
I want to authenticate User against the MS Active Directory Server.

As there are two namespaces available for doing that, I want to go with System.DirectoryServices.Protocols.

Currently I am validating the user using the following code:

using System.DirectoryServices.Protocols;
using System.Net;

var valid = false;

var credentials = new NetworkCredential("user01", "password01");
var serverId = new LdapDirectoryIdentifier("192.168.1.21:389");

// No AuthType given, so the connection uses the default (Negotiate),
// which may fall back to NTLM.
var conn = new LdapConnection(serverId, credentials);

try
{
    // A successful bind means the server accepted the credentials.
    conn.Bind();
    valid = true;
}
catch (LdapException)
{
    // Bind failed: credentials rejected or server not reachable.
}

The above code validates the user correctly, but it also validates against the old password.

How can I get rid of this?

I have checked the following questions:

Validate a username and password against Active Directory?

Why does Active Directory validate last password?


1 Answer


The highest voted answer in the second question you linked to has everything you need to know. The only way an old password is ever allowed is if NTLM is the authentication mechanism used. If you want to prevent that, you have to tell it to only use Kerberos and not NTLM:

var conn = new LdapConnection(serverId, credentials, AuthType.Kerberos);

I saw your comment on that answer, saying that with that, all authentication fails, even with the right password. That just means that Kerberos authentication isn't working. That's a whole other troubleshooting mess. If the server you are running this on is joined to the same (or trusted) domain as the user you are authenticating, then there really is no reason Kerberos shouldn't work. But if the server is outside of the domain, it can be troublesome to set up Kerberos.

Here's some reading on that:

Or you might decide to just ignore this and let it use NTLM. It only allows an old password for 1 hour after the change anyway.
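A reusable Kerberos-only check built around the constructor from the answer, as an added example that is not code from the question or the answer. The domain controller name, port and account are placeholders, and treating LDAP result code 49 (invalidCredentials) as "wrong password" versus anything else as "Kerberos or transport problem" is an assumption about what the server returns.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Added example: bind with AuthType.Kerberos so the NTLM fallback, and with it
// the one-hour old-password window, never applies. All values are placeholders.
public static class AdAuthenticator
{
    public sealed class BindResult
    {
        public bool Success;
        public int ErrorCode;   // LDAP result code reported by the server; 0 on success
        public string Message;
    }

    public static BindResult Validate(string dcHostName, int port, string userPrincipalName, string password)
    {
        // Use the DC's DNS name rather than an IP address: the Kerberos service ticket
        // is requested for ldap/<host>, and that lookup fails for a bare IP.
        var identifier = new LdapDirectoryIdentifier(dcHostName, port);
        var credentials = new NetworkCredential(userPrincipalName, password);

        using (var conn = new LdapConnection(identifier, credentials, AuthType.Kerberos))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.Signing = true;   // integrity-protect the session after bind
            conn.SessionOptions.Sealing = true;   // and encrypt it
            try
            {
                conn.Bind();
                return new BindResult { Success = true, Message = "bind succeeded" };
            }
            catch (LdapException ex)
            {
                // Assumption: 49 means the password was rejected; any other code usually points
                // at the Kerberos setup problems the answer describes, not at a wrong password.
                var detail = ex.ServerErrorMessage != null ? " / " + ex.ServerErrorMessage : "";
                return new BindResult { Success = false, ErrorCode = ex.ErrorCode, Message = ex.Message + detail };
            }
        }
    }

    public static void Main()
    {
        // Placeholder values; replace with a real domain controller and account.
        var result = Validate("dc01.example.internal", 389, "user01@example.internal", "password01");
        Console.WriteLine(result.Success ? "valid" : $"rejected: code {result.ErrorCode}, {result.Message}");
        if (!result.Success && result.ErrorCode != 49)
            Console.WriteLine("Not a wrong-password failure: check domain membership, DNS, SPN and clock sync.");
    }
}
```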