Active directory authentication

I'm using the code below to authenticate a user in Active Directory, but the password is sent in clear text. How can I hash my password and then send it to Active Directory?

using System;
using System.DirectoryServices;

// Fields the original fragment assigns (assumed to live on the enclosing class).
private string _path;
private string _filterAttribute;

public bool IsAuthenticated(string path, string username, string pwd)
{
   // No AuthenticationTypes argument: the bind uses this constructor's default
   // authentication type.
   DirectoryEntry entry = new DirectoryEntry(path, username, pwd);
   try
   {
      //Bind to the native AdsObject to force authentication.
      object obj = entry.NativeObject;

      DirectorySearcher search = new DirectorySearcher(entry);

      // Escape the RFC 4515 filter metacharacters (backslash first) so the
      // supplied name cannot change the meaning of the filter.
      string safeName = username.Replace("\\", "\\5c").Replace("*", "\\2a")
                                .Replace("(", "\\28").Replace(")", "\\29");
      search.Filter = "(SAMAccountName=" + safeName + ")";
      search.PropertiesToLoad.Add("cn");
      SearchResult result = search.FindOne();

      if (null == result)
      {
         return false;
      }

      //Update the new path to the user in the directory.
      _path = result.Path;
      _filterAttribute = (string)result.Properties["cn"][0];
   }
   catch (Exception ex)
   {
      throw new Exception("Error authenticating user. " + ex.Message);
   }

   return true;
}
asked Feb 12 '11 06:02 by Raymond Morphy

1 Answer

If you are using .NET 3.5, then I'd strongly recommend switching to using the System.DirectoryServices.AccountManagement namespace (read all about it: Managing Directory Security Principals in the .NET Framework 3.5).

Lots of things are a lot easier in S.DS.AM - like authenticating users:

PrincipalContext ctx = new PrincipalContext(ContextType.Domain);
ctx.ValidateCredentials("test", "test", ContextOptions.SecureSocketLayer);

The only way to do this securely is by specifying the ContextOptions.SecureSocketLayer option to enforce using an SSL protected connection.

If you cannot move to .NET 3.5 and S.DS.AM, you need to check out the AuthenticationTypes that you can define in the fourth overloaded constructor of DirectoryEntry:

DirectoryEntry entry = 
     new DirectoryEntry(path, username, pwd, 
                        AuthenticationTypes.SecureSocketsLayer);

There's no other way to do this, I'm afraid - I don't think there's any way for you on the client-side to hash a password the same way Windows Server / Active Directory do it, and pass in that hashed value...

answered Oct 17 '22 01:10 by marc_s
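Both approaches from this answer carried through as an added example (not code from the original question or answer, nor from the .NET documentation). The server name dc01.corp.example, the LDAPS port and the base DN are assumed values; the S.DS.AM path looks the user up by identity instead of building a filter string, and the DirectoryEntry path escapes the filter value before use.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

public static class AdAuth
{
    // Assumed values: a domain controller reachable over LDAPS (port 636)
    // and the base DN of the domain it serves.
    const string Server = "dc01.corp.example:636";
    const string BaseDn = "DC=corp,DC=example";
    // .NET 3.5+: the bind carries the password, so require SSL/TLS and
    // Negotiate (Kerberos/NTLM) rather than a simple bind.
    public static bool ValidateWithSdsAm(string user, string password)
    {
        var opts = ContextOptions.Negotiate | ContextOptions.SecureSocketLayer;
        using (var ctx = new PrincipalContext(ContextType.Domain, Server, BaseDn, opts))
        {
            if (!ctx.ValidateCredentials(user, password, opts))
                return false;
            // Identity lookup instead of a hand-built LDAP filter: the
            // caller-supplied name cannot alter the query.
            using (var p = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, user))
                return p != null;
        }
    }
    // RFC 4515 escaping for a value placed inside an LDAP filter
    // (backslash first, so the escapes themselves are not re-escaped).
    public static string EscapeFilterValue(string value)
    {
        return value.Replace("\\", "\\5c").Replace("*", "\\2a")
                    .Replace("(", "\\28").Replace(")", "\\29").Replace("\0", "\\00");
    }

    // Pre-3.5: the same requirement expressed through AuthenticationTypes on
    // DirectoryEntry, with the filter value escaped before use.
    public static bool ValidateWithDirectoryEntry(string user, string password)
    {
        string path = "LDAP://" + Server + "/" + BaseDn;
        var types = AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer;
        using (var entry = new DirectoryEntry(path, user, password, types))
        using (var search = new DirectorySearcher(entry))
        {
            object bind = entry.NativeObject;            // forces the authenticated bind
            search.Filter = "(sAMAccountName=" + EscapeFilterValue(user) + ")";
            search.PropertiesToLoad.Add("cn");
            return search.FindOne() != null;
        }
    }
}
```

If the domain controller does not present a certificate the client trusts, both paths fail at the bind rather than falling back to an unprotected connection, which is the behaviour you want.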