I am trying to validate a user's login credentials based on their organizational unit in Active Directory. How can I do this?
This is my attempt so far, but I can't get it to specify by OU.
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain,
"domain", "OU=LRF,OU=HR,OU=Users, DC=domain, DC=local"))
{
// validate the credentials
bool isValid = pc.ValidateCredentials(textBox1.Text, textBox2.Text);
if (isValid == true)
{
new Form1().Show();
}
else MessageBox.Show("Access Denied");
}
Related
I am using AD authentication in my application:
bool _isValid;
using (var pc = new PrincipalContext(ContextType.Domain, DomainPath))
{
isValid = pc.ValidateCredentials(username, password, ContextOptions.Negotiate);
}
Is there any way to find out if I am getting isValid set to false because of an invalid username or an invalid password?
You can't be sure directly which one is invalid. But you can try to retrieve the user from active directory to determine which one is wrong after false validation like this;
bool _isValid;
using (var pc = new PrincipalContext(ContextType.Domain, DomainPath))
{
isValid = pc.ValidateCredentials(username, password, ContextOptions.Negotiate);
if (!isValid)
{
var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, username);
if (user == null)
{
//User doesn't exist
}
else
{
//Password is invalid
}
}
}
I need to let users bind there accounts to the Active Directory. This means that admin needs a GUI where he/she can write a Active Directory account like this : MyDomain\MyName and then get a validation if the users exists before save.
Im using this code to validate the name :
public static bool CheckActiveDirectoryAccount(string account)
{
string ADServer = null;
string ADDomain = null;
string ADUserName = null;
string ADUserPassword = null;
SetADSettings(out ADServer, out ADDomain, out ADUserName, out ADUserPassword);
using (PrincipalContext context = new PrincipalContext(ContextType.Domain, ADServer, ADUserName, ADUserPassword))
{
using (UserPrincipal user = UserPrincipal.FindByIdentity(context, account))
{
if(user != null)
return true;
else
return false;
}
}
}
The problem with this code is that there seems to be no way to check the user for a specific domain? Instead I have to input the server, if I try to input the domain instead there will be exception(Server not found).
How do I let the admin enter domain and username of a AD account and then check it against the AD?
I am able to pass the domain into the principalcontext without issue, I'm not passing in the server. I would expect this to work for you.
public static bool CheckActiveDirectoryAccount(string account, string domain)
{
using (var pc = new PrincipalContext(ContextType.Domain, domain))
{
// Find a user
UserPrincipal user = UserPrincipal.FindByIdentity(pc, account);
if (user == null)
return false;
return true;
}
}
I have noticed poor performance when passing in the NetBIOS domain name, though it does work. As a result I pass in the DNS domain name whenever possible.
I ended up with this :
public static string CheckActiveDirectoryAccount(string account)
{
UserPrincipal user;
PrincipalContext context;
List<string> userPrincipalNameList;
string ADServer = null;
string ADUserName = null;
string ADUserPassword = null;
string userAccount;
account = account.ToLower();
GetADSettings(out ADServer, out ADUserName, out ADUserPassword);
if (ADUserName.Length > 0)
context = new PrincipalContext(ContextType.Domain, ADServer, null, ADUserName, ADUserPassword);
else
context = new PrincipalContext(ContextType.Domain, ADServer);
using (context)
{
if((user = UserPrincipal.FindByIdentity(context, account)) == null)
{
if(account.Contains("\\"))
{
userPrincipalNameList = user.UserPrincipalName.Split('\\').ToList();
if (userPrincipalNameList.Count > 0)
user = UserPrincipal.FindByIdentity(context, userPrincipalNameList[0]);
}
}
if (user != null)
{
using (user)
{
userPrincipalNameList = user.UserPrincipalName.Split('#').ToList();
userAccount = userPrincipalNameList.First();
if (userPrincipalNameList.Count > 1)
userAccount = userPrincipalNameList.Last() + "\\" + userAccount;
if (user != null)
return userAccount.ToLower();
}
}
}
return string.Empty;
}
Creating a web service which talks to Active Directory to verify users and determine which groups they belong to.
