
[ There are a number of related posts, but none seem to explain what is going on ]

I am finding strange behavior with PrincipalContext.ValidateCredentials. The basic question is "what should the username be?"

  • user@domain (user principal name)
  • domain\user (down level name)
  • user (samAccountName)

For a while I was using the UserPrincipalName. Then I discovered that if the user has a UPN suffix (user@xyz.com where xyz.com is a UPN suffix in the domain), ValidateCredentials failed.

Since I had a UserPrincipal, I just changed the code to pass in the SamAccountName. The SamAccountName is globally unique in the domain, so this worked fine regardless of the UserPrincipalName.

But now, I see that if the ContextOptions.SimpleBind is used, the use of the SamAccountName no longer works.

According to the documentation of the function: The userName argument must take the form username (for example, mcampbell) rather than domain\username or username@domain.

Can anyone explain this behavior? What is really the "correct" way to validate a user/password given a UserPrincipal and a password?

Kiquenet
mlg
    I should point out that the issue with passing in a UPN name only occurs when the process calling ValidateCredentials is running as a service on a machine in a different domain than the user. So if I pass in a PrincipalName and am not running as 'local system' ... it is fine. – mlg Mar 15 '18 at 13:16
  • Possible duplicate of [Validate a username and password against Active Directory?](https://stackoverflow.com/questions/290548/validate-a-username-and-password-against-active-directory) – Am_I_Helpful Mar 16 '18 at 15:42
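The following is an added example, not code from the question or its comments, showing the two name forms a practitioner would hand to ValidateCredentials for the two bind mechanisms the question compares. The post itself supports only that SamAccountName works with the default (Negotiate) options and fails with ContextOptions.SimpleBind; the choice of the distinguished name for the simple-bind case is an assumption based on how an LDAP simple bind works (the server resolves the bind name itself, so it needs a DN rather than a bare samAccountName), and SecureSocketLayer is added because a simple bind otherwise transmits the password in clear text. It needs a reachable domain to run; nothing here is executed offline.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Added example (not from the Stack Overflow post). Validates a password for a
// user that was already looked up as a UserPrincipal, picking the user-name form
// that fits the bind mechanism.
public static class CredentialCheck
{
    // Default options (Negotiate: Kerberos/NTLM). The question reports that the
    // bare SamAccountName works here, including where a UPN with a non-default
    // suffix did not when the caller ran as Local System in another domain.
    public static bool ValidateWithNegotiate(UserPrincipal user, string password)
    {
        // ValidateCredentials opens its own connection with the supplied
        // credentials; it does not re-bind the context the principal came from.
        return user.Context.ValidateCredentials(user.SamAccountName, password);
    }

    // Simple bind is a plain LDAP bind, so (assumption, not from the post) the
    // name must be one the directory resolves directly: the object's DN.
    // A simple bind sends the password in clear text, so require TLS as well.
    public static bool ValidateWithSimpleBind(UserPrincipal user, string password)
    {
        return user.Context.ValidateCredentials(
            user.DistinguishedName,
            password,
            ContextOptions.SimpleBind | ContextOptions.SecureSocketLayer);
    }

    // Illustrative lookup; "corp.example" and "jdoe" are placeholders.
    public static void Demo(string password)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, "corp.example"))
        {
            UserPrincipal user = UserPrincipal.FindByIdentity(
                ctx, IdentityType.SamAccountName, "jdoe");
            if (user == null)
            {
                Console.WriteLine("user not found");
                return;
            }
            Console.WriteLine("negotiate: " + ValidateWithNegotiate(user, password));
            Console.WriteLine("simple bind over TLS: " + ValidateWithSimpleBind(user, password));
        }
    }
}
```

Keep the two paths separate rather than falling back from one to the other on failure: a fallback would turn one bad password into several failed logons for the same account and can trip lockout policies, and it blurs which mechanism actually authenticated the user.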

0 Answers