
LDAP Bind through .NET DirectoryEntry always succeeds

I am looking up an arbitrary Windows account in a forms-based C# login scenario using the user's e-mail address as the key. Locating the user works fine and I get back my derived UserPrincipalEx fine.

However, when I try to validate a login using a Bind, it always succeeds:

// we can't use ValidateCredentials because it's too broken - multiple attempts each time,
// can't always negotiate properly, etc.
//if (!_principalContext.ValidateCredentials(userPrincipal.UserPrincipalName, password)) {
//    return LoginValidationResults.ValidationFailed;
//}
try {
    // Bind as the user against the container with a simple (FastBind) bind.
    using (var directoryEntry = new DirectoryEntry("LDAP://" + _domain + "/" + _principalContext.Container,
        userPrincipal.UserPrincipalName, password, AuthenticationTypes.FastBind)) {
        // DirectoryEntry binds lazily; reading NativeObject forces the bind to happen now.
        var forceBind = directoryEntry.NativeObject;
        Log.DebugFormat("Validation successful ({0}).", forceBind);
        return LoginValidationResults.Valid;
    }
}
catch (COMException ex) {
    // -2147023570 is HRESULT 0x8007052E (ERROR_LOGON_FAILURE): wrong username or password.
    // Anything else is an unexpected directory error, so rethrow it.
    if (ex.ErrorCode != -2147023570) {
        Log.DebugFormat("Validation exception: {0}", ex.ToString());
        throw;
    }
    Log.Debug("Validation failed.");
    return LoginValidationResults.ValidationFailed;
}

In some cases - and I can't figure out what they are yet - the account always binds successfully, no matter what password I give.

Why could this be?

So I looked into this using some packet captures and saw that all of the succeeding binds were using a blank username.

Sure enough, the users in question had a blank (actually null - not set) UPN. This should never happen in our scenario but it did. Because it's a broken user case, I just detect that and throw an exception.
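A hardened version of the bind described above, written as an added example rather than the poster's own code: it refuses to bind at all when the UPN is missing (the anonymous-bind case found in the packet captures) or when the password is empty, so neither can degrade into a bind that "succeeds". The domain, container and result enum names are assumptions.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

// Assumed result type; the poster's LoginValidationResults is not shown on the page.
public enum LoginValidationResults { Valid, ValidationFailed, InvalidAccount }

public static class LdapBindValidator
{
    // HRESULT 0x8007052E = ERROR_LOGON_FAILURE, the same value as -2147023570 in the original snippet.
    private const int LogonFailureHResult = unchecked((int)0x8007052E);

    public static LoginValidationResults Validate(string domain, string container,
                                                  string userPrincipalName, string password)
    {
        // A null/empty UPN makes DirectoryEntry bind with no credentials (an anonymous bind),
        // which is exactly what made the poster's binds succeed for any password.
        if (string.IsNullOrWhiteSpace(userPrincipalName))
            return LoginValidationResults.InvalidAccount;

        // An empty password turns a simple bind into an LDAP "unauthenticated" bind
        // (RFC 4513 section 5.1.2), which many servers also accept. Reject it up front.
        if (string.IsNullOrEmpty(password))
            return LoginValidationResults.ValidationFailed;

        // Assumed path layout, mirroring the original "LDAP://" + domain + "/" + container.
        var path = "LDAP://" + domain + "/" + container;
        try
        {
            // Secure uses Negotiate (Kerberos/NTLM) so the password is not sent in the clear;
            // FastBind skips the schema lookup, as in the original snippet.
            using (var entry = new DirectoryEntry(path, userPrincipalName, password,
                       AuthenticationTypes.Secure | AuthenticationTypes.FastBind))
            {
                // DirectoryEntry binds lazily; reading NativeObject forces the bind now.
                object forceBind = entry.NativeObject;
                return LoginValidationResults.Valid;
            }
        }
        catch (COMException ex) when (ex.ErrorCode == LogonFailureHResult)
        {
            // Wrong username or password; any other COMException propagates to the caller.
            return LoginValidationResults.ValidationFailed;
        }
    }
}
```

Treat InvalidAccount as a data problem to log and investigate (the page's "broken user" case) rather than as a normal failed login.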
