Geeks With Blogs

Sam Abraham, Software Engineer/Architect: Putting Customers First

Authenticating Domain Users
One of my recent projects involved creating an authentication module compatible with both .NET 3.5 and 4.0 and supporting platforms as early as Windows 2000. In the next few lines, I will walk through our line of reasoning and the various implementations we experimented with, along with a summary of the shortfalls we found with each. For those reading this post, please feel free to share your thoughts in the comments section, as I am looking forward to reading and learning from your ideas and input.
 
PrincipalContext Class
 
We found the PrincipalContext class in the System.DirectoryServices.AccountManagement namespace very easy and intuitive to use. The following snippet is all it took to validate user credentials with that approach:
 

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Bind to the domain "domain" and ask it to validate the user name/password pair.
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "domain"))
{
    bool isValid = pc.ValidateCredentials("userName", "password");

    if (!isValid)
    {
        Console.WriteLine("Invalid User name/password");
    }
}
```
 

When testing this approach, however, we ran into an issue after a user changed their password: for a while afterwards, both the old and the new password were accepted as valid. This becomes a problem if, for instance, the password was changed because it had been compromised. The behaviour is not specific to PrincipalContext: by design, a domain controller keeps accepting a domain user's previous password for NTLM network authentication for a grace period after a change (60 minutes by default, controlled by the OldPasswordAllowedPeriod value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa on the domain controllers; see Microsoft KB 906305), and Kerberos is not affected by it.
 
In researching this issue, we found a forum post advising us to force our Active Directory authentication over Kerberos, which is not subject to that grace period, in order to solve the password-change issue.
 
Existing customer infrastructure varied, however, and some environments did not support Kerberos authentication, so we were not able to go ahead with that solution either.
  
 
LogonUser() and the Security Support Provider Interface (SSPI)
 
Next, we tried a P/Invoke (interop) call to the Win32 LogonUser() function, as outlined in this article. This works without Kerberos, but it hands the clear-text password to the local LSA and returns a logon token handle that must be closed.
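The interop route, as an added example that is not the post's own code: a minimal P/Invoke wrapper around the Win32 LogonUser() function. The class and method names are mine, and the domain, user name and password are placeholders taken from the command line.

```csharp
// Added example (not the post's code): validating domain credentials through
// a P/Invoke call to advapi32!LogonUserW. Windows only.
using System;
using System.ComponentModel;
using System.Runtime.InteropServices;

public static class LogonUserCheck
{
    // Logon types and providers, as defined in WinBase.h.
    const int LOGON32_LOGON_INTERACTIVE = 2; // needs "Allow log on locally" on this machine
    const int LOGON32_LOGON_NETWORK = 3;     // cheapest; needs "Access this computer from the network"
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Win32 error raised for a wrong user name or password ("The user name or password is incorrect").
    const int ERROR_LOGON_FAILURE = 1326;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(
        string lpszUsername, string lpszDomain, string lpszPassword,
        int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CloseHandle(IntPtr hObject);

    // Returns true only when LSA accepts the user name/password pair.
    // A plain bad-password result maps to false; every other failure
    // (locked-out account, expired password, no logon servers reachable, ...)
    // is surfaced as an exception so the caller can tell "wrong password"
    // from "could not check", while still failing closed.
    public static bool Validate(string domain, string userName, string password)
    {
        IntPtr token = IntPtr.Zero;
        try
        {
            if (LogonUser(userName, domain, password,
                          LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
            {
                return true;
            }

            int error = Marshal.GetLastWin32Error();
            if (error == ERROR_LOGON_FAILURE)
            {
                return false;
            }
            throw new Win32Exception(error);
        }
        finally
        {
            // The token carries the user's identity; release it as soon as the check is done.
            if (token != IntPtr.Zero)
            {
                CloseHandle(token);
            }
        }
    }

    static void Main(string[] args)
    {
        // args: domain userName password (placeholders; use a real test account)
        bool ok = Validate(args[0], args[1], args[2]);
        Console.WriteLine(ok ? "Credentials accepted" : "Invalid user name/password");
    }
}
```

LOGON32_LOGON_NETWORK is the right type for a pure credential check: it is the cheapest logon and only requires the "Access this computer from the network" right, whereas LOGON32_LOGON_INTERACTIVE requires "Allow log on locally" on the machine running the check and would reject otherwise valid accounts. Two things to keep in mind: the clear-text password is handed to LSA from the calling process, so it should not be logged or kept around longer than needed; and on Windows 2000 the calling process needs the SE_TCB_NAME ("Act as part of the operating system") privilege, a requirement that Windows XP and later dropped.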
Our final solution, however, used SSPI, following the model outlined in this link.
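The SSPI route, as an added example that is not the post's own code and may differ from the linked model: the classic loopback check, where the application acts as both client and server of a Negotiate handshake on the local machine, and a completed handshake means the domain accepted the password. I assume the linked model does the same through raw SSPI calls; this version uses NegotiateStream from System.Net.Security, which has been available since .NET 2.0 and so fits the .NET 3.5/4.0 requirement. Class and method names are mine; domain, user name and password are command-line placeholders.

```csharp
// Added example (not the post's code): validating domain credentials with an
// SSPI Negotiate handshake run over a loopback TCP socket via NegotiateStream.
// The client side authenticates with the supplied user name/password; the server
// side runs under this process's own identity and lets LSA (and, for domain
// accounts, the domain controller) verify the response. Windows only.
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Threading;

public static class SspiLoopbackCheck
{
    public static bool Validate(string domain, string userName, string password)
    {
        // Port 0: let the OS pick a free loopback port for this one handshake.
        var listener = new TcpListener(IPAddress.Loopback, 0);
        listener.Start();
        int port = ((IPEndPoint)listener.LocalEndpoint).Port;

        bool serverOk = false;
        var serverThread = new Thread(() =>
        {
            try
            {
                using (TcpClient conn = listener.AcceptTcpClient())
                {
                    conn.ReceiveTimeout = 10000;
                    using (var server = new NegotiateStream(conn.GetStream(), false))
                    {
                        // Runs the AcceptSecurityContext side; a wrong password surfaces
                        // as InvalidCredentialException (an AuthenticationException).
                        server.AuthenticateAsServer();
                        serverOk = server.IsAuthenticated;
                    }
                }
            }
            catch (AuthenticationException) { serverOk = false; }
            catch (IOException) { serverOk = false; }
            catch (SocketException) { serverOk = false; }
        });
        serverThread.Start();

        bool clientOk = false;
        try
        {
            using (var tcp = new TcpClient())
            {
                tcp.ReceiveTimeout = 10000;
                tcp.Connect(IPAddress.Loopback, port);
                using (var client = new NegotiateStream(tcp.GetStream(), false))
                {
                    // Empty target name: no SPN is offered, so Negotiate settles on NTLM
                    // and the exchange stays on this host; only LSA talks to the DC.
                    client.AuthenticateAsClient(
                        new NetworkCredential(userName, password, domain), string.Empty);
                    clientOk = client.IsAuthenticated;
                }
            }
        }
        catch (AuthenticationException) { clientOk = false; }
        catch (IOException) { clientOk = false; }
        finally
        {
            listener.Stop();      // closes the listening socket, not the accepted one
            serverThread.Join();
        }

        // Fail closed: both sides must report a completed handshake.
        return clientOk && serverOk;
    }

    static void Main(string[] args)
    {
        // args: domain userName password (placeholders; use a real test account)
        Console.WriteLine(Validate(args[0], args[1], args[2])
            ? "Credentials accepted" : "Invalid user name/password");
    }
}
```

Because the empty target name steers Negotiate to NTLM, this check does not depend on Kerberos being available, which is what made SSPI usable where the Kerberos-only advice was not; the flip side is that NTLM network authentication is exactly the path on which a domain controller honours its grace period for a just-changed password, so this approach does not by itself close the old-password window the post describes.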
 
Now, my question to all of you who stumble upon this blog post: do you know of a better way to implement this? Note that this is not a web application; otherwise the ActiveDirectoryMembershipProvider would have conveniently done the job.
Posted on Friday, May 6, 2011 10:38 AM | Fladotnet.com, Tech Talk


Comments on this post: Authenticating Domain Users



Copyright © Sam Abraham | Powered by: GeeksWithBlogs.net