
I have a program in which a user base is held in Active Directory. It uses ADFS as the go-between from the AD and my program. I use a C# Security Token to get a valid token from ADFS once a person attempts to log in.

If the login attempt fails for ANY reason, I receive an error 3242.

{"ID3242: The security token could not be authenticated or authorized."}

This happens when I enter a bad username, or a bad password, or the password has expired in Active Directory.

If a user fails to log in, I want to be able to give them a better error message as to WHY they weren't able to. It would be ideal to tell them that their password is expired (if it is), and perhaps provide instructions on how to reset it, etc.

So my question to you all is this: while using a C# SecurityToken object, how can I provide a user with better error messages upon a login failure?

I am very new to these concepts, so I apologize in advance for skimpy details. This post is me putting my feelers out to see if anyone can point me in a good direction. Thank you in advance for your time and responses.

mherr

2 Answers


You cannot get the error message behavior itself to be any different. However, you could catch the exception and query AD to determine if the user exists, if the account is disabled, and if the account is expired, then wrap the original exception in a new exception that gives the additional details and throw that. However, it's also usually not a good idea to provide information on whether or not it was the username or password that was bad, etc. because an attacker could use this to gain useful information about your system. It is for that reason that the error message does not return such information in the first place. An admin can always check the account when a user reports a problem.

JamieSee
  • Thanks very much for your response! You have good points, and good ideas! Let's say that I just wanted to see if an account was expired, do you know of any C# libraries that would enable me to query such a thing? – mherr Jul 17 '12 at 19:26
  • System.DirectoryServices Namespace seems to be a place people start with this sort of task. – mherr Jul 17 '12 at 19:44
  • See http://stackoverflow.com/questions/1394025/active-directory-ldap-check-account-locked-out-password-expired. – JamieSee Jul 17 '12 at 20:27
  • Thank you for your continued response :) I may end up not being able to query AD from my program for security reasons, but I appreciate your help and time. – mherr Jul 18 '12 at 14:07

Your question asks about "expired password" whereas your comment refers to "expired account". They are very different beasts!

Expired password - ms-DS-User-Account-Control-Computed attribute

Expired account:

```csharp
using System.DirectoryServices.AccountManagement;
// Look the existing user up; new UserPrincipal(ctx) would create an unsaved object with no date.
principalContext = new PrincipalContext(ContextType.Domain, null, ldapOU);
userPrincipal = UserPrincipal.FindByIdentity(principalContext, userName);
DateTime? date = userPrincipal.AccountExpirationDate; // null means the account never expires
```

will give you the date and then simply compare.

rbrayb
  • You are right, that is just an example of my unfamiliarity with this domain thus far :) Thank you for your response! What I did mean however, was expired passwords. I am going to research your suggestions! – mherr Jul 18 '12 at 13:47
  • ms-DS-User-Account-Control-Computed attribute - Is this something that is accessible from C#? I see that there are return values such as UF_PASSWORD_EXPIRED, but where would this result be present? – mherr Jul 18 '12 at 14:30
  • Indeed it is. Page down to the bottom of the article and there's a code snippet. The snippet shows UF_LOCKOUT but you just need to substitute UF_PASSWORD_EXPIRED. – rbrayb Jul 18 '12 at 19:35
  • Thank you for your response! I will have to investigate the snippet tomorrow :) – mherr Jul 18 '12 at 20:57
  • It turns out that I am not able to use these concepts due to programming concepts/security problems. However, I will mark this one as the answer. Most of my research has pointed towards code snippets of this nature, even if they weren't using these objects specifically. – mherr Jul 23 '12 at 13:38
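The following is an added example, not code from either answer. It puts the two answers together: after the ADFS call fails, it looks the account up in AD, wraps the original exception with the detail (as JamieSee suggests) while keeping the user-facing text generic, and distinguishes an expired account (AccountExpirationDate) from an expired password (the UF_PASSWORD_EXPIRED bit of msDS-User-Account-Control-Computed, as rbrayb suggests). It assumes a domain-joined machine, references to System.DirectoryServices and System.DirectoryServices.AccountManagement, and that the caller passes in its own ADFS token request as a delegate; the exception type thrown for ID3242 depends on the WIF/WCF stack, so it is caught broadly.

```csharp
// Added example, not code from either answer. Assumes a domain-joined machine and
// references to System.DirectoryServices and System.DirectoryServices.AccountManagement.
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

public sealed class AccountState
{
    public bool Exists, Disabled, LockedOut, AccountExpired, PasswordExpired;
    public override string ToString() =>
        $"exists={Exists} disabled={Disabled} lockedOut={LockedOut} " +
        $"accountExpired={AccountExpired} passwordExpired={PasswordExpired}";
}

// Carries the AD detail for the server-side log; the user only ever sees UserMessage.
public sealed class LoginFailureException : Exception
{
    public const string UserMessage = "Sign-in failed. Contact your help desk if the problem continues.";
    public AccountState State { get; }
    public LoginFailureException(AccountState state, Exception inner)
        : base("Login failed: " + state, inner) { State = state; }
}

public static class AdAccountCheck
{
    // Bit values shared by userAccountControl and msDS-User-Account-Control-Computed.
    const int UF_LOCKOUT = 0x0010;
    const int UF_PASSWORD_EXPIRED = 0x800000;
    const string ComputedAttr = "msDS-User-Account-Control-Computed";

    public static AccountState Inspect(string samAccountName)
    {
        var state = new AccountState();
        using (var ctx = new PrincipalContext(ContextType.Domain))
        using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
        {
            if (user == null) return state;               // Exists stays false

            state.Exists = true;
            state.Disabled = user.Enabled == false;       // Enabled is bool?; null = not set
            state.LockedOut = user.IsAccountLockedOut();
            // Expired account: a null AccountExpirationDate means "never expires".
            state.AccountExpired = user.AccountExpirationDate.HasValue
                                   && user.AccountExpirationDate.Value <= DateTime.UtcNow;

            // Expired password: the computed attribute is not loaded by default,
            // so request it explicitly through the underlying DirectoryEntry.
            var entry = (DirectoryEntry)user.GetUnderlyingObject();
            entry.RefreshCache(new[] { ComputedAttr });
            int flags = (int)entry.Properties[ComputedAttr].Value;
            state.PasswordExpired = (flags & UF_PASSWORD_EXPIRED) != 0;
            // The same attribute carries UF_LOCKOUT; merge it with IsAccountLockedOut().
            state.LockedOut |= (flags & UF_LOCKOUT) != 0;
        }
        return state;
    }

    // requestToken is the caller's existing ADFS call, expected to throw on ID3242.
    public static void Login(string userName, Action requestToken, Action<string> serverLog)
    {
        try
        {
            requestToken();
        }
        catch (Exception ex) // exact type varies by WIF/WCF stack; caught broadly (assumption)
        {
            AccountState state;
            try { state = Inspect(userName); }
            catch (Exception lookupEx)
            {
                serverLog("AD lookup for " + userName + " failed: " + lookupEx.Message);
                throw;                                   // keep the original ADFS failure
            }
            // Detail goes to the server log and the wrapped exception, never to the browser.
            serverLog("Login failure for " + userName + ": " + state + " [" + ex.Message + "]");
            throw new LoginFailureException(state, ex);  // UI displays LoginFailureException.UserMessage
        }
    }
}
```

The UI layer catches LoginFailureException and shows only the constant UserMessage; the State and the inner exception stay in the log where an admin can read them when the user reports the problem, which keeps the "was it the username or the password" detail off the login page as JamieSee's answer recommends.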