Validate a username and password against Active Directory

Question

How can I validate a username and password against Active Directory  I simply want to check if a username and password are correct

User · Answer

My Simple Function    private bool IsValidActiveDirectoryUser string activeDirectoryServerDomain  string username  string password                try                       DirectoryEntry de   new DirectoryEntry  LDAP       activeDirectoryServerDomain  username         activeDirectoryServerDomain  password  AuthenticationTypes Secure               DirectorySearcher ds   new DirectorySearcher de               ds FindOne                return true                    catch    Exception ex                        return false

User · Answer

If you work on  NET 3 5 or newer  you can use the System DirectoryServices AccountManagement namespace and easily verify your credentials      create a  principal context  - e g  your domain  could be machine  too  using PrincipalContext pc   new PrincipalContext ContextType Domain   YOURDOMAIN             validate the credentials     bool isValid   pc ValidateCredentials  myuser    mypassword        It s simple  it s reliable  it s 100  C  managed code on your end - what more can you ask for   -   Read all about it here    Managing Directory Security Principals in the  NET Framework 3 5 MSDN docs on System DirectoryServices AccountManagement   Update   As outlined in this other SO question  and its answers   there is an issue with this call possibly returning True for old passwords of a user  Just be aware of this behavior and don t be too surprised if this happens  -   thanks to  MikeGledhill for pointing this out

User · Answer

Probably easiest way is to PInvoke LogonUser Win32 API e g      http   www pinvoke net default aspx advapi32 LogonUser html   MSDN Reference here        http   msdn microsoft com en-us library aa378184 aspx   Definitely want to use logon type  LOGON32 LOGON NETWORK  3    This creates a lightweight token only - perfect for AuthN checks    other types can be used to build interactive sessions etc

User · Answer

If you are stuck with  NET 2 0 and managed code  here is another way that works whith local and domain accounts   using System  using System Collections Generic  using System Text  using System Security  using System Diagnostics   static public bool Validate string domain  string username  string password        try               Process proc   new Process            proc StartInfo   new ProcessStartInfo                         FileName    no matter xyz               CreateNoWindow   true              WindowStyle   ProcessWindowStyle Hidden              WorkingDirectory   Environment GetFolderPath Environment SpecialFolder CommonApplicationData               UseShellExecute   false              RedirectStandardError   true              RedirectStandardOutput   true              RedirectStandardInput   true              LoadUserProfile   true              Domain   String IsNullOrEmpty domain         domain              UserName   username              Password   Credentials ToSecureString password                     proc Start            proc WaitForExit              catch  System ComponentModel Win32Exception ex                switch  ex NativeErrorCode                        case 1326  return false              case 2  return true              default  throw ex                      catch  Exception ex                throw ex             return false

User · Answer

Yet another  NET call to quickly authenticate LDAP credentials   using System DirectoryServices   using var DE   new DirectoryEntry path  username  password        try               DE RefreshCache       This will force credentials validation           catch  COMException ex                   Validation failed - handle how you want

User · Answer

Try this code  NOTE  Reported to not work on windows server 2000     region NTLogonUser  region Direct OS LogonUser Code  DllImport   advapi32 dll    private static extern bool LogonUser String lpszUsername       String lpszDomain  String lpszPassword  int dwLogonType       int dwLogonProvider  out int phToken     DllImport  Kernel32 dll    private static extern int GetLastError     public static bool LogOnXP String sDomain  String sUser  String sPassword       int token1  ret     int attmpts   0      bool LoggedOn   false      while   LoggedOn  amp  amp  attmpts  lt  2             LoggedOn  LogonUser sUser  sDomain  sPassword  3  0  out token1         if  LoggedOn  return  true         else                  switch  ret   GetLastError                           case  126                     if  attmpts    gt  2                    throw new LogonException                         Specified module could not be found  error code                             ret ToString                    break               case  1314                   throw new LogonException                     Specified module could not be found  error code                             ret ToString                  case  1326                      edited out based on comment                    throw new LogonException                       Unknown user name or bad password                 return false               default                  throw new LogonException                     Unexpected Logon Failure  Contact Administrator                                            return false      endregion Direct Logon Code  endregion NTLogonUser   except you ll need to create your own custom exception for  LogonException

User · Answer

If you are stuck with  NET 2 0 and managed code  here is another way that works whith local and domain accounts   using System  using System Collections Generic  using System Text  using System Security  using System Diagnostics   static public bool Validate string domain  string username  string password        try               Process proc   new Process            proc StartInfo   new ProcessStartInfo                         FileName    no matter xyz               CreateNoWindow   true              WindowStyle   ProcessWindowStyle Hidden              WorkingDirectory   Environment GetFolderPath Environment SpecialFolder CommonApplicationData               UseShellExecute   false              RedirectStandardError   true              RedirectStandardOutput   true              RedirectStandardInput   true              LoadUserProfile   true              Domain   String IsNullOrEmpty domain         domain              UserName   username              Password   Credentials ToSecureString password                     proc Start            proc WaitForExit              catch  System ComponentModel Win32Exception ex                switch  ex NativeErrorCode                        case 1326  return false              case 2  return true              default  throw ex                      catch  Exception ex                throw ex             return false

