
How is PrincipalContext.ValidateCredentials call registered or marked on DC?

I am using the PrincipalContext.ValidateCredentials method from the System.DirectoryServices.AccountManagement namespace to validate user credentials against an Active Directory LDAP server. Sample of code:

private bool CheckIfCredentialsAreValidInDomain(string pLogin, string pPassword)
{
    bool areCredentialsValidInDomain = true;
    using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
    {
        areCredentialsValidInDomain = context.ValidateCredentials(login, password);                
    }            
    return areCredentialsValidInDomain;
}

There is one domain and several (6 or more) DCs in the customer's environment. I don't pass a DC name into the PrincipalContext constructor - assuming the DC Locator Service is doing its job - it is not important for me which particular DC is used from the list of available DCs. Everything works great, but I have a case of a user who doesn't directly log on to the domain (before starting the application where this validation is used) but his computer is physically connected to the customer's network.

This user's domain account has been recently disabled. Reason: he didn't log in to the domain for the last X months. But until then he was using the app on a daily basis, so the ValidateCredentials method was being called and returning true. But for an unclear reason this action was "transparent" for the DC and this validation was not marked.

So how does ValidateCredentials work? Does it set the user's LastLogon and lastLogonTimestamp attributes, or does it just tell us whether the credentials are valid or not? Does it register any Event log entry on the DC?

The source code for PrincipalContext is available now. ValidateCredentials() calls CredentialValidator.Validate() (an internal class).

That eventually calls lockedLdapBind(), which calls LdapConnection.Bind() with the credentials.

It does actually test the credentials against a server. So either that part of your code is not actually being run, or the account being tested isn't really disabled.

Something I noticed in your code is that you're passing the variables login and password to ValidateCredentials. However, the parameters for your method are called pLogin and pPassword. Is that just a typo in your question, or is that really how it is in your code? If that is accurate, then you're not actually testing the credentials passed to your method.
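One way to observe what the question asks about, as an added example that is not part of the original posts or of the .NET source: it pins a single DC, passes the method's own parameters, and prints the account's lastLogon and lastLogonTimestamp as read from that DC before and after the call. The class name and the dcName argument are hypothetical; the example assumes pLogin is a plain sAMAccountName and that the process runs under a domain account allowed to read the user object.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

static class ValidateAndInspect   // hypothetical name, not from the original post
{
    // Reads one FILETIME attribute (lastLogon / lastLogonTimestamp) of the user's entry.
    static DateTime? ReadStamp(UserPrincipal user, string attribute)
    {
        var entry = (DirectoryEntry)user.GetUnderlyingObject();
        // Base-scope search on the entry itself: DirectorySearcher returns large integers as Int64.
        using (var searcher = new DirectorySearcher(entry, "(objectClass=*)",
                                                    new[] { attribute }, SearchScope.Base))
        {
            SearchResult hit = searcher.FindOne();
            if (hit == null || hit.Properties[attribute].Count == 0) return null;
            long fileTime = (long)hit.Properties[attribute][0];
            return fileTime > 0 ? DateTime.FromFileTimeUtc(fileTime) : (DateTime?)null;
        }
    }

    static void Dump(PrincipalContext context, string sam, string label)
    {
        using (UserPrincipal user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, sam))
        {
            if (user == null) { Console.WriteLine("{0}: account not found", label); return; }
            Console.WriteLine("{0}: enabled={1} lastLogon={2:u} lastLogonTimestamp={3:u}", label,
                user.Enabled, ReadStamp(user, "lastLogon"), ReadStamp(user, "lastLogonTimestamp"));
        }
    }

    // dcName is a hypothetical argument such as "dc01.example.test". Pinning it keeps the bind
    // and both reads on the same DC, which matters because lastLogon is not replicated between DCs.
    public static bool Check(string dcName, string pLogin, string pPassword)
    {
        using (var context = new PrincipalContext(ContextType.Domain, dcName))
        {
            Dump(context, pLogin, "before");
            // Pass the method's own parameters and state the bind type explicitly.
            bool valid = context.ValidateCredentials(pLogin, pPassword,
                ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing);
            Dump(context, pLogin, "after ");
            Console.WriteLine("ValidateCredentials returned {0} on {1}", valid, dcName);
            return valid;
        }
    }
}
```

Comparing the "before" and "after" lines on the pinned DC shows whether that DC recorded the bind for the account, and the enabled flag shows whether the account being tested is really disabled.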
