I'm working with the Active Directory DirectoryServices.AccountManagement
API, and am attempting to connect to the server using the following code:
PrincipalContext principalContext = new PrincipalContext(ContextType.Domain, (server + ":" + port), loginUsername, loginPassword);
The first thing I would like to do is check that the loginUsername and loginPassword are valid and have enough permissions in the Active Directory instance. To achieve this, I call the following:
bool x = principalContext.ValidateCredentials(null, null);
According to the documentation, this validates the credentials specified in the constructor since null is passed. In the debugger, the following errors are thrown, indicating that the credentials are false:
However, the actual result to the ValidateCredentials check is strangely enough returning true and the code thus continues to execute.
How can this be solved?
EDIT:
Here is another screenshot elaborating on the errors. As shown in the screenshot, I am calling the ValidateCredentials method, and passing null values for the username and password, which according to the documentation will attempt to validate the credentials passed in the PrincipalContext class' constructor.
The screenshot also shows how the username and passwords passed are both "test", which are invalid and do not exist in the Active Directory. The method is returning true, even though there are a number of errors displayed.
You simply need to stop looking up null values...
if (string.IsNullOrEmpty(password) || string.IsNullOrEmpty(username)) return false;
I ran some tests
using (var pc = new PrincipalContext(ContextType.Domain, "mydomain.lan")){
    var isOk1 = pc.ValidateCredentials(null,null); //Always true
    var isOk2 = pc.ValidateCredentials("notexists","wrong"); //false
    var isOk3 = pc.ValidateCredentials("existing","correct"); //true
}
and
using (var pc = new PrincipalContext(ContextType.Domain, "mydomain.lan", "notright","wrong")){
    var isOk1 = pc.ValidateCredentials(null,null); //Always true
    var isOk2 = pc.ValidateCredentials("notexists","wrong"); //false
    var isOk3 = pc.ValidateCredentials("existing","correct"); //true
}
So ValidateCredentials does not really need a user in the context... If you provide a false one, a following lookup for, say, a user's groups will fail, however.
Yes, documentation reads:
The ValidateCredentials method binds to the server specified in the constructor. If the username and password parameters are null, the credentials specified in the constructor are validated. If no credential were specified in the constructor, and the username and password parameters are null, this method validates the default credentials for the current principal.
( http://msdn.microsoft.com/en-us/library/bb154889%28v=vs.100%29.aspx )
But I can't verify that the creds in the constructor are in play.
EDIT: You have already accepted, but maybe you can use this method for your problem?
using (var pc = new PrincipalContext(ContextType.Domain, "domain.lan", username, password))
{
    if (pc.ValidateCredentials(username, password))
    {
        try
        {
            using (var searcher = new PrincipalSearcher(new UserPrincipal(pc)))
            {
                searcher.QueryFilter.SamAccountName = username;
                Principal u = searcher.FindOne();
            }
        }
        catch (Exception)
        {
            return "no rights to work on ad";
        }
    }
    else
    {
        return "user cannot login";
    }
}
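The guard and the two-step check from the answer above, combined into one method that fails closed and reports distinct outcomes. This is an added example, not code from the original posts; the `AdLogin` class, the `AdLoginResult` enum and the `domain` parameter are hypothetical names, and `username` is assumed to be a sAMAccountName.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

public enum AdLoginResult { Ok, MissingCredentials, InvalidCredentials, NoDirectoryAccess, ServerUnavailable }

public static class AdLogin
{
    // Hypothetical helper: "domain" is the same value passed to PrincipalContext in the posts above.
    public static AdLoginResult Check(string domain, string username, string password)
    {
        // Fail closed: empty input must never reach ValidateCredentials, where
        // (null, null) was observed in the tests above to return true.
        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrEmpty(password))
            return AdLoginResult.MissingCredentials;

        try
        {
            using (var pc = new PrincipalContext(ContextType.Domain, domain, username, password))
            {
                // Validate the explicit values rather than relying on the context's own
                // credentials, and state the bind options instead of using the defaults.
                var options = ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing;
                if (!pc.ValidateCredentials(username, password, options))
                    return AdLoginResult.InvalidCredentials;

                try
                {
                    // Force a real directory query that runs under the context's credentials.
                    using (var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, username))
                        return user != null ? AdLoginResult.Ok : AdLoginResult.NoDirectoryAccess;
                }
                catch (PrincipalServerDownException) { throw; } // handled by the outer catch
                catch (Exception)
                {
                    // Credentials were accepted, but the account could not query the directory.
                    return AdLoginResult.NoDirectoryAccess;
                }
            }
        }
        catch (PrincipalServerDownException)
        {
            // An unreachable server is reported separately and is never treated as a success.
            return AdLoginResult.ServerUnavailable;
        }
    }
}
```

Callers should treat every result other than `AdLoginResult.Ok` as a denied login.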