User · Answer

Several solutions presented here lack the ability to differentiate between a wrong user   password  and a password that needs to be changed  That can be done in the following way   using System  using System DirectoryServices Protocols  using System Net   namespace ProtocolTest       class Program               static void Main string   args                        try                               LdapConnection connection   new LdapConnection  ldap fabrikam com                    NetworkCredential credential   new NetworkCredential  user    password                    connection Credential   credential                  connection Bind                    Console WriteLine  logged in                              catch  LdapException lexc                                String error   lexc ServerErrorMessage                  Console WriteLine lexc                             catch  Exception exc                                Console WriteLine exc                                     If the users password is wrong  or the user doesn t exists  error will contain    8009030C  LdapErr  DSID-0C0904DC  comment  AcceptSecurityContext error  data 52e  v1db1     if the users password needs to be changed  it will contain    8009030C  LdapErr  DSID-0C0904DC  comment  AcceptSecurityContext error  data 773  v1db1   The lexc ServerErrorMessage data value is a hex representation of the Win32 Error Code   These are the same error codes which would be returned by otherwise invoking the Win32 LogonUser API call   The list below summarizes a range of common values with hex and decimal values   525  user not found   1317  52e  invalid credentials   1326  530  not permitted to logon at this time   1328  531  not permitted to logon at this workstation   1329  532  password expired   1330  533  account disabled   1331   701  account expired   1793  773  user must reset password  1907  775  user account locked  1909

User · Answer

Unfortunately there is no  simple  way to check a users credentials on AD   With every method presented so far  you may get a false-negative  A user s creds will be valid  however AD will return false under certain circumstances    User is required to Change Password at Next Logon  User s password has expired    ActiveDirectory will not allow you to use LDAP to determine if a password is invalid due to the fact that a user must change password or if their password has expired   To determine password change or password expired  you may call Win32 LogonUser    and check the windows error code for the following 2 constants    ERROR PASSWORD MUST CHANGE   1907  ERROR PASSWORD EXPIRED   1330

User · Answer

very simple solution using DirectoryServices   using System DirectoryServices     srvr   ldap server  e g  LDAP   domain com   usr   user name   pwd   user password public bool IsAuthenticated string srvr  string usr  string pwd        bool authenticated   false       try               DirectoryEntry entry   new DirectoryEntry srvr  usr  pwd           object nativeObject   entry NativeObject          authenticated   true            catch  DirectoryServicesCOMException cex                  not authenticated  reason why is in cex           catch  Exception ex                  not authenticated due to some other exception  this is optional             return authenticated      the NativeObject access is required to detect a bad user password

User · Answer

My Simple Function    private bool IsValidActiveDirectoryUser string activeDirectoryServerDomain  string username  string password                try                       DirectoryEntry de   new DirectoryEntry  LDAP       activeDirectoryServerDomain  username         activeDirectoryServerDomain  password  AuthenticationTypes Secure               DirectorySearcher ds   new DirectorySearcher de               ds FindOne                return true                    catch    Exception ex                        return false

User · Answer

If you work on  NET 3 5 or newer  you can use the System DirectoryServices AccountManagement namespace and easily verify your credentials      create a  principal context  - e g  your domain  could be machine  too  using PrincipalContext pc   new PrincipalContext ContextType Domain   YOURDOMAIN             validate the credentials     bool isValid   pc ValidateCredentials  myuser    mypassword        It s simple  it s reliable  it s 100  C  managed code on your end - what more can you ask for   -   Read all about it here    Managing Directory Security Principals in the  NET Framework 3 5 MSDN docs on System DirectoryServices AccountManagement   Update   As outlined in this other SO question  and its answers   there is an issue with this call possibly returning True for old passwords of a user  Just be aware of this behavior and don t be too surprised if this happens  -   thanks to  MikeGledhill for pointing this out

User · Answer

very simple solution using DirectoryServices   using System DirectoryServices     srvr   ldap server  e g  LDAP   domain com   usr   user name   pwd   user password public bool IsAuthenticated string srvr  string usr  string pwd        bool authenticated   false       try               DirectoryEntry entry   new DirectoryEntry srvr  usr  pwd           object nativeObject   entry NativeObject          authenticated   true            catch  DirectoryServicesCOMException cex                  not authenticated  reason why is in cex           catch  Exception ex                  not authenticated due to some other exception  this is optional             return authenticated      the NativeObject access is required to detect a bad user password

