I am building a website that lets users log in with their Active Directory accounts, and I want to inform the user why their login failed.
The Background
Logins will usually fail due to a Bad Username/Password, but they can also fail due to an Expired Password or their account being Locked Out.
I am using this code to perform the login:
using System;
using System.DirectoryServices;

public myCustomUserClass Login(string domainName, string username, string password)
{
    string domainAndUsername = domainName + @"\" + username;
    // Credentials are passed to the DirectoryEntry; nothing is sent until the bind below.
    using (DirectoryEntry entry = new DirectoryEntry(this._ldapPath, domainAndUsername, password))
    {
        myCustomUserClass user = new myCustomUserClass();
        //Bind to the native AdsObject to force authentication.
        try
        {
            object obj = entry.NativeObject;
            // ...
            return user;
        }
        catch (DirectoryServicesCOMException ex)
        {
            // why did the login fail? ex.ExtendedErrorMessage carries the server's detail
            return null;
        }
        catch (Exception ex)
        {
            // something else went wrong (network, bad LDAP path, ...)
            return null;
        }
    }
}
When I receive a DirectoryServicesCOMException, I can access more information about the failed login attempt within the .ExtendedErrorMessage property. Two values that I have seen so far are:
Lockout:
8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 775, v1db1
Bad Username:
8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1
You can see that the data "attribute" seems to be unique. I can write code that extracts it, then write a switch based off of this.
The Question
Is there a list of these codes anywhere that I can use to make sure that I'm covering everything?
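The extraction-and-switch step described in the question, as an added example that is not code from the original post. It pulls the hex value after "data" out of ExtendedErrorMessage and maps it to a reason. The two codes shown in the question (775 and 52e) are on the page; the remaining entries in the table are the other AcceptSecurityContext sub-codes that Active Directory is documented to return for a failed simple bind (525, 530, 531, 532, 533, 701, 773). The enum and class names are my own.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text.RegularExpressions;

// Added example: classify an AD bind failure from the "data NNN" sub-code.
// Enum and class names are assumptions, not part of the original question.
public enum LoginFailureReason
{
    Unknown,
    UserNotFound,              // 525
    InvalidCredentials,        // 52e (from the question)
    NotPermittedAtThisTime,    // 530
    NotPermittedAtWorkstation, // 531
    PasswordExpired,           // 532
    AccountDisabled,           // 533
    AccountExpired,            // 701
    PasswordMustChange,        // 773
    AccountLockedOut           // 775 (from the question)
}

public static class AdLoginErrorParser
{
    // Message shape: "8009030C: LdapErr: DSID-..., comment: AcceptSecurityContext error, data 775, v1db1"
    // Anchoring on the literal word "data" keeps the hex runs in DSID-... and v1db1 from matching.
    private static readonly Regex DataCode =
        new Regex(@"\bdata\s+([0-9a-fA-F]+)\b", RegexOptions.Compiled);

    private static readonly Dictionary<string, LoginFailureReason> KnownCodes =
        new Dictionary<string, LoginFailureReason>(StringComparer.OrdinalIgnoreCase)
        {
            { "525", LoginFailureReason.UserNotFound },
            { "52e", LoginFailureReason.InvalidCredentials },
            { "530", LoginFailureReason.NotPermittedAtThisTime },
            { "531", LoginFailureReason.NotPermittedAtWorkstation },
            { "532", LoginFailureReason.PasswordExpired },
            { "533", LoginFailureReason.AccountDisabled },
            { "701", LoginFailureReason.AccountExpired },
            { "773", LoginFailureReason.PasswordMustChange },
            { "775", LoginFailureReason.AccountLockedOut },
        };

    // Returns the sub-code in lower case, or null when the message carries none
    // (e.g. a non-AD LDAP server, or an exception that is not a bind failure).
    public static string ExtractDataCode(string extendedErrorMessage)
    {
        if (string.IsNullOrEmpty(extendedErrorMessage)) return null;
        Match m = DataCode.Match(extendedErrorMessage);
        return m.Success ? m.Groups[1].Value.ToLowerInvariant() : null;
    }

    public static LoginFailureReason Classify(string extendedErrorMessage)
    {
        string code = ExtractDataCode(extendedErrorMessage);
        LoginFailureReason reason;
        if (code != null && KnownCodes.TryGetValue(code, out reason)) return reason;
        return LoginFailureReason.Unknown; // unmapped code: log the raw message for investigation
    }

    // Overload for use directly inside the catch block shown in the question.
    public static LoginFailureReason Classify(DirectoryServicesCOMException ex)
    {
        return Classify(ex.ExtendedErrorMessage);
    }
}

public static class Demo
{
    public static void Main()
    {
        // The two messages quoted in the question.
        string lockout = "8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 775, v1db1";
        string badCred = "8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1";
        Console.WriteLine(AdLoginErrorParser.Classify(lockout)); // AccountLockedOut
        Console.WriteLine(AdLoginErrorParser.Classify(badCred)); // InvalidCredentials
        Console.WriteLine(AdLoginErrorParser.Classify("no data field here")); // Unknown
    }
}
```

In the catch block, `AdLoginErrorParser.Classify(ex)` gives the switch value. Two design notes: the sub-codes are only present when the bind was answered by Active Directory, so keep the Unknown branch and log the full ExtendedErrorMessage server-side rather than assuming a code is always there; and 525 (user not found) and 52e (wrong password) are usually shown to the end user as the same generic "invalid username or password" message, since telling the two apart reveals which usernames exist, while 532, 773 and 775 are safe and useful to report as "password expired", "password must be changed" and "account locked".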