I need to authenticate a user's Windows credentials, given a userId, domain and password. Our Active Directory contains multiple domains, some of which we can list using the following code:

var domains = System.DirectoryServices.ActiveDirectory.Forest.GetCurrentForest().Domains;

However, we also have users that belong to domains outside the forest. They are, however, accessible to me from the Global Catalog (GC). The code below allows me to get a directory entry for a userId.

System.DirectoryServices.DirectoryEntry globalCatalogDE = new System.DirectoryServices.DirectoryEntry("GC://DC=nsroot,DC=net");
var ds = new System.DirectoryServices.DirectorySearcher(globalCatalogDE);
// Escape the filter metacharacters (RFC 4515) so a user-supplied userId cannot alter the filter.
string safeUserId = userId.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28").Replace(")", "\