User · Answer

very simple solution using DirectoryServices   using System DirectoryServices     srvr   ldap server  e g  LDAP   domain com   usr   user name   pwd   user password public bool IsAuthenticated string srvr  string usr  string pwd        bool authenticated   false       try               DirectoryEntry entry   new DirectoryEntry srvr  usr  pwd           object nativeObject   entry NativeObject          authenticated   true            catch  DirectoryServicesCOMException cex                  not authenticated  reason why is in cex           catch  Exception ex                  not authenticated due to some other exception  this is optional             return authenticated      the NativeObject access is required to detect a bad user password

User · Answer

Windows authentication can fail for various reasons  an incorrect user name or password  a locked account  an expired password  and more  To distinguish between these errors  call the LogonUser API function via P Invoke and check the error code if the function returns false   using System  using System ComponentModel  using System Runtime InteropServices   using Microsoft Win32 SafeHandles   public static class Win32Authentication       private class SafeTokenHandle   SafeHandleZeroOrMinusOneIsInvalid               private SafeTokenHandle      called by P Invoke               base true                               protected override bool ReleaseHandle                         return CloseHandle this handle                        private enum LogonType   uint               Network   3     LOGON32 LOGON NETWORK            private enum LogonProvider   uint               WinNT50   3     LOGON32 PROVIDER WINNT50             DllImport  kernel32 dll   SetLastError   true       private static extern bool CloseHandle IntPtr handle         DllImport  advapi32 dll   SetLastError   true       private static extern bool LogonUser          string userName  string domain  string password          LogonType logonType  LogonProvider logonProvider          out SafeTokenHandle token        public static void AuthenticateUser string userName  string password                string domain   null          string   parts   userName Split                if  parts Length    2                        domain   parts 0               userName   parts 1                      SafeTokenHandle token          if  LogonUser userName  domain  password  LogonType Network  LogonProvider WinNT50  out token               token Dispose            else             throw new Win32Exception       calls Marshal GetLastWin32Error             Sample usage   try       Win32Authentication AuthenticateUser  EXAMPLE  user    P ssw0rd           Or  Win32Authentication AuthenticateUser  user example com    P ssw0rd      catch  Win32Exception ex        switch  ex NativeErrorCode                case 1326     ERROR LOGON FAILURE  incorrect user name or password                             case 1327     ERROR ACCOUNT RESTRICTION                            case 1330     ERROR PASSWORD EXPIRED                            case 1331     ERROR ACCOUNT DISABLED                            case 1907     ERROR PASSWORD MUST CHANGE                            case 1909     ERROR ACCOUNT LOCKED OUT                            default     Other             break            Note  LogonUser requires a trust relationship with the domain you re validating against

User · Answer

A full  Net solution is to use the classes from the System DirectoryServices namespace  They allow to query an AD server directly  Here is a small sample that would do this   using  DirectoryEntry entry   new DirectoryEntry          entry Username    here goes the username you want to validate       entry Password    here goes the password        DirectorySearcher searcher   new DirectorySearcher entry        searcher Filter     objectclass user         try               searcher FindOne              catch  COMException ex                if  ex ErrorCode    -2147023570                           Login or password is incorrect                       FindOne   didn t throw  the credentials are correct   This code directly connects to the AD server  using the credentials provided  If the credentials are invalid  searcher FindOne   will throw an exception  The ErrorCode is the one corresponding to the  invalid username password  COM error   You don t need to run the code as an AD user  In fact  I succesfully use it to query informations on an AD server  from a client outside the domain

User · Answer

Unfortunately there is no  simple  way to check a users credentials on AD   With every method presented so far  you may get a false-negative  A user s creds will be valid  however AD will return false under certain circumstances    User is required to Change Password at Next Logon  User s password has expired    ActiveDirectory will not allow you to use LDAP to determine if a password is invalid due to the fact that a user must change password or if their password has expired   To determine password change or password expired  you may call Win32 LogonUser    and check the windows error code for the following 2 constants    ERROR PASSWORD MUST CHANGE   1907  ERROR PASSWORD EXPIRED   1330

User · Answer

Probably easiest way is to PInvoke LogonUser Win32 API e g      http   www pinvoke net default aspx advapi32 LogonUser html   MSDN Reference here        http   msdn microsoft com en-us library aa378184 aspx   Definitely want to use logon type  LOGON32 LOGON NETWORK  3    This creates a lightweight token only - perfect for AuthN checks    other types can be used to build interactive sessions etc

User · Answer

We do this on our Intranet  You have to use System DirectoryServices   Here are the guts of the code  using  DirectoryEntry adsEntry   new DirectoryEntry path  strAccountId  strPassword         using  DirectorySearcher adsSearcher   new DirectorySearcher adsEntry                   adsSearcher Filter      amp  objectClass user  objectCategory person             adsSearcher Filter     sAMAccountName     strAccountId                 try                       SearchResult adsSearchResult   adsSearcher FindOne                bSucceeded   true               strAuthenticatedBy    Active Directory               strError    User has been authenticated by Active Directory                      catch  Exception ex                           Failed to authenticate  Most likely it is caused by unknown user                id or bad strPassword              strError   ex Message                    finally                       adsEntry Close

