Validate a username and password against Active Directory?

How can I validate a username and password against Active Directory? I simply want to check if a username and password are correct.


If you work on .NET 3.5 or newer, you can use the System.DirectoryServices.AccountManagement namespace and easily verify your credentials:

    using System.DirectoryServices.AccountManagement;

    // create a "principal context" - e.g. your domain (could be machine, too)
    using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "YOURDOMAIN"))
    {
        // validate the credentials
        bool isValid = pc.ValidateCredentials("myuser", "mypassword");
    }

It's simple, it's reliable, it's 100% C# managed code on your end - what more can you ask for? :-)

Read all about it here:

  • Managing Directory Security Principals in the .NET Framework 3.5
  • MSDN docs on System.DirectoryServices.AccountManagement

Update:

As outlined in this other SO question (and its answers), there is an issue with this call possibly returning True for old passwords of a user. Just be aware of this behavior and don't be too surprised if this happens :-) (thanks to @MikeGledhill for pointing this out!)
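ValidateCredentials only answers true or false. The following is an added example (not part of the answer above) that requests a signed and sealed Negotiate bind and, when the password is rejected, reads the account object to tell a locked or disabled account apart from a plain bad password. The domain name and the Outcome enum are assumptions for the illustration.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

static class DomainLogonCheck
{
    // Hypothetical result type for this example.
    public enum Outcome { Authenticated, BadCredentials, AccountDisabled, AccountLockedOut, UserNotFound }

    // Validates the password and, when it is rejected, reports why by inspecting the
    // account. domainName is a placeholder for your domain's NetBIOS or DNS name.
    public static Outcome Check(string domainName, string userName, string password)
    {
        using (var pc = new PrincipalContext(ContextType.Domain, domainName))
        {
            // Negotiate + Sealing + Signing: Kerberos/NTLM over an encrypted, integrity-
            // protected channel rather than a simple bind that carries the password in clear.
            const ContextOptions opts =
                ContextOptions.Negotiate | ContextOptions.Sealing | ContextOptions.Signing;

            if (pc.ValidateCredentials(userName, password, opts))
                return Outcome.Authenticated;

            // The lookup below runs under the process's own identity, because this
            // PrincipalContext was created without explicit credentials.
            using (var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, userName))
            {
                if (user == null) return Outcome.UserNotFound;
                if (user.Enabled == false) return Outcome.AccountDisabled;
                if (user.IsAccountLockedOut()) return Outcome.AccountLockedOut;
                return Outcome.BadCredentials;
            }
        }
    }

    static void Main()
    {
        // Placeholder values; replace with a real domain and account to run.
        Console.WriteLine(Check("YOURDOMAIN", "myuser", "mypassword"));
    }
}
```

Log the specific Outcome server-side; the message shown to the end user should stay generic ("user name or password incorrect"), so that the login form does not reveal which accounts exist or are locked.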


We do this on our Intranet.

You have to use System.DirectoryServices.

Here are the guts of the code:

    using System;
    using System.DirectoryServices;

    // Binds to the directory with the supplied credentials and looks the account up
    // by sAMAccountName. The bind done by DirectoryEntry is what authenticates the
    // user; the search simply forces the bind to happen.
    static bool AuthenticateUser(string path, string strAccountId, string strPassword,
                                 out string strAuthenticatedBy, out string strError)
    {
        bool bSucceeded = false;
        strAuthenticatedBy = null;
        strError = null;

        using (DirectoryEntry adsEntry = new DirectoryEntry(path, strAccountId, strPassword))
        {
            using (DirectorySearcher adsSearcher = new DirectorySearcher(adsEntry))
            {
                //adsSearcher.Filter = "(&(objectClass=user)(objectCategory=person))";
                // Note: strAccountId goes into the filter unescaped; the characters
                // ( ) * \ and NUL must be escaped in LDAP filter values (RFC 4515).
                adsSearcher.Filter = "(sAMAccountName=" + strAccountId + ")";

                try
                {
                    SearchResult adsSearchResult = adsSearcher.FindOne();
                    bSucceeded = true;

                    strAuthenticatedBy = "Active Directory";
                    strError = "User has been authenticated by Active Directory.";
                }
                catch (Exception ex)
                {
                    // Failed to authenticate. Most likely it is caused by unknown user
                    // id or bad strPassword.
                    strError = ex.Message;
                }
                finally
                {
                    adsEntry.Close();
                }
            }
        }

        return bSucceeded;
    }
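The account id in the answer above is concatenated straight into the LDAP filter. As an added example (not the answer's own code), here is the same DirectoryEntry/DirectorySearcher approach with the filter value escaped per RFC 4515 and with a secure bind requested; the LDAP path is a placeholder and EscapeFilterValue is a helper written for this illustration.

```csharp
using System;
using System.DirectoryServices;
using System.Text;

static class AdCheck
{
    // Escapes a value for use inside an LDAP search filter (RFC 4515, section 3).
    // Without this, an account name such as "*)(objectClass=*" would change the
    // meaning of the filter instead of being matched literally.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // Returns true when the bind with the supplied credentials succeeds and the
    // account exists. ldapPath is a placeholder such as "LDAP://DC=example,DC=com";
    // accountId is the bare sAMAccountName (no domain prefix).
    public static bool Validate(string ldapPath, string accountId, string password, out string error)
    {
        error = null;
        try
        {
            // AuthenticationTypes.Secure asks for Kerberos/NTLM rather than a simple
            // bind, so the password is not sent in the clear.
            using (var entry = new DirectoryEntry(ldapPath, accountId, password, AuthenticationTypes.Secure))
            using (var searcher = new DirectorySearcher(entry))
            {
                searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                                  + EscapeFilterValue(accountId) + "))";
                searcher.PropertiesToLoad.Add("sAMAccountName");
                return searcher.FindOne() != null;
            }
        }
        catch (DirectoryServicesCOMException ex)
        {
            // Raised when the bind is rejected (bad password, unknown user, disabled account, ...).
            error = ex.Message;
            return false;
        }
    }

    static void Main()
    {
        string error;
        // Placeholder values; replace with a real path and account to run.
        bool ok = Validate("LDAP://DC=example,DC=com", "myuser", "mypassword", out error);
        Console.WriteLine(ok ? "authenticated" : "rejected: " + error);
    }
}
```

Because the bind runs as the user being checked, the search can only return what that user is already allowed to read, but escaping still matters: it keeps a crafted account name from turning the equality match into a wildcard or a different filter.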
    

Several solutions presented here lack the ability to differentiate between a wrong user / password, and a password that needs to be changed. That can be done in the following way:

    using System;
    using System.DirectoryServices.Protocols;
    using System.Net;

    namespace ProtocolTest
    {
        class Program
        {
            static void Main(string[] args)
            {
                try
                {
                    // LdapConnection is IDisposable; release it once the bind attempt is over.
                    using (LdapConnection connection = new LdapConnection("ldap.fabrikam.com"))
                    {
                        NetworkCredential credential = new NetworkCredential("user", "password");
                        connection.Credential = credential;
                        connection.Bind();
                        Console.WriteLine("logged in");
                    }
                }
                catch (LdapException lexc)
                {
                    // The server's diagnostic text; its "data NNN" field tells a bad
                    // password apart from a password that must be changed (see below).
                    String error = lexc.ServerErrorMessage;
                    Console.WriteLine(error);
                }
                catch (Exception exc)
                {
                    Console.WriteLine(exc);
                }
            }
        }
    }
    

If the user's password is wrong, or the user doesn't exist, error will contain

    "8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1",

if the user's password needs to be changed, it will contain

    "8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 773, v1db1"

The lexc.ServerErrorMessage data value is a hex representation of the Win32 Error Code. These are the same error codes which would be returned by otherwise invoking the Win32 LogonUser API call. The list below summarizes a range of common values with hex and decimal values:

    Hex   Meaning                                      Decimal
    525   user not found                               1317
    52e   invalid credentials                          1326
    530   not permitted to logon at this time          1328
    531   not permitted to logon at this workstation   1329
    532   password expired                             1330
    533   account disabled                             1331
    701   account expired                              1793
    773   user must reset password                     1907
    775   user account locked                          1909
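Turning that table into code: the block below is an added example (not the answer's own code) that extracts the "data NNN" field from LdapException.ServerErrorMessage, maps it to the meanings listed above, and wraps the bind so callers get a reason rather than raw diagnostic text. The server name is a placeholder; the sample messages in Main are constructed in the format quoted above.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Globalization;
using System.Net;
using System.Text.RegularExpressions;

static class LdapBindResult
{
    // Sub-error codes from the "data NNN" field of the AcceptSecurityContext
    // message, keyed by their hex value, as listed in the table above.
    static readonly Dictionary<int, string> Reasons = new Dictionary<int, string>
    {
        { 0x525, "user not found" },
        { 0x52e, "invalid credentials" },
        { 0x530, "not permitted to logon at this time" },
        { 0x531, "not permitted to logon at this workstation" },
        { 0x532, "password expired" },
        { 0x533, "account disabled" },
        { 0x701, "account expired" },
        { 0x773, "user must reset password" },
        { 0x775, "user account locked" },
    };

    static readonly Regex DataCode = new Regex(@"\bdata\s+([0-9a-fA-F]+)\b");

    // Extracts the hex code from a message such as
    // "8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1".
    // Returns null when the message carries no data field.
    public static int? ParseDataCode(string serverErrorMessage)
    {
        if (string.IsNullOrEmpty(serverErrorMessage)) return null;
        Match m = DataCode.Match(serverErrorMessage);
        if (!m.Success) return null;
        return int.Parse(m.Groups[1].Value, NumberStyles.HexNumber);
    }

    // Maps a parsed code to the reason text; unknown codes are reported with their
    // decimal value so they can be looked up in the Win32 error list.
    public static string Describe(int? code)
    {
        if (code == null) return "bind failed (no data code in server message)";
        string reason;
        return Reasons.TryGetValue(code.Value, out reason)
            ? reason
            : "unknown sub-error 0x" + code.Value.ToString("x") + " (" + code.Value + ")";
    }

    // Performs the bind from the answer above and returns a reason string.
    // server is a placeholder host name.
    public static string TryBind(string server, string user, string password)
    {
        try
        {
            using (var connection = new LdapConnection(server))
            {
                // Negotiate (the default AuthType) uses Kerberos/NTLM rather than a
                // simple bind, so the password is not sent in the clear.
                connection.AuthType = AuthType.Negotiate;
                connection.Credential = new NetworkCredential(user, password);
                connection.Bind();
                return "authenticated";
            }
        }
        catch (LdapException lexc)
        {
            return Describe(ParseDataCode(lexc.ServerErrorMessage));
        }
    }

    static void Main()
    {
        // Constructed sample messages in the format quoted in the answer; no server needed.
        string[] samples =
        {
            "8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 52e, v1db1",
            "8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 773, v1db1",
            "8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 775, v1db1",
            "8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, v1db1",
        };
        foreach (string s in samples)
            Console.WriteLine(Describe(ParseDataCode(s)));
    }
}
```

The distinction is most useful on the server side: "user must reset password" and "password expired" deserve a redirect to a change-password flow, while "user account locked" and repeated "invalid credentials" are the events worth alerting on. The end user should still see one generic failure message.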
    
Link: http://www.djcxy.com/p/6124.html
