
I need a way to validate a user/password pair for native C++ on Windows. Input is user and password; user can be in DOMAIN\user format.

Basically I need to write a function that: if user/password is a valid local account, returns true (part 1); if user/password is valid on the domain given, returns true also (part 2); else returns false.

Using KB180548 I solved (part 1) (but I had to also check if the user name is a valid user, because it fails for users with blank passwords - ugly workaround but it works).

However, for any domain besides ".", the above KB sample code works (incorrectly) for any user/pass pair.

I've tried using ldap_bind_s, but it succeeds for incorrect user/pass pairs (the dreaded Guest account?). Also, for the "." domain, it fails for valid user/passwords with LDAP_SERVER_DOWN (maybe because the local host is not a domain controller?).

Maybe some of these notions are unclear to me. I hope at least my problem is explained clearly. I'm not stuck on any method, as long as it can be implemented in just native C++ code.

This question, C#: How to validate domain credentials?, seems to have it figured out (except there is no accepted answer). Alas, it is in C#.

Edit: Come on, Stack Overflow, you've never let me down before...

user581243
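The check the question describes, built on the same LogonUser call that the KB180548 sample uses, as an added example that is not part of the original post or its answers. Two details matter for a correct verdict: LogonUser wants the domain and user as separate arguments (with "." for the local SAM and a NULL domain for user@domain UPN input), and a failure must be read from GetLastError rather than collapsed to "false". ERROR_LOGON_FAILURE (1326) means the user or password is wrong; ERROR_ACCOUNT_RESTRICTION (1327) means the password was not rejected but a policy blocks the logon, which is what a local account with a blank password produces when "Limit local account use of blank passwords to console logon only" is enabled (the default); ERROR_NO_LOGON_SERVERS (1311) means no domain controller answered, which is an error condition, not a verdict. The account names and passwords in the comments are constructed for illustration; the Win32 call is compiled only on Windows, while the DOMAIN\user parsing is portable.

```cpp
// Added example (not from the original post): a LogonUser-based check of a
// user/password pair, with the DOMAIN\user parsing the call needs done as a
// separate, portable step. Account names, domains and passwords below are
// constructed for illustration.
#include <string>

#ifdef _WIN32
#define NOMINMAX
#include <windows.h>
#endif

// How LogonUser wants the account split up.
struct Account {
    std::wstring domain;  // L"." = local SAM database; empty when upn is true
    std::wstring user;    // bare name, or the full UPN when upn is true
    bool upn;             // user@domain form: pass it whole as lpszUsername, lpszDomain = NULL
};

// Split the question's input formats into (domain, user):
//   "DOMAIN\user"       -> domain "DOMAIN", user "user"
//   ".\user", "\user",
//   "user"              -> domain ".", user "user"   (local account, the question's part 1)
//   "user@domain.tld"   -> UPN, domain left empty and passed as NULL
Account ParseAccount(const std::wstring& input) {
    Account a{};
    const size_t slash = input.find(L'\\');
    if (slash != std::wstring::npos) {
        a.domain = input.substr(0, slash);
        a.user = input.substr(slash + 1);
        if (a.domain.empty()) a.domain = L".";
        a.upn = false;
    } else if (input.find(L'@') != std::wstring::npos) {
        a.user = input;
        a.upn = true;
    } else {
        a.domain = L".";
        a.user = input;
        a.upn = false;
    }
    return a;
}

// Outcome of the check. Only Valid should be treated as "credentials are good".
enum class Verdict {
    Valid,       // LogonUser succeeded
    Invalid,     // ERROR_LOGON_FAILURE (1326): unknown user or wrong password
    Restricted,  // ERROR_ACCOUNT_RESTRICTION (1327): password not rejected, but a policy
                 // forbids this logon; the usual cause is a blank local password with
                 // "Limit local account use of blank passwords to console logon only" on
    Error        // anything else, e.g. ERROR_NO_LOGON_SERVERS (1311): no DC reachable
};

struct CheckResult {
    Verdict verdict;
    unsigned long win32Error;  // GetLastError() value for logging; 0 on success
};

const char* DescribeVerdict(Verdict v) {
    switch (v) {
        case Verdict::Valid:      return "valid";
        case Verdict::Invalid:    return "invalid user or password";
        case Verdict::Restricted: return "password not rejected, but logon blocked by policy";
        default:                  return "could not validate";
    }
}

#ifdef _WIN32
// The check itself. A network logon is the cheapest logon type (no profile is
// loaded) and is all that is needed to test a password. The token is closed
// immediately: the point is the verdict, not impersonation.
CheckResult ValidateCredentials(const std::wstring& account, const std::wstring& password) {
    const Account a = ParseAccount(account);
    HANDLE token = nullptr;
    const BOOL ok = LogonUserW(a.user.c_str(),
                               a.upn ? nullptr : a.domain.c_str(),
                               password.c_str(),
                               LOGON32_LOGON_NETWORK,
                               LOGON32_PROVIDER_DEFAULT,
                               &token);
    if (ok) {
        CloseHandle(token);
        return {Verdict::Valid, 0};
    }
    const DWORD err = GetLastError();
    switch (err) {
        case ERROR_LOGON_FAILURE:       return {Verdict::Invalid, err};
        case ERROR_ACCOUNT_RESTRICTION: return {Verdict::Restricted, err};
        default:                        return {Verdict::Error, err};
    }
}
// Usage (Windows only), for the question's two cases:
//   ValidateCredentials(L"alice", L"s3cret")          // local account
//   ValidateCredentials(L"CORP\\alice", L"s3cret")    // domain account
#endif
```

Returning a verdict instead of a bare bool keeps the blank-password case visible: a caller that wants the question's true/false can test `verdict == Verdict::Valid`, but the Restricted and Error cases are logged separately instead of being silently counted as wrong passwords. If an LDAP-based check is tried instead, note that a simple bind with an empty password is treated by the server as an anonymous bind and succeeds, so empty passwords must be rejected before binding.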

2 Answers


An old piece of code, I'm not able to test, so given as is:

//---------------------------------------------------------
// quick ADSI sample - binding to a user 
//---------------------------------------------------------

//---------------------------------------------------------
// should use unicode - saves a lot of conversion work;
// both macros must be defined before any Windows header
//---------------------------------------------------------
#define UNICODE
#define _UNICODE

//---------------------------------------------------------
// libraries needed to use ADSI
//---------------------------------------------------------
#pragma comment( lib, "Activeds.lib" )
#pragma comment( lib, "Adsiid.lib" )

//---------------------------------------------------------
// Windows/COM and ADSI headers
//---------------------------------------------------------
#include <windows.h>
#include <stdio.h>
#include <activeds.h>

int wmain( int argc, wchar_t *argv[] )
{
  //-----------------------------------------------------
  // HRESULT hr is the return code value from all ADSI
  // calls - using the SUCCEEDED / FAILED macros to check
  // for success
  //-----------------------------------------------------
  HRESULT hr;

  //-----------------------------------------------------
  // pointer to our IADsUser object
  //-----------------------------------------------------
  IADsUser *pUser = NULL;

  //-----------------------------------------------------
  // path to the user we are going to try to bind to
  // make sure you replace this with something
  // specific to your environment
  // Form : WinNT://<domain name>/<object name>,<object class>
  //-----------------------------------------------------
  LPCWSTR pszADsPath = L"WinNT://yourdomain/object name,user";
  // 
  // See available forms :
  // http://msdn.microsoft.com/en-us/library/aa746534(v=VS.85).aspx

  //-----------------------------------------------------
  // initialize the COM subsystem before doing any work
  //-----------------------------------------------------
  hr = CoInitialize(NULL);
  if ( FAILED(hr) )
  {
    wprintf(L"CoInitialize failed: 0x%08lX\n", (unsigned long)hr);
    return 1;
  }

  //-----------------------------------------------------
  // try to get the user
  // ADsGetObject binds with the security context of the
  // calling thread; to bind with an explicit user name
  // and password use ADsOpenObject instead
  // http://msdn.microsoft.com/en-us/library/aa772184(v=VS.85).aspx
  //-----------------------------------------------------
  hr = ADsGetObject(pszADsPath, IID_IADsUser, (void**)&pUser);

  if ( SUCCEEDED(hr) )
  {
    wprintf(L"Bound to %s\n", pszADsPath);
    pUser->Release();
    pUser = NULL;
  }
  else
  {
    // ADSI error codes:
    // http://msdn.microsoft.com/en-us/library/aa772195(v=VS.85).aspx
    wprintf(L"ADsGetObject failed: 0x%08lX\n", (unsigned long)hr);
  }

  //-----------------------------------------------------
  // kill the COM subsystem we were using
  //-----------------------------------------------------
  CoUninitialize();

  return SUCCEEDED(hr) ? 0 : 1;
}
JPBlanc

If by the "." domain you mean that domains which aren't "trusted" with the domain the code is running from fail, then that is by design.

Several years ago, Microsoft's best answer to this when we used a support ticket was to use WNetUseConnection().

SonicBison
  • I think this is the closest answer. I found that on a PC joined to the domain my code worked. On test PCs (connected with VPN to the same LAN as the domain controller) the code failed. – user581243 May 23 '11 at 09:35