User · Answer

If you work on  NET 3 5 or newer  you can use the System DirectoryServices AccountManagement namespace and easily verify your credentials      create a  principal context  - e g  your domain  could be machine  too  using PrincipalContext pc   new PrincipalContext ContextType Domain   YOURDOMAIN             validate the credentials     bool isValid   pc ValidateCredentials  myuser    mypassword        It s simple  it s reliable  it s 100  C  managed code on your end - what more can you ask for   -   Read all about it here    Managing Directory Security Principals in the  NET Framework 3 5 MSDN docs on System DirectoryServices AccountManagement   Update   As outlined in this other SO question  and its answers   there is an issue with this call possibly returning True for old passwords of a user  Just be aware of this behavior and don t be too surprised if this happens  -   thanks to  MikeGledhill for pointing this out

User · Answer

Try this code  NOTE  Reported to not work on windows server 2000     region NTLogonUser  region Direct OS LogonUser Code  DllImport   advapi32 dll    private static extern bool LogonUser String lpszUsername       String lpszDomain  String lpszPassword  int dwLogonType       int dwLogonProvider  out int phToken     DllImport  Kernel32 dll    private static extern int GetLastError     public static bool LogOnXP String sDomain  String sUser  String sPassword       int token1  ret     int attmpts   0      bool LoggedOn   false      while   LoggedOn  amp  amp  attmpts  lt  2             LoggedOn  LogonUser sUser  sDomain  sPassword  3  0  out token1         if  LoggedOn  return  true         else                  switch  ret   GetLastError                           case  126                     if  attmpts    gt  2                    throw new LogonException                         Specified module could not be found  error code                             ret ToString                    break               case  1314                   throw new LogonException                     Specified module could not be found  error code                             ret ToString                  case  1326                      edited out based on comment                    throw new LogonException                       Unknown user name or bad password                 return false               default                  throw new LogonException                     Unexpected Logon Failure  Contact Administrator                                            return false      endregion Direct Logon Code  endregion NTLogonUser   except you ll need to create your own custom exception for  LogonException

User · Answer

A full  Net solution is to use the classes from the System DirectoryServices namespace  They allow to query an AD server directly  Here is a small sample that would do this   using  DirectoryEntry entry   new DirectoryEntry          entry Username    here goes the username you want to validate       entry Password    here goes the password        DirectorySearcher searcher   new DirectorySearcher entry        searcher Filter     objectclass user         try               searcher FindOne              catch  COMException ex                if  ex ErrorCode    -2147023570                           Login or password is incorrect                       FindOne   didn t throw  the credentials are correct   This code directly connects to the AD server  using the credentials provided  If the credentials are invalid  searcher FindOne   will throw an exception  The ErrorCode is the one corresponding to the  invalid username password  COM error   You don t need to run the code as an AD user  In fact  I succesfully use it to query informations on an AD server  from a client outside the domain

User · Answer

Yet another  NET call to quickly authenticate LDAP credentials   using System DirectoryServices   using var DE   new DirectoryEntry path  username  password        try               DE RefreshCache       This will force credentials validation           catch  COMException ex                   Validation failed - handle how you want

User · Answer

Try this code  NOTE  Reported to not work on windows server 2000     region NTLogonUser  region Direct OS LogonUser Code  DllImport   advapi32 dll    private static extern bool LogonUser String lpszUsername       String lpszDomain  String lpszPassword  int dwLogonType       int dwLogonProvider  out int phToken     DllImport  Kernel32 dll    private static extern int GetLastError     public static bool LogOnXP String sDomain  String sUser  String sPassword       int token1  ret     int attmpts   0      bool LoggedOn   false      while   LoggedOn  amp  amp  attmpts  lt  2             LoggedOn  LogonUser sUser  sDomain  sPassword  3  0  out token1         if  LoggedOn  return  true         else                  switch  ret   GetLastError                           case  126                     if  attmpts    gt  2                    throw new LogonException                         Specified module could not be found  error code                             ret ToString                    break               case  1314                   throw new LogonException                     Specified module could not be found  error code                             ret ToString                  case  1326                      edited out based on comment                    throw new LogonException                       Unknown user name or bad password                 return false               default                  throw new LogonException                     Unexpected Logon Failure  Contact Administrator                                            return false      endregion Direct Logon Code  endregion NTLogonUser   except you ll need to create your own custom exception for  LogonException

