
I'm trying to validate an AD user using the following code:

// Requires: using System.DirectoryServices;
// AuthenticationTypes.Secure is the default, so this bind uses Kerberos and possibly NTLM.
using (var de = new DirectoryEntry($"LDAP://{domainTxt.Text}", usernameTxt.Text, passwordTxt.Text))
{
    var nO = de.NativeObject; // forces the bind; throws if the credentials are rejected
}

When calling de.NativeObject with an incorrect password, the bad password attempt count increases by 2 instead of 1.

Using this PowerShell script to check the count:

C:\Users\administrator> Get-ADUser -Filter {userprincipalname -eq "x@y.z"} -Properties badPwdCount

I found out that the reason for this is that DirectoryEntry uses AuthenticationTypes.Secure by default, which is fair enough; that's what I need, actually. If I change it to anything else, the bad password count increases by one as expected.

Does anyone know how I can get around this issue?

Igor Meszaros

1 Answer


I don't know for sure why, but the documentation for AuthenticationTypes.Secure says:

Active Directory Domain Services uses Kerberos, and possibly NTLM, to authenticate the client.

That could mean that when one method fails for whatever reason, it tries again with the other. You might be able to see this by monitoring network traffic with something like Wireshark.

A way to work around this might be to use LdapConnection to validate the credentials (if that's all you need the connection to LDAP for). There's a good example of that in another answer here. It has the added benefit of telling you why the validation failed.

Gabriel Luci
  • Thank you for your answer. Unfortunately my problem with this solution is that, as far as I can tell, LdapConnection is not secure unless I use SSL, which I could also do with DirectoryEntry (and it wouldn't increase the bad password count by 2). Using an SSL certificate might not be viable for me in all cases. – Igor Meszaros Oct 08 '19 at 10:40
  • You can specify the [`AuthType`](https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.protocols.ldapconnection.authtype?view=netframework-4.8) with `LdapConnection`, just like you can with `DirectoryEntry`, but with the added benefit that you can choose Kerberos *or* NTLM specifically (both of which do not send plain-text passwords), without having it automatically fail over to the other if you don't want it to. – Gabriel Luci Oct 08 '19 at 12:17
  • Unfortunately if I use AuthType.Negotiate I have the same issue, so it seems like having to set it to Kerberos will have to do. Thanks. – Igor Meszaros Oct 09 '19 at 09:12
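The approach the answer and comments converge on, written out as an added example (this is not code from the question, the answer, or the linked answer): bind once with `LdapConnection` pinned to `AuthType.Kerberos`, so there is no NTLM retry to double `badPwdCount`, protect the session with Kerberos signing and sealing instead of LDAPS, and translate the failure into a reason. It assumes the domain name resolves to a DC with a reachable KDC on port 389, a user given in UPN form, and that the `"data NNN"` sub-codes in `ServerErrorMessage` are the usual AD ones; the domain, user and password literals in `Main` are placeholders.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Added example, not from the original post. Validates AD credentials with a single
// Kerberos bind (one badPwdCount increment on failure) and reports why a bind failed.
static class AdCredentialCheck
{
    // Well-known AD sub-codes that appear as "data NNN" in the DC's
    // AcceptSecurityContext error text for LDAP result 49 (invalidCredentials).
    static readonly (string Code, string Reason)[] SubCodes =
    {
        ("525", "user not found"),
        ("52e", "invalid credentials"),
        ("530", "not permitted to log on at this time"),
        ("531", "not permitted to log on at this workstation"),
        ("532", "password expired"),
        ("533", "account disabled"),
        ("701", "account expired"),
        ("773", "user must reset password"),
        ("775", "account locked out"),
    };

    // Returns null when the bind succeeds; otherwise a short failure reason.
    public static string Validate(string domain, string userPrincipalName, string password)
    {
        var server = new LdapDirectoryIdentifier(domain, 389);
        using (var conn = new LdapConnection(server))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            // Kerberos only: unlike Secure/Negotiate there is no NTLM retry after a
            // failed ticket request, so a wrong password is counted once.
            conn.AuthType = AuthType.Kerberos;
            // Integrity and confidentiality from the Kerberos session key, no LDAPS needed.
            conn.SessionOptions.Signing = true;
            conn.SessionOptions.Sealing = true;
            conn.Credential = new NetworkCredential(userPrincipalName, password);

            try
            {
                conn.Bind();
                return null;
            }
            catch (LdapException ex)
            {
                return Describe(ex);
            }
        }
    }

    static string Describe(LdapException ex)
    {
        // ServerErrorMessage is only populated when the DC itself rejected the bind
        // (e.g. "... AcceptSecurityContext error, data 52e, v4563"). A Kerberos
        // pre-authentication failure can surface client-side with no sub-code, in
        // which case only the LDAP error code and message are available.
        var msg = ex.ServerErrorMessage ?? string.Empty;
        foreach (var (code, reason) in SubCodes)
        {
            if (msg.IndexOf("data " + code, StringComparison.OrdinalIgnoreCase) >= 0)
                return reason;
        }
        return $"bind failed (LDAP error {ex.ErrorCode}): {ex.Message}";
    }

    static void Main()
    {
        // Placeholder values; replace with a real domain and account to run this.
        var result = Validate("y.z", "x@y.z", "not-the-real-password");
        Console.WriteLine(result ?? "credentials OK");
    }
}
```

After each failed call, `Get-ADUser -Filter {userprincipalname -eq "x@y.z"} -Properties badPwdCount` should show the count rising by one, which is the check the question used to spot the doubling. Kerberos also means the bind never falls back if the KDC is unreachable: the call fails closed rather than silently downgrading, so treat a non-49 error as "could not validate" instead of "bad password".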