
I am developing a WCF service which can be consumed by mobile applications to authenticate users against the corporate extranet Active Directory. I am using a customized version of this implementation from Microsoft. I need to implement the account lock-out logic so that after n retries the account in Active Directory gets locked out.

I tried a stateful WCF service to keep track of the failed log-ins. But the client can start over in the next session and continue with the attack.

I know that the Active Directory policy can be set to enforce this, but just querying the AD (like the Microsoft solution does to authenticate the user) does not lock out the user.

So I am looking for a solution that works the way logging in to Windows does: after n incorrect passwords, the account gets locked out as per the policy set in the AD.

Rahees
  • I don't understand what you're trying to do here... why should the WCF service have to deal with this? The number of invalid password attempts against Active Directory that will cause a lockout is solely the responsibility of Active Directory itself, and is configured there. No matter which way you attempt to authenticate - after a given number of attempts with a wrong password, the account should be locked out. – marc_s Jun 16 '12 at 15:19

2 Answers


I have not seen your code, so I'm guessing you have a solution similar to the one implemented in this example; have a look at this link.

In the above example, please have a look at the line

DirectoryEntry entry = new DirectoryEntry(_path, domainAndUsername, pwd);

This entry object is used for authentication when you make a search call on Active Directory.

If you are using the user/password that you want to authenticate, then you need not worry about locking it in your code. The Active Directory policy would be enough.

But after reading your comment I guess you have one specific user that you use to search for the mobile application users, to check whether they exist in your Active Directory or not. If this is the case, effectively you are never authenticating the mobile users, so those users are never going to be blocked automatically.

I would be interested to know your answer.

Darshana
Balpreet Patil

There are basically two ways of doing this:

  • You continue with the directory search method you are using, but track the number of failed logins for each user in a custom database, and check this database before doing the directory search.
  • Use the Windows login instead, and rely on AD to lock out the user. For a description of how to do this, check: Active Directory (LDAP) - Check account locked out / Password expired

Edit

After seeing marc_s's comment, I am unsure whether doing the directory search will lock out or not. It would actually be a serious security hole if you could try an infinite number of times. But you would need an account that is allowed to query AD before you could use it.

The code you linked to had this line:

object obj = entry.NativeObject;

which was there to force authentication. Have you included this line?

Shiraz Bhaiji
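One way to do what both answers describe, binding to the directory with the user's own credentials (so the domain controller counts each failed attempt toward its lockout policy) and forcing the bind by touching NativeObject as in the linked code. This is an added example, not code from the question or either answer; the LDAP path, the domain name and the AuthResult type are assumptions, and the "data 52e"/"data 775" sub-codes are the standard AD bind error codes for a bad password and a locked-out account.

```csharp
// Added example (not from the question or the answers): authenticate a user by
// binding to AD with the user's own credentials, so the AD lockout policy applies.
// ldapPath and domain are assumed to come from the service's configuration.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

public enum AuthResult { Success, BadCredentials, LockedOut, OtherFailure }

public static class AdAuthenticator
{
    // ldapPath is a placeholder such as "LDAP://dc.example.corp/DC=example,DC=corp".
    public static AuthResult Authenticate(string ldapPath, string domain, string userName, string password)
    {
        // A simple bind with an empty password is treated as an anonymous bind by the
        // directory and can succeed without proving anything, so reject it up front.
        if (string.IsNullOrEmpty(password)) return AuthResult.BadCredentials;

        string domainAndUserName = domain + @"\" + userName;
        try
        {
            using (var entry = new DirectoryEntry(ldapPath, domainAndUserName, password, AuthenticationTypes.Secure))
            {
                // The constructor does not contact the directory. Reading NativeObject
                // forces the bind; that is the call which succeeds or fails with the
                // supplied credentials and which the DC counts toward lockout.
                object nativeObject = entry.NativeObject;
            }
            return AuthResult.Success;
        }
        catch (DirectoryServicesCOMException ex)
        {
            // The DC reports the reason in the extended error text, e.g. "... data 52e ..."
            // (bad password) or "... data 775 ..." (account locked out). Whether to surface
            // LockedOut to the mobile client is a design decision: it reveals account state.
            string detail = ex.ExtendedErrorMessage ?? string.Empty;
            if (detail.Contains("data 775")) return AuthResult.LockedOut;
            if (detail.Contains("data 52e")) return AuthResult.BadCredentials;
            return AuthResult.OtherFailure;
        }
        catch (COMException)
        {
            // Bad LDAP path, unreachable server, etc.: not a verdict on the credentials.
            return AuthResult.OtherFailure;
        }
    }
}
```

Because the bind is made as the user rather than as a shared search account, no per-user counter in the WCF service is needed: the DC's own bad-password count, and therefore the domain lockout policy, does the work.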