User · Answer

We do this on our Intranet  You have to use System DirectoryServices   Here are the guts of the code  using  DirectoryEntry adsEntry   new DirectoryEntry path  strAccountId  strPassword         using  DirectorySearcher adsSearcher   new DirectorySearcher adsEntry                   adsSearcher Filter      amp  objectClass user  objectCategory person             adsSearcher Filter     sAMAccountName     strAccountId                 try                       SearchResult adsSearchResult   adsSearcher FindOne                bSucceeded   true               strAuthenticatedBy    Active Directory               strError    User has been authenticated by Active Directory                      catch  Exception ex                           Failed to authenticate  Most likely it is caused by unknown user                id or bad strPassword              strError   ex Message                    finally                       adsEntry Close

User · Answer

Unfortunately there is no  simple  way to check a users credentials on AD   With every method presented so far  you may get a false-negative  A user s creds will be valid  however AD will return false under certain circumstances    User is required to Change Password at Next Logon  User s password has expired    ActiveDirectory will not allow you to use LDAP to determine if a password is invalid due to the fact that a user must change password or if their password has expired   To determine password change or password expired  you may call Win32 LogonUser    and check the windows error code for the following 2 constants    ERROR PASSWORD MUST CHANGE   1907  ERROR PASSWORD EXPIRED   1330

User · Answer

very simple solution using DirectoryServices   using System DirectoryServices     srvr   ldap server  e g  LDAP   domain com   usr   user name   pwd   user password public bool IsAuthenticated string srvr  string usr  string pwd        bool authenticated   false       try               DirectoryEntry entry   new DirectoryEntry srvr  usr  pwd           object nativeObject   entry NativeObject          authenticated   true            catch  DirectoryServicesCOMException cex                  not authenticated  reason why is in cex           catch  Exception ex                  not authenticated due to some other exception  this is optional             return authenticated      the NativeObject access is required to detect a bad user password

User · Answer

For me both of these below worked  make sure your Domain is given with LDAP    in start    quot LDAP    quot    domainName private void btnValidate Click object sender  RoutedEventArgs e        try               DirectoryEntry de   new DirectoryEntry txtDomainName Text  txtUsername Text  txtPassword Text           DirectorySearcher dsearch   new DirectorySearcher de           SearchResult results   null           results   dsearch FindOne             MessageBox Show  quot Validation Success  quot              catch  LdapException ex                MessageBox Show   quot Validation Failure   ex GetBaseException   Message  quot              catch  Exception ex                MessageBox Show   quot Validation Failure   ex GetBaseException   Message  quot             private void btnValidate2 Click object sender  RoutedEventArgs e        try               LdapConnection lcon   new LdapConnection new LdapDirectoryIdentifier  string null  false  false            NetworkCredential nc   new NetworkCredential txtUsername Text                                 txtPassword Text  txtDomainName Text           lcon Credential   nc          lcon AuthType   AuthType Negotiate          lcon Bind nc            MessageBox Show  quot Validation Success  quot              catch  LdapException ex                MessageBox Show   quot Validation Failure   ex GetBaseException   Message  quot              catch  Exception ex                MessageBox Show   quot Validation Failure   ex GetBaseException   Message  quot

User · Answer

A full  Net solution is to use the classes from the System DirectoryServices namespace  They allow to query an AD server directly  Here is a small sample that would do this   using  DirectoryEntry entry   new DirectoryEntry          entry Username    here goes the username you want to validate       entry Password    here goes the password        DirectorySearcher searcher   new DirectorySearcher entry        searcher Filter     objectclass user         try               searcher FindOne              catch  COMException ex                if  ex ErrorCode    -2147023570                           Login or password is incorrect                       FindOne   didn t throw  the credentials are correct   This code directly connects to the AD server  using the credentials provided  If the credentials are invalid  searcher FindOne   will throw an exception  The ErrorCode is the one corresponding to the  invalid username password  COM error   You don t need to run the code as an AD user  In fact  I succesfully use it to query informations on an AD server  from a client outside the domain

User · Answer

We do this on our Intranet  You have to use System DirectoryServices   Here are the guts of the code  using  DirectoryEntry adsEntry   new DirectoryEntry path  strAccountId  strPassword         using  DirectorySearcher adsSearcher   new DirectorySearcher adsEntry                   adsSearcher Filter      amp  objectClass user  objectCategory person             adsSearcher Filter     sAMAccountName     strAccountId                 try                       SearchResult adsSearchResult   adsSearcher FindOne                bSucceeded   true               strAuthenticatedBy    Active Directory               strError    User has been authenticated by Active Directory                      catch  Exception ex                           Failed to authenticate  Most likely it is caused by unknown user                id or bad strPassword              strError   ex Message                    finally                       adsEntry Close

