Logo Questions Linux Laravel Mysql Ubuntu Git Menu
HTML CSS JAVASCRIPT SQL PYTHON PHP BOOTSTRAP JAVA JQUERY R React Kotlin
 

How to validate domain credentials without considering the Cached Domain Credential

Tags:

I want to know if there's a way to validate domain credential and make sure we don't use the Cached Domain Credential ?

I use this to validate the credential :

 bool valid = false;
 using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
 {
     valid = context.ValidateCredentials( username, password );
 }

The problem is when I change the password, the old password is still working.

EDIT : If you force the password to be reset, the cached domain credential will not be use. But between the moment we force the reset, and moment the user reset the password, the old password will still work.

like image 741
Vinc 웃 Avatar asked May 28 '14 17:05

Vinc 웃

People also ask

Are domain credentials cached?

Domain credentials are cached on a local system so that domain members can logon to the machine even if the DC is down.

How do I check domain credentials?

Go to lookup.icann.org. In the search field, enter your domain name and click Lookup. In the results page, scroll down to Registrar Information. The registrar is usually your domain host.

How do I disable cached logon credentials?

To disable credential caching by using a GPO setting, enable the “Interactive logon: number of previous logons to cache (in case domain controller is not available)” setting. This setting is located in the Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options GPO container.

How do I clear cached domain credentials?

In the control panel window, open the Credential Manager control panel. In the Credential Manager control panel, click on Windows Credentials. From there you can check/edit/delete your saved network credentials.

Video Answer

1 Answers

Question already has an answer Why does Active Directory validate last password?

Solution is to use a Kerberos authentication.

The following code shows how you can perform credential validation using only Kerberos. The authentication method at use will not fall back to NTLM in the event of failure.

private const int ERROR_LOGON_FAILURE = 0x31;

private bool ValidateCredentials(string username, string password, string domain)
{
    NetworkCredential credentials
        = new NetworkCredential(username, password, domain);

    LdapDirectoryIdentifier id = new LdapDirectoryIdentifier(domain);

    using(LdapConnection connection = new LdapConnection(id, credentials, AuthType.Kerberos))
    {
        connection.SessionOptions.Sealing = true;
        connection.SessionOptions.Signing = true;

        try
        {
            connection.Bind();
        }
        catch (LdapException lEx)
        {
            if (ERROR_LOGON_FAILURE == lEx.ErrorCode)
            {
                return false;
            }

            throw;
        }

    return true;
}
like image 191
JJS Avatar answered Oct 10 '22 07:10

JJS
Sign in to Comment

Related questions

IntelliJ Idea sbt managed source file
Uninstalling app not delete app group data .Do I have to remove app group container and it's content manually?
How do I tell visualvm where to find my source code?
Auto-vectorizing: Convincing the compiler that alias check is not necessary
How to use actors for database access and DDD?
Using Static HTML with React
What does cmdclass do in Pythons setuptools?
Including data files only in cabal test suites
ternary operator of different types
Android custom keyboard popup keyboard on long press
How to generate .ipa file from command line with watchkit app
Show color thresholds in c3.js gauge

Donate For Us

If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!