
I'll start off by saying that I have no idea if what I want can actually be done. If that's the case, do not hesitate to tell me that I'm dreaming.

I want to create a custom active directory "authenticator" in C#. By that, I mean, I would like that whenever someone logs in, their password stored in the AD is checked first, and then a second step of authentication is performed. Only if both steps pass does the user get to log in.

Now, I imagine the above isn't too far-fetched, providing I wanted to integrate this authenticator into a custom product, right? Am I totally insane for also wondering if this authenticator can be used when, say, logging into Windows itself? Or perhaps a pre-existing product which authenticates against the AD?

If I'm not dreaming, would anyone also know of any good articles/APIs to get me going? The APIs don't have to be free, as I'm willing to part with some cash to get things moving faster.

Terry Gardner
Paul McLean

1 Answer


This is entirely feasible. However, I'd like to note that, when issuing a server bind to Active Directory, you're checking the provided username (usually the sAMAccountName) and the password entered in one action. There are a few ways of doing this in C#, but many folks (including myself) have opted to use the System.DirectoryServices and System.DirectoryServices.Protocols namespaces.

This is how I currently bind users to Active Directory; based on the result of this method, I either display the reason for the authorization failure, or I allow them to continue on to their account within the application.

using System.DirectoryServices.Protocols;
using System.Net;

//Define your connection
LdapConnection ldapConnection = new LdapConnection("123.456.789.10:389");

try
{
    //Authenticate the username and password
    using (ldapConnection)
    {
        //Pass in the network creds, and the domain.
        var networkCredential = new NetworkCredential(Username, Password, Domain);
        //Since we're using unsecured port 389, set to false. If using port 636 over SSL, set this to true.
        ldapConnection.SessionOptions.SecureSocketLayer = false;
        //Note: this callback accepts every server certificate, so it disables certificate validation when SSL is on.
        ldapConnection.SessionOptions.VerifyServerCertificate += delegate { return true; };
        //To force NTLM\Kerberos use AuthType.Negotiate, for non-TLS and unsecured, use AuthType.Basic
        ldapConnection.AuthType = AuthType.Basic;
        ldapConnection.Bind(networkCredential);
    }
}
catch (LdapException ldapException)
{
    //Authentication failed, exception will dictate why
}

If you'd like to go a step further and retrieve properties about this user as well, check out this thread here.

Also, I highly recommend Softerra's LDAP Browser for testing anything LDAP related - it is a wonderful product, and it's free. You can download it from here.

Hopefully that gets you going in the right direction.

Community
X3074861X
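As an added example (not code from the question or the answer above), here is how the two-step flow the question describes can be built on the same System.DirectoryServices.Protocols bind: step one binds to the domain controller with the user's credentials, and only if the directory accepts the password does step two run a caller-supplied check. The host name dc01.example.local, port 636 and the second-step delegate are assumptions; the sample codes in Main are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Net;

// Added example: LDAP bind as step one, a pluggable second step afterwards.
public sealed class TwoStepAuthenticator
{
    public enum Outcome { Success, BadCredentials, SecondStepFailed, DirectoryUnavailable }

    private readonly string _ldapHost;   // e.g. "dc01.example.local" (assumed host name)
    private readonly string _domain;
    private readonly Func<string, string, bool> _secondStep;

    public TwoStepAuthenticator(string ldapHost, string domain, Func<string, string, bool> secondStep)
    {
        _ldapHost = ldapHost;
        _domain = domain;
        _secondStep = secondStep;
    }

    public Outcome Authenticate(string username, string password, string secondFactor)
    {
        // An LDAP simple bind with an empty password is an anonymous bind and succeeds,
        // so an empty password must be rejected before talking to the directory at all.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return Outcome.BadCredentials;

        try
        {
            // Step 1: bind over LDAPS (port 636) so the credentials are not sent in the clear.
            using (var connection = new LdapConnection(new LdapDirectoryIdentifier(_ldapHost, 636)))
            {
                connection.SessionOptions.SecureSocketLayer = true;
                connection.SessionOptions.ProtocolVersion = 3;
                // Negotiate selects Kerberos or NTLM; Basic would send the password as plain text.
                connection.AuthType = AuthType.Negotiate;
                // No VerifyServerCertificate override: the server certificate is validated normally.
                connection.Bind(new NetworkCredential(username, password, _domain));
            }
        }
        catch (LdapException ex) when (ex.ErrorCode == 49)
        {
            // LDAP resultCode 49 = invalidCredentials: wrong password, locked or disabled account.
            return Outcome.BadCredentials;
        }
        catch (LdapException)
        {
            // Any other LDAP failure (server unreachable, TLS handshake failed, ...) is not a
            // credential problem and should be reported separately, not as "bad password".
            return Outcome.DirectoryUnavailable;
        }

        // Step 2 runs only after the directory accepted the password, so the second factor
        // is never evaluated for a caller who could not prove the first one.
        return _secondStep(username, secondFactor) ? Outcome.Success : Outcome.SecondStepFailed;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed per-user one-time codes standing in for a real second-step store.
        var issuedCodes = new Dictionary<string, string> { { "jdoe", "482913" } };
        bool SecondStep(string user, string code) =>
            issuedCodes.TryGetValue(user, out var expected) && expected == code;

        var authenticator = new TwoStepAuthenticator("dc01.example.local", "EXAMPLE", SecondStep);
        var result = authenticator.Authenticate("jdoe", "password-from-login-form", "482913");
        Console.WriteLine(result);
    }
}
```

The bind itself is the same call as in the answer; what this adds is the ordering (second step only after a successful bind), the empty-password guard, and separating "wrong credentials" from "directory unreachable" so a login page does not report an outage as a bad password.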