I started out with the verification process, and got this working:
public bool AuthenticateAdUser(string username, string password)
{
//in the real code, these come from config
string domain = "TestDomain";
string server = 666.666.666.666;
string authType = "Basic";
string useSsl = "false";
AuthType atype = (AuthType)Enum.Parse(typeof(AuthType), authType);
using (var ldapConnection = new LdapConnection(server))
{
var networkCredential = new NetworkCredential(username, password, domain);
ldapConnection.SessionOptions.SecureSocketLayer = Convert.ToBoolean(useSsl);
ldapConnection.AutoBind = false;
ldapConnection.AuthType = atype;
ldapConnection.Bind(networkCredential);
}
// If the bind succeeds, the credentials are valid
return true;
}
However, I'm not clear on how I can use that LdapConnection object to work with groups. The documentation and examples suggest you use PrinicpalContext for that purpose. So I tried this.
string domain = "TestDomain";
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, domain))
{
using (PrincipalSearchResult<Principal> src = UserPrincipal.FindByIdentity(pc, username).GetGroups(pc))
{
src.ToList().ForEach(sr => result.Add(sr.SamAccountName));
}
}
This fails, claiming it can't contact the Active Directory server. Using a DNS style name ("TestDomain.local") doesn't seem to help.
This does at least spin up a network principal:
string server = "666.666.666.666";
using (PrincipalContext pc = new PrincipalContext(ContextType.Machine, server))
{
using (PrincipalSearchResult<Principal> src = UserPrincipal.FindByIdentity(pc, username).GetGroups(pc))
{
src.ToList().ForEach(sr => result.Add(sr.SamAccountName));
}
}
But when you try and do anything with it, it fails with "Network path not found".
Any ideas on why the Principal won't work, or how I can use the LdapConnection to query groups?
We have a program running on different computers in our network, and this program needs to login with an specific administrator account to execute some tasks.
Our supplier wrote the below code to check whether the user is a local admin or not.
The question is:
If the admin user has logged in the computer before, will the credentials be saved in the cache so the below code would work even without a network connection?
If so, how can we force those credentials to be saved?
Else, is there any alternative so we can login with the credentials from the cache?
static bool UserExists(string domain, string username, string password)
{
if (System.Environment.GetEnvironmentVariable("UserDomain") != null)
{
if (string.Compare(System.Environment.GetEnvironmentVariable("UserDomain"), domain, true) != 0)
{
return false;
}
}
string filter = string.Format("(&(ObjectClass={0})(sAMAccountName={1}))", "person", username);
string[] properties = new string[] { "fullname" };
using (DirectoryEntry adRoot = new DirectoryEntry("LDAP://" + domain, null, null, AuthenticationTypes.Secure))
using (DirectorySearcher searcher = new DirectorySearcher(adRoot))
{
adRoot.Username = username;
adRoot.Password = password;
searcher.SearchScope = SearchScope.Subtree;
searcher.ReferralChasing = ReferralChasingOption.All;
searcher.PropertiesToLoad.AddRange(properties);
searcher.Filter = filter;
if (searcher.FindOne() != null)
{
// If you want to see the user details: searcher.FindOne().GetDirectoryEntry();
return true;
}
}
return false;
}
Thanks in advance
I'm trying to do a couple of things. First off this c# program verifies against Active Directory user credentials using:
var ADentry = new DirectoryEntry("LDAP://domain", uname, pword);
But obviously you need to pass in the username and password somehow. Is there a way that you can retrieve it automatically when the user signs in on the network from Active Directory and use that in the fields without having the username type in the username and password.
If not, I made it so the user can type in their credentials in the console. But if it doesn't work it ends up hanging forever. What type of code can I use to timeout after say 1 minute if this keeps hanging otherwise it hangs forever? thanks
I was trying to do an LDAP query and the following will do it for you. Most of it are methods but you may be interested in this line of code: PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain, sDomain, sDefaultOU, ContextOptions.Negotiate);
The full code is here:
IsUserGroupMember("username", "group name the user is in");
public string sDomain = "your.domainName.com"
public string sDefaultOU = OU=**,OU=**,DC=**,DC=**,DC=**
public void IsUserGroupMember(string sUserName, string sGroupName)
{
try
{
UserPrincipal oUserPrincipal = GetUser(sUserName);
GroupPrincipal oGroupPrincipal = GetGroup(sGroupName);
if (oUserPrincipal != null && oGroupPrincipal != null)
{
//do something
}
else
{
//nothing
}
}
catch (PrincipalServerDownException)
{
throw;
}
catch (Exception)
{
throw;
}
}
public UserPrincipal GetUser(String sUserName)
{
PrincipalContext oPrincipalContext = GetPrincipalContext();
UserPrincipal oUserPrincipal = UserPrincipal.FindByIdentity(oPrincipalContext, sUserName);
return oUserPrincipal;
}
public GroupPrincipal GetGroup(string sGroupName)
{
PrincipalContext oPrincipalContext = GetPrincipalContext();
GroupPrincipal oGroupPrincipal = GroupPrincipal.FindByIdentity(oPrincipalContext, sGroupName);
return oGroupPrincipal;
}
public PrincipalContext GetPrincipalContext()
{
PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain, sDomain, sDefaultOU, ContextOptions.Negotiate);
return oPrincipalContext;
}
I hope this code will be of use for you.