某些用户的 PrincipalContext.ValidateCredentials 失败？

Question

I have the following code :

public void AuthenticateActiveDirectoryAccount(string username, string password)
    {
        PrincipalContext context;
        var envSettings = _settingsService.GetGlobalSetting<EnvironmentSettings>().Props;
        string ADServer = envSettings.ActiveDirectory.ServerURI;
        string ADUserName = envSettings.ActiveDirectory.Username;
        string ADUserPassword = envSettings.ActiveDirectory.Password;
        string account = null;

        account = username.ToLower();

        if (ADUserName.Length > 0)
            context = new PrincipalContext(ContextType.Domain, ADServer, ADUserName, ADUserPassword);
        else
            context = new PrincipalContext(ContextType.Domain, ADServer);

        using (context)
        {
            if (!context.ValidateCredentials(account, password))
            {
                throw new Exception();
            }
        }
    }

This works great for most users but some get the following exception :

The server does not handle directory requests : System.DirectoryServices.Protocols.ErrorChecking.CheckAndSetLdapError(Int32 error)\\r\\n vid System.DirectoryServices.Protocols.LdapSessionOptions.FastConcurrentBind()\\r\\n vid System.DirectoryServices.AccountManagement.CredentialValidator.BindLdap(NetworkCredential creds, ContextOptions contextOptions)\\r\\n vid System.DirectoryServices.AccountManagement.CredentialValidator.Validate(String userName, String password)\\r\\n vid System.DirectoryServices.AccountManagement.PrincipalContext.ValidateCredentials(String userName, String password)

First I thought that failing users do not have permission to call the AD but Im sure that the AdServer, AdUserName and AdUserPassword is set with the global AD account that should have access.

Why do some users get this exception?

Answer 1

Changing the ValidateCredentials to this solves the problem :

context.ValidateCredentials(account, password, ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing)

It is however probably still a question of security of the Active Directory account.

Answer 2

如果没有域但工作组，它将与

context.ValidateCredentials(account, password, ContextOptions.Negotiate)