
I want to know if there's a way to validate domain credentials and make sure we don't use the cached domain credentials.

I use this to validate the credentials:

// Requires: using System.DirectoryServices.AccountManagement;
bool valid = false;
using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
{
    // true if the domain accepts this username/password pair
    valid = context.ValidateCredentials(username, password);
}

The problem is that when I change the password, the old password still works.

EDIT: If you force the password to be reset, the cached domain credentials will not be used. But between the moment we force the reset and the moment the user resets the password, the old password will still work.

Vinc 웃

2 Answers

This question already has an answer: Why does Active Directory validate last password?

The solution is to use Kerberos authentication.

The following code shows how you can perform credential validation using only Kerberos. The authentication method in use will not fall back to NTLM in the event of failure.

// Requires: using System.Net; using System.DirectoryServices.Protocols;
private const int ERROR_LOGON_FAILURE = 0x31; // LDAP result code 49: invalidCredentials

private bool ValidateCredentials(string username, string password, string domain)
{
    NetworkCredential credentials
        = new NetworkCredential(username, password, domain);

    LdapDirectoryIdentifier id = new LdapDirectoryIdentifier(domain);

    // AuthType.Kerberos: the bind uses Kerberos only and does not fall back to NTLM.
    using (LdapConnection connection = new LdapConnection(id, credentials, AuthType.Kerberos))
    {
        connection.SessionOptions.Sealing = true;
        connection.SessionOptions.Signing = true;

        try
        {
            connection.Bind();
        }
        catch (LdapException lEx)
        {
            // Wrong username/password: report invalid instead of throwing.
            if (ERROR_LOGON_FAILURE == lEx.ErrorCode)
            {
                return false;
            }

            // Anything else (server unreachable, etc.) is a real error.
            throw;
        }
    }

    return true;
}
JJS

You might try something like this:

// Requires: using System.DirectoryServices;
// Method wrapper added so the snippet compiles; the original showed only the body.
private bool ValidateCredentials(string ldapPath, string userName, string password)
{
    try
    {
        using (var directoryEntry = new DirectoryEntry(ldapPath, userName, password))
        {
            // Reading NativeObject forces the bind; it throws if the credentials are rejected.
            var invocation = directoryEntry.NativeObject;
            return true;
        }
    }
    catch (Exception ex)
    {
        return false;
    }
}
Miniver Cheevy
  • Could you use a combination of that and a separate check to see if "user must change password at next logon" is set? Until they change the password, the old password is still their password. The must-change-password check is a little convoluted, as detailed here: http://webactivedirectory.com/active-directory/check-user-must-change-password-at-next-logon-flag-in-active-directory/ – Miniver Cheevy Apr 28 '15 at 16:06
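Added example, not code from either answer or the comment: it combines the Kerberos-only LdapConnection bind from the first answer with the separate "user must change password at next logon" check suggested in the comment, read from the user's pwdLastSet attribute (Active Directory stores the flag as pwdLastSet = 0). It assumes the process identity can read pwdLastSet, that username is a sAMAccountName, and that the domain's DNS name maps directly onto its DN; it reports both facts and leaves the accept/reject policy to the caller.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Added example, not code from the thread. Assumes the process identity can
// read pwdLastSet and that username is a sAMAccountName (no UPN handling).
public struct StrictCheckResult
{
    public bool PasswordAccepted;     // Kerberos bind as the user succeeded
    public bool MustChangePassword;   // pwdLastSet == 0 on the user object
}
public static class StrictCredentialCheck
{
    private const int ErrorLogonFailure = 0x31; // LDAP result 49: invalidCredentials
    public static StrictCheckResult Check(string domain, string username, string password)
    {
        var result = new StrictCheckResult();
        var server = new LdapDirectoryIdentifier(domain);
        // Separate check with the application's own identity: a pwdLastSet of 0 is
        // how AD stores "user must change password at next logon".
        using (var admin = new LdapConnection(server, null, AuthType.Kerberos))
        {
            admin.Bind(); // null credential = current process identity
            string baseDn = "DC=" + domain.Replace(".", ",DC="); // assumption: DNS name maps to DN
            string filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(username) + "))";
            var req = new SearchRequest(baseDn, filter, SearchScope.Subtree, "pwdLastSet");
            var resp = (SearchResponse)admin.SendRequest(req);
            if (resp.Entries.Count == 1)
            {
                var attr = resp.Entries[0].Attributes["pwdLastSet"];
                result.MustChangePassword = attr != null && attr.Count > 0 && (string)attr[0] == "0";
            }
        }
        // Kerberos-only bind as the user: no NTLM fallback (the first answer's point).
        var creds = new NetworkCredential(username, password, domain);
        using (var user = new LdapConnection(server, creds, AuthType.Kerberos))
        {
            user.SessionOptions.Sealing = true;
            user.SessionOptions.Signing = true;
            try { user.Bind(); result.PasswordAccepted = true; }
            catch (LdapException ex) when (ex.ErrorCode == ErrorLogonFailure) { result.PasswordAccepted = false; }
        }
        return result;
    }
    // Escape RFC 4515 filter metacharacters so the username cannot alter the query.
    private static string EscapeFilterValue(string v) => v.Replace("\\", "\\5c")
        .Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
}
```

A caller would normally treat only PasswordAccepted && !MustChangePassword as a completed logon; any other combination is surfaced to the caller so wrong-password and must-change cases can be handled by its own policy.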