4
votes

I have a web application with a login page. How do I authenticate against the Active Directory users?

As of now I am able to get some properties from the Active Directory, which confirms I am able to communicate with AD via an LDAP string. I know it's not possible to extract the password from AD and authenticate against the user-entered password!!

Is there a way I can authenticate against the Active Directory users?

Here is my code so far:

    using System.Configuration;
    using System.DirectoryServices;

    public class Userdetails
    {
        public static string ADPath = ConfigurationManager.AppSettings.Get("ADPath"); // Get the ADAM path from the web.config file
        public static string ADUser = ConfigurationManager.AppSettings.Get("ADUser"); // ADAM administrator
        public static string ADPassword = ConfigurationManager.AppSettings.Get("ADPassword"); // ADAM administrator password

        public static DirectoryEntry GetUserDetails(string userID)
        {
            AuthenticationTypes AuthTypes;  // Authentication flags.
            // Set authentication flags.
            // For non-secure connection, use LDAP port and
            //  ADS_USE_SIGNING |
            //  ADS_USE_SEALING |
            //  ADS_SECURE_AUTHENTICATION
            // For secure connection, use SSL port and
            //  ADS_USE_SSL | ADS_SECURE_AUTHENTICATION
            AuthTypes = AuthenticationTypes.Signing |
                AuthenticationTypes.Sealing |
                AuthenticationTypes.Secure;
            DirectoryEntry De = new DirectoryEntry(ADPath, ADUser, ADPassword, AuthTypes);
            DirectorySearcher Ds = new DirectorySearcher(De);
            SearchResult Sr;
            Ds.SearchScope = SearchScope.Subtree;
            // NOTE: userID is concatenated into the filter unescaped; a value containing
            // LDAP filter metacharacters would change the meaning of the query.
            Ds.Filter = "(&(objectclass=*)(cn=" + userID + "))";
            Sr = Ds.FindOne();
            if (!(Sr == null))
            {
                De = new DirectoryEntry(Sr.Path, ADUser, ADPassword, AuthTypes);
                return De;
            }
            else
            {
                return null;
            }
        }
    }
An Active Directory server will be able to receive username and password and tell you if it's the correct password or not, without enabling reversible passwords. So it should be possible. - jishi

What version of C# are you using? - chilltemp

Then only use DirectoryEntry/DirectorySearcher as a last resort. Use the config based option from Wiktor or Brian's code. Both are much easier to use. - chilltemp

Possible duplicate or related - stackoverflow.com/questions/2538064/… - John Alexiou

3 Answers

2
votes

If you are going to only authenticate against the AD and do not have to perform other AD-specific operations, why don't you stick with the built-in ActiveDirectoryMembershipProvider instead of writing custom code?

Please take a look:

http://msdn.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx

7
votes

http://msdn.microsoft.com/en-us/library/bb299745.aspx

http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.aspx

http://msdn.microsoft.com/en-us/magazine/cc135979.aspx

    using System.Diagnostics;
    using System.DirectoryServices.AccountManagement;

    public bool Validate(string username, string password)
    {
        //ex PrincipalContext principalContext = new PrincipalContext(ContextType.ApplicationDirectory,"sea-dc-02.fabrikam.com:50001","ou=ADAM Users,o=microsoft,c=us",ContextOptions.SecureSocketLayer | ContextOptions.SimpleBind,"CN=administrator,OU=ADAM Users,O=Microsoft,C=US","P@55w0rd0987");

        try
        {
            // Configuration.Config.ActiveDirectory.* is the answerer's own settings class (server name and container DN).
            using (PrincipalContext principalContext = new PrincipalContext(ContextType.Domain, Configuration.Config.ActiveDirectory.PrimaryServer, Configuration.Config.ActiveDirectory.Container, ContextOptions.Negotiate))
            {
                return principalContext.ValidateCredentials(username, password);
            }
        }
        catch (PrincipalServerDownException)
        {
            Debug.WriteLine("PrimaryServer={0};Container={1}", Configuration.Config.ActiveDirectory.PrimaryServer, Configuration.Config.ActiveDirectory.Container);
            Debug.WriteLine("LDAP://{0}/{1}", Configuration.Config.ActiveDirectory.PrimaryServer, Configuration.Config.ActiveDirectory.Container);
            throw;
        }
    }
1
votes

Creating a new DirectoryEntry with a password and using it with a DirectorySearcher will validate the password and throw an exception if it fails. An important exception to this is empty/null passwords. Most LDAP servers (I think that AD is included) will ignore the password parameter if it is null or empty. So you should test for that first.

Old MSDN sample
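Pulling the answers together, as an added example that is not code from the question or any of the answers: the PrincipalContext.ValidateCredentials check from the second answer, the null/empty-password guard the last answer warns about, and the question's lookup by cn with the user-supplied value escaped so it cannot alter the LDAP filter. The domain, container, LDAP path and service-account credentials are placeholders to be read from configuration.

```csharp
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Text;

// Added example, not code from the question or any answer.
public static class AdLogin
{
    // RFC 4515 escaping so filter metacharacters in user input cannot alter the query.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // domain and container are placeholders, e.g. "corp.example.com" and "DC=corp,DC=example,DC=com".
    public static bool Authenticate(string domain, string container, string username, string password)
    {
        // An empty password is treated as an anonymous bind by many LDAP servers: reject it before binding.
        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrEmpty(password))
            return false;

        using (var ctx = new PrincipalContext(ContextType.Domain, domain, container, ContextOptions.Negotiate))
            return ctx.ValidateCredentials(username, password, ContextOptions.Negotiate);
    }

    // The question's lookup by cn with the value escaped; ldapPath and the service account are placeholders.
    public static SearchResult FindUser(string ldapPath, string svcUser, string svcPassword, string cn)
    {
        var authTypes = AuthenticationTypes.Secure | AuthenticationTypes.Signing | AuthenticationTypes.Sealing;
        using (var root = new DirectoryEntry(ldapPath, svcUser, svcPassword, authTypes))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.SearchScope = SearchScope.Subtree;
            searcher.Filter = "(&(objectClass=user)(cn=" + EscapeFilterValue(cn) + "))";
            return searcher.FindOne();
        }
    }
}
```

The process identity running FindUser (the web application's pool account) must be permitted to read the directory, and the service-account password should come from protected configuration rather than plain web.config text.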