
I have some code that uses the PrincipalContext object with a specific username and password passed into its constructor to bind to Active Directory.

Then a call is made to .ValidateCredentials(), passing in a different username and password for the user being validated.

My question is, what permission is necessary in Active Directory in order for the first user to bind in Active Directory?

JD.
    To ***bind***, you just need to pass in any AuthenticatablePrincipal object that is currently active (did you know computers have passwords they log in to the domain with too? They get changed every few weeks automatically, [it can wreak havoc on you if you are working with VMs and rolling back snapshots](http://www.petri.co.il/working-with-domain-member-virtual-machines-and-snapshots.htm)), however I don't know if it requires more rights to ***validate*** credentials. (in summary: Your title is good but the body of your question is not) – Scott Chamberlain Dec 09 '13 at 23:05

2 Answers


When I began working on the subject I found everything very confusing. This tutorial was one of the better ones to get started with, as there are a lot of acronyms, which adds difficulty: https://hynek.me/articles/ldap-a-gentle-introduction/

I would refer you to a similar question on validation, but not specifically on credentials, as there are several code snippets that are relevant to this type of work.

Validate a username and password against Active Directory?

What I think you are asking about is an Authentication function.

I think posting my entire code can only confuse you, so I will explain the structure of it, hope that gets you going, and give a snippet.

The way I have done it (and there are many methods) is the following:

A public class LdapAuthentication with a method IsAuthenticated, where the method is passed the domain, user name, and password.

Then I use DirectoryEntry and DirectorySearcher to find and filter on the SAMAccountName. After that it depends on your application and what you are trying to find.

But most of these are inside the System.DirectoryServices namespace.

```csharp
using System;
using System.DirectoryServices;
public class LdapAuthentication
{
    private string _path;            // LDAP path; updated to the user's own entry after a successful search
    private string _filterAttribute; // the authenticated user's CN
    public LdapAuthentication(string path)
    {
        _path = path;
    }
    // Escape LDAP filter metacharacters (RFC 4515) so caller-supplied input cannot change the query.
    private static string EscapeFilter(string value)
    {
        return value.Replace(@"\", @"\5c").Replace("*", @"\2a")
                    .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
    }
    public bool IsAuthenticated(string domain, string username, string pwd)
    {
        // The DirectoryEntry is created with the credentials being validated, not a fixed service account.
        DirectoryEntry entry = new DirectoryEntry(_path, domain + @"\" + username, pwd);
        try
        {   // Bind to the native AdsObject to force authentication.
            Object obj = entry.NativeObject;
            DirectorySearcher search = new DirectorySearcher(entry);
            search.Filter = "(SAMAccountName=" + EscapeFilter(username) + ")";
            search.PropertiesToLoad.Add("cn");
            SearchResult result = search.FindOne();
            if (null == result)
            {
                return false;
            }
            // Update the new path to the user in the directory.
            _path = result.Path;
            _filterAttribute = (String)result.Properties["cn"][0];
        }
        catch (Exception ex)
        {
            throw new Exception("Error authenticating user. " + ex.Message, ex);
        }
        return true;
    }
}
```

This should give you enough to start searching and get what you need. Good luck!

JPK

Internally the PrincipalContext.ValidateCredentials method will simply make a call to the LdapConnection.Bind method using the provided network credentials to check if they are valid or not. If the binding succeeds ValidateCredentials returns true, otherwise it returns false.

Since the LdapConnection.Bind method is decorated with the following attribute:

[DirectoryServicesPermissionAttribute(SecurityAction.LinkDemand, Unrestricted = true)]

The identity of your application (the user account who is running the process and/or currently impersonated) will have to pass this permission check in order to make the PrincipalContext.ValidateCredentials method work.

Thomas C. G. de Vilhena
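The pattern from the question (bind the context with one account, validate a second user's credentials) next to the LdapConnection.Bind call that the answer above says ValidateCredentials makes internally. This is an added example, not code from the question or either answer; the class name AdCredentialCheck and all parameter names are my own, and the domain/account values are whatever the caller supplies.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.DirectoryServices.Protocols;
using System.Net;

public static class AdCredentialCheck
{
    // Bind the context with the application's own (low-privileged) account, then
    // validate a different user's credentials. ValidateCredentials opens its own
    // connection and binds as that user, so the application account needs no
    // special AD rights; it only has to be a valid, enabled account.
    public static bool ValidateViaPrincipalContext(
        string domain, string svcUser, string svcPassword, string user, string password)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain, svcUser, svcPassword))
        {
            // Negotiate + Sealing + Signing: Kerberos/NTLM bind over an encrypted,
            // integrity-protected channel. A SimpleBind would send the password in
            // clear text unless SecureSocketLayer is also set.
            const ContextOptions opts =
                ContextOptions.Negotiate | ContextOptions.Sealing | ContextOptions.Signing;
            return ctx.ValidateCredentials(user, password, opts);
        }
    }

    // The same check done directly with LdapConnection.Bind: a successful bind
    // means the credentials are valid, a failed bind throws LdapException.
    public static bool ValidateViaLdapBind(string domain, string user, string password)
    {
        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(domain)))
        {
            conn.SessionOptions.Sealing = true;   // encrypt the session
            conn.SessionOptions.Signing = true;   // integrity-protect the session
            conn.AuthType = AuthType.Negotiate;
            try
            {
                conn.Bind(new NetworkCredential(user, password, domain));
                return true;
            }
            catch (LdapException)
            {
                return false; // wrong password, disabled or locked-out account, etc.
            }
        }
    }
}
```

Both methods count as a logon attempt for the validated user, so repeated failures feed the domain's lockout policy like any other bad password.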