Active Directory Authentication with Status / Error Code Result

Currently (my company and I) have an ASP.NET MVC4 page. We want to use a login page that authenticates through AD. One of the requirements is that an unsuccessful attempt returns some information to the user.

The information we would like to receive will be something like this:

  • Invalid user / pw
  • The account is blocked.
  • Password Expired

This is unfamiliar territory, so I'm not sure which .NET libraries might be available. So far I have come across System.DirectoryServices, but it seems that I will not get any result other than a bool.

Is it possible? We would be grateful for any links, suggestions or examples!

2 answers

You can use PrincipalContext.ValidateCredentials to verify the credentials first. If it returns false, use the static UserPrincipal.FindByIdentity to find the user; if one is found, check whether the account is locked using IsAccountLockedOut().

You may need to extend UserPrincipal yourself to find out whether the password has expired; I do not see a direct property/method. You can extend it to access the userAccountControl attribute directly and check whether bit 0x800000, which is PASSWORD_EXPIRED, is set. Here is more information about userAccountControl values.

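The flow this answer describes (ValidateCredentials first, then FindByIdentity and IsAccountLockedOut, then a flag check for an expired password), as an added example that is not code from the question or from either answer. The domain name, the enum and the method names are assumptions made for the example. One detail differs from the answer's wording: in Active Directory the PASSWORD_EXPIRED bit (0x800000) is not maintained in the stored userAccountControl attribute; the domain controller computes it on read in the constructed attribute msDS-User-Account-Control-Computed, so the example reads that attribute instead. Before shipping this on a public login page, note that every distinct message ("locked out", "password expired", "no such user") is an account-state oracle for an unauthenticated caller; the usual compromise is to log the precise result server-side and show the user the generic message the second answer recommends.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

// Outcome reported back to the login page (names are assumptions for this example).
// Which of these you show to an anonymous caller is a policy decision: each
// distinct message tells an attacker something about the account.
public enum AdLoginResult
{
    Success,
    InvalidCredentials,
    LockedOut,
    Disabled,
    PasswordExpired
}

public static class AdLogin
{
    // Bit value from the ADS_USER_FLAG_ENUM flag set used by userAccountControl
    // and msDS-User-Account-Control-Computed.
    const int UF_PASSWORD_EXPIRED = 0x800000;

    public static AdLoginResult Authenticate(string domain, string samAccountName, string password)
    {
        // The PrincipalContext itself connects with the web application's own
        // identity; ValidateCredentials then checks the submitted user/password pair.
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        {
            if (ctx.ValidateCredentials(samAccountName, password, ContextOptions.Negotiate))
                return AdLoginResult.Success;

            // ValidateCredentials only says "no"; ask the directory why.
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, samAccountName))
            {
                if (user == null)
                    return AdLoginResult.InvalidCredentials;   // no such account

                if (user.IsAccountLockedOut())
                    return AdLoginResult.LockedOut;

                if (user.Enabled == false)                      // Enabled is bool?
                    return AdLoginResult.Disabled;

                if (IsPasswordExpired(user))
                    return AdLoginResult.PasswordExpired;

                return AdLoginResult.InvalidCredentials;        // account fine, password wrong
            }
        }
    }

    // PASSWORD_EXPIRED is not kept up to date in the stored userAccountControl
    // attribute; AD computes it on read in msDS-User-Account-Control-Computed,
    // so fetch that constructed attribute from the underlying DirectoryEntry.
    static bool IsPasswordExpired(UserPrincipal user)
    {
        var entry = (DirectoryEntry)user.GetUnderlyingObject();
        entry.RefreshCache(new[] { "msDS-User-Account-Control-Computed" });
        object computed = entry.Properties["msDS-User-Account-Control-Computed"].Value;
        return computed != null && ((int)computed & UF_PASSWORD_EXPIRED) != 0;
    }
}
```

In the MVC controller this is a single call, for example `AdLogin.Authenticate("corp.example.com", model.UserName, model.Password)` (the domain name is a placeholder), with the result switched into whatever message policy allows. The calls used (PrincipalContext, ValidateCredentials, UserPrincipal.FindByIdentity, IsAccountLockedOut, GetUnderlyingObject, DirectoryEntry.RefreshCache) are all part of System.DirectoryServices and System.DirectoryServices.AccountManagement; the project needs references to both assemblies.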

Suppose you have code like this:

 try
 {
     SearchResult result = searcher.FindOne();   // the bind to AD happens here
 }
 catch (Exception e)
 {
     // now what?
 }

Now, in the exception, you can deal with the LDAP exception type. Here is a list of all LDAP errors:

http://msdn.microsoft.com/en-us/library/aa746530(v=vs.85).aspx

You can determine which type you are getting based on the value of the ADSI error.

But, in my opinion, you should give the user a single generic error, such as "invalid credentials", because the LDAP error is hard to handle.

Regards!

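The "now what?" in this answer, worked through as an added example that is not code from the question or the answers. When an Active Directory bind fails with LDAP result 49 (invalidCredentials), the domain controller puts a Windows-specific sub-code after "data " in the diagnostic message, and that text reaches .NET as DirectoryServicesCOMException.ExtendedErrorMessage; the HRESULT alone (0x8007052E, ERROR_LOGON_FAILURE) does not distinguish the cases. The example parses that sub-code into a reason, which is the information the question asks for. The LDAP path, the class and method names, and the sample message are assumptions made for the example; the sample message is constructed in the shape a domain controller returns for a wrong password.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Text.RegularExpressions;

public static class AdBindError
{
    // Sub-codes AD places after "data " in the diagnostic message of a failed
    // bind (LDAP result 49) and what each one means.
    static readonly Dictionary<string, string> SubCodes =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
    {
        { "525", "user not found" },
        { "52e", "invalid credentials" },
        { "530", "not permitted to log on at this time" },
        { "531", "not permitted to log on at this workstation" },
        { "532", "password expired" },
        { "533", "account disabled" },
        { "701", "account expired" },
        { "773", "user must reset password" },
        { "775", "account locked out" },
    };

    // Matches e.g. "... AcceptSecurityContext error, data 52e, v1db1"
    static readonly Regex DataCode =
        new Regex(@"\bdata\s+([0-9a-fA-F]{3})\b", RegexOptions.Compiled);

    // Maps the server's diagnostic text to a reason; "unknown" when no
    // recognised sub-code is present (e.g. a network or referral error).
    public static string Classify(string extendedErrorMessage)
    {
        if (string.IsNullOrEmpty(extendedErrorMessage))
            return "unknown";
        Match m = DataCode.Match(extendedErrorMessage);
        string reason;
        if (m.Success && SubCodes.TryGetValue(m.Groups[1].Value, out reason))
            return reason;
        return "unknown";
    }

    // Binds to AD as the submitted user. The bind, and therefore the exception,
    // happens on the first operation that touches the directory, here FindOne().
    // AuthenticationTypes.Secure keeps this off a cleartext simple bind.
    public static string TryBind(string ldapPath, string username, string password)
    {
        try
        {
            using (var entry = new DirectoryEntry(ldapPath, username, password, AuthenticationTypes.Secure))
            using (var searcher = new DirectorySearcher(entry, "(objectClass=user)") { SizeLimit = 1 })
            {
                searcher.FindOne();
                return "success";
            }
        }
        catch (DirectoryServicesCOMException ex)
        {
            // ex.ErrorCode is only the HRESULT; the "data" sub-code lives in
            // ExtendedErrorMessage. Log the precise reason server-side and show
            // the user the generic message this answer recommends.
            return Classify(ex.ExtendedErrorMessage);
        }
    }

    // Constructed sample (assumption, not captured from a real server) in the
    // shape a domain controller returns for a wrong password.
    public const string SampleBadPassword =
        "80090308: LdapErr: DSID-0C0903A9, comment: AcceptSecurityContext error, data 52e, v1db1";
}
```

`AdBindError.Classify(AdBindError.SampleBadPassword)` returns "invalid credentials" without touching a directory, which makes the mapping unit-testable; `AdBindError.TryBind("LDAP://corp.example.com", user, password)` (placeholder path) does the live bind. The map intentionally covers more than the three cases in the question because a single login endpoint will encounter all of them in practice.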

Source: https://habr.com/ru/post/1436694/