User · Answer

If you work on  NET 3 5 or newer  you can use the System DirectoryServices AccountManagement namespace and easily verify your credentials      create a  principal context  - e g  your domain  could be machine  too  using PrincipalContext pc   new PrincipalContext ContextType Domain   YOURDOMAIN             validate the credentials     bool isValid   pc ValidateCredentials  myuser    mypassword        It s simple  it s reliable  it s 100  C  managed code on your end - what more can you ask for   -   Read all about it here    Managing Directory Security Principals in the  NET Framework 3 5 MSDN docs on System DirectoryServices AccountManagement   Update   As outlined in this other SO question  and its answers   there is an issue with this call possibly returning True for old passwords of a user  Just be aware of this behavior and don t be too surprised if this happens  -   thanks to  MikeGledhill for pointing this out

User · Answer

Try this code  NOTE  Reported to not work on windows server 2000     region NTLogonUser  region Direct OS LogonUser Code  DllImport   advapi32 dll    private static extern bool LogonUser String lpszUsername       String lpszDomain  String lpszPassword  int dwLogonType       int dwLogonProvider  out int phToken     DllImport  Kernel32 dll    private static extern int GetLastError     public static bool LogOnXP String sDomain  String sUser  String sPassword       int token1  ret     int attmpts   0      bool LoggedOn   false      while   LoggedOn  amp  amp  attmpts  lt  2             LoggedOn  LogonUser sUser  sDomain  sPassword  3  0  out token1         if  LoggedOn  return  true         else                  switch  ret   GetLastError                           case  126                     if  attmpts    gt  2                    throw new LogonException                         Specified module could not be found  error code                             ret ToString                    break               case  1314                   throw new LogonException                     Specified module could not be found  error code                             ret ToString                  case  1326                      edited out based on comment                    throw new LogonException                       Unknown user name or bad password                 return false               default                  throw new LogonException                     Unexpected Logon Failure  Contact Administrator                                            return false      endregion Direct Logon Code  endregion NTLogonUser   except you ll need to create your own custom exception for  LogonException

User · Answer

Windows authentication can fail for various reasons  an incorrect user name or password  a locked account  an expired password  and more  To distinguish between these errors  call the LogonUser API function via P Invoke and check the error code if the function returns false   using System  using System ComponentModel  using System Runtime InteropServices   using Microsoft Win32 SafeHandles   public static class Win32Authentication       private class SafeTokenHandle   SafeHandleZeroOrMinusOneIsInvalid               private SafeTokenHandle      called by P Invoke               base true                               protected override bool ReleaseHandle                         return CloseHandle this handle                        private enum LogonType   uint               Network   3     LOGON32 LOGON NETWORK            private enum LogonProvider   uint               WinNT50   3     LOGON32 PROVIDER WINNT50             DllImport  kernel32 dll   SetLastError   true       private static extern bool CloseHandle IntPtr handle         DllImport  advapi32 dll   SetLastError   true       private static extern bool LogonUser          string userName  string domain  string password          LogonType logonType  LogonProvider logonProvider          out SafeTokenHandle token        public static void AuthenticateUser string userName  string password                string domain   null          string   parts   userName Split                if  parts Length    2                        domain   parts 0               userName   parts 1                      SafeTokenHandle token          if  LogonUser userName  domain  password  LogonType Network  LogonProvider WinNT50  out token               token Dispose            else             throw new Win32Exception       calls Marshal GetLastWin32Error             Sample usage   try       Win32Authentication AuthenticateUser  EXAMPLE  user    P ssw0rd           Or  Win32Authentication AuthenticateUser  user example com    P ssw0rd      catch  Win32Exception ex        switch  ex NativeErrorCode                case 1326     ERROR LOGON FAILURE  incorrect user name or password                             case 1327     ERROR ACCOUNT RESTRICTION                            case 1330     ERROR PASSWORD EXPIRED                            case 1331     ERROR ACCOUNT DISABLED                            case 1907     ERROR PASSWORD MUST CHANGE                            case 1909     ERROR ACCOUNT LOCKED OUT                            default     Other             break            Note  LogonUser requires a trust relationship with the domain you re validating against

User · Answer

A full  Net solution is to use the classes from the System DirectoryServices namespace  They allow to query an AD server directly  Here is a small sample that would do this   using  DirectoryEntry entry   new DirectoryEntry          entry Username    here goes the username you want to validate       entry Password    here goes the password        DirectorySearcher searcher   new DirectorySearcher entry        searcher Filter     objectclass user         try               searcher FindOne              catch  COMException ex                if  ex ErrorCode    -2147023570                           Login or password is incorrect                       FindOne   didn t throw  the credentials are correct   This code directly connects to the AD server  using the credentials provided  If the credentials are invalid  searcher FindOne   will throw an exception  The ErrorCode is the one corresponding to the  invalid username password  COM error   You don t need to run the code as an AD user  In fact  I succesfully use it to query informations on an AD server  from a client outside the domain

User · Answer

Here my complete authentication solution for your reference   First  add the following four references   using System DirectoryServices   using System DirectoryServices Protocols   using System DirectoryServices AccountManagement   using System Net    private void AuthUser              try              string Uid    USER NAME               string Pass    PASSWORD               if  Uid                                      MessageBox Show  Username cannot be null                              else if  Pass                                      MessageBox Show  Password cannot be null                              else                               LdapConnection connection   new LdapConnection  YOUR DOMAIN                    NetworkCredential credential   new NetworkCredential Uid  Pass                   connection Credential   credential                  connection Bind                        after authenticate Loading user details to data table                 PrincipalContext ctx   new PrincipalContext ContextType Domain                   UserPrincipal user   UserPrincipal FindByIdentity ctx  Uid                   DirectoryEntry up User    DirectoryEntry user GetUnderlyingObject                    DirectorySearcher deSearch   new DirectorySearcher up User                   SearchResultCollection results   deSearch FindAll                    ResultPropertyCollection rpc   results 0  Properties                  DataTable dt   new DataTable                    DataRow toInsert   dt NewRow                    dt Rows InsertAt toInsert  0                    foreach  string rp in rpc PropertyNames                                        if  rpc rp  0  ToString       System Byte                                                   dt Columns Add rp ToString    typeof System String                             foreach  DataRow row in dt Rows                                                        row rp ToString      rpc rp  0  ToString                                                                                        You can load data to grid view and see for reference only                  dataGridView1 DataSource   dt                              Error Handling part         catch  LdapException lexc                        String error   lexc ServerErrorMessage              string pp   error Substring 76  4               string ppp   pp Trim                 if   52e     ppp                                MessageBox Show  Invalid Username or password  contact ADA Team                              if   775      ppp                                MessageBox Show  User account locked  contact ADA Team                              if   525      ppp                                MessageBox Show  User not found  contact ADA Team                              if   530     ppp                                MessageBox Show  Not permitted to logon at this time  contact ADA Team                              if   531     ppp                                MessageBox Show  Not permitted to logon at this workstation  contact ADA Team                              if   532     ppp                                MessageBox Show  Password expired  contact ADA Team                              if   533      ppp                                MessageBox Show  Account disabled  contact ADA Team                              if   533      ppp                                MessageBox Show  Account disabled  contact ADA Team                                 common error handling         catch  Exception exc                        MessageBox Show  Invalid Username or password  contact ADA Team                        finally               tbUID Text                   tbPass Text

User · Answer

Here my complete authentication solution for your reference   First  add the following four references   using System DirectoryServices   using System DirectoryServices Protocols   using System DirectoryServices AccountManagement   using System Net    private void AuthUser              try              string Uid    USER NAME               string Pass    PASSWORD               if  Uid                                      MessageBox Show  Username cannot be null                              else if  Pass                                      MessageBox Show  Password cannot be null                              else                               LdapConnection connection   new LdapConnection  YOUR DOMAIN                    NetworkCredential credential   new NetworkCredential Uid  Pass                   connection Credential   credential                  connection Bind                        after authenticate Loading user details to data table                 PrincipalContext ctx   new PrincipalContext ContextType Domain                   UserPrincipal user   UserPrincipal FindByIdentity ctx  Uid                   DirectoryEntry up User    DirectoryEntry user GetUnderlyingObject                    DirectorySearcher deSearch   new DirectorySearcher up User                   SearchResultCollection results   deSearch FindAll                    ResultPropertyCollection rpc   results 0  Properties                  DataTable dt   new DataTable                    DataRow toInsert   dt NewRow                    dt Rows InsertAt toInsert  0                    foreach  string rp in rpc PropertyNames                                        if  rpc rp  0  ToString       System Byte                                                   dt Columns Add rp ToString    typeof System String                             foreach  DataRow row in dt Rows                                                        row rp ToString      rpc rp  0  ToString                                                                                        You can load data to grid view and see for reference only                  dataGridView1 DataSource   dt                              Error Handling part         catch  LdapException lexc                        String error   lexc ServerErrorMessage              string pp   error Substring 76  4               string ppp   pp Trim                 if   52e     ppp                                MessageBox Show  Invalid Username or password  contact ADA Team                              if   775      ppp                                MessageBox Show  User account locked  contact ADA Team                              if   525      ppp                                MessageBox Show  User not found  contact ADA Team                              if   530     ppp                                MessageBox Show  Not permitted to logon at this time  contact ADA Team                              if   531     ppp                                MessageBox Show  Not permitted to logon at this workstation  contact ADA Team                              if   532     ppp                                MessageBox Show  Password expired  contact ADA Team                              if   533      ppp                                MessageBox Show  Account disabled  contact ADA Team                              if   533      ppp                                MessageBox Show  Account disabled  contact ADA Team                                 common error handling         catch  Exception exc                        MessageBox Show  Invalid Username or password  contact ADA Team                        finally               tbUID Text                   tbPass Text

User · Answer

Probably easiest way is to PInvoke LogonUser Win32 API e g      http   www pinvoke net default aspx advapi32 LogonUser html   MSDN Reference here        http   msdn microsoft com en-us library aa378184 aspx   Definitely want to use logon type  LOGON32 LOGON NETWORK  3    This creates a lightweight token only - perfect for AuthN checks    other types can be used to build interactive sessions etc

User · Answer

We do this on our Intranet  You have to use System DirectoryServices   Here are the guts of the code  using  DirectoryEntry adsEntry   new DirectoryEntry path  strAccountId  strPassword         using  DirectorySearcher adsSearcher   new DirectorySearcher adsEntry                   adsSearcher Filter      amp  objectClass user  objectCategory person             adsSearcher Filter     sAMAccountName     strAccountId                 try                       SearchResult adsSearchResult   adsSearcher FindOne                bSucceeded   true               strAuthenticatedBy    Active Directory               strError    User has been authenticated by Active Directory                      catch  Exception ex                           Failed to authenticate  Most likely it is caused by unknown user                id or bad strPassword              strError   ex Message                    finally                       adsEntry Close

User · Answer

Probably easiest way is to PInvoke LogonUser Win32 API e g      http   www pinvoke net default aspx advapi32 LogonUser html   MSDN Reference here        http   msdn microsoft com en-us library aa378184 aspx   Definitely want to use logon type  LOGON32 LOGON NETWORK  3    This creates a lightweight token only - perfect for AuthN checks    other types can be used to build interactive sessions etc

User · Answer

For me both of these below worked  make sure your Domain is given with LDAP    in start    quot LDAP    quot    domainName private void btnValidate Click object sender  RoutedEventArgs e        try               DirectoryEntry de   new DirectoryEntry txtDomainName Text  txtUsername Text  txtPassword Text           DirectorySearcher dsearch   new DirectorySearcher de           SearchResult results   null           results   dsearch FindOne             MessageBox Show  quot Validation Success  quot              catch  LdapException ex                MessageBox Show   quot Validation Failure   ex GetBaseException   Message  quot              catch  Exception ex                MessageBox Show   quot Validation Failure   ex GetBaseException   Message  quot             private void btnValidate2 Click object sender  RoutedEventArgs e        try               LdapConnection lcon   new LdapConnection new LdapDirectoryIdentifier  string null  false  false            NetworkCredential nc   new NetworkCredential txtUsername Text                                 txtPassword Text  txtDomainName Text           lcon Credential   nc          lcon AuthType   AuthType Negotiate          lcon Bind nc            MessageBox Show  quot Validation Success  quot              catch  LdapException ex                MessageBox Show   quot Validation Failure   ex GetBaseException   Message  quot              catch  Exception ex                MessageBox Show   quot Validation Failure   ex GetBaseException   Message  quot

User · Answer

Unfortunately there is no  simple  way to check a users credentials on AD   With every method presented so far  you may get a false-negative  A user s creds will be valid  however AD will return false under certain circumstances    User is required to Change Password at Next Logon  User s password has expired    ActiveDirectory will not allow you to use LDAP to determine if a password is invalid due to the fact that a user must change password or if their password has expired   To determine password change or password expired  you may call Win32 LogonUser    and check the windows error code for the following 2 constants    ERROR PASSWORD MUST CHANGE   1907  ERROR PASSWORD EXPIRED   1330

User · Answer

Several solutions presented here lack the ability to differentiate between a wrong user   password  and a password that needs to be changed  That can be done in the following way   using System  using System DirectoryServices Protocols  using System Net   namespace ProtocolTest       class Program               static void Main string   args                        try                               LdapConnection connection   new LdapConnection  ldap fabrikam com                    NetworkCredential credential   new NetworkCredential  user    password                    connection Credential   credential                  connection Bind                    Console WriteLine  logged in                              catch  LdapException lexc                                String error   lexc ServerErrorMessage                  Console WriteLine lexc                             catch  Exception exc                                Console WriteLine exc                                     If the users password is wrong  or the user doesn t exists  error will contain    8009030C  LdapErr  DSID-0C0904DC  comment  AcceptSecurityContext error  data 52e  v1db1     if the users password needs to be changed  it will contain    8009030C  LdapErr  DSID-0C0904DC  comment  AcceptSecurityContext error  data 773  v1db1   The lexc ServerErrorMessage data value is a hex representation of the Win32 Error Code   These are the same error codes which would be returned by otherwise invoking the Win32 LogonUser API call   The list below summarizes a range of common values with hex and decimal values   525  user not found   1317  52e  invalid credentials   1326  530  not permitted to logon at this time   1328  531  not permitted to logon at this workstation   1329  532  password expired   1330  533  account disabled   1331   701  account expired   1793  773  user must reset password  1907  775  user account locked  1909

[c#] Validate a username and password against Active Directory?

Examples related to c#

Examples related to authentication

Examples related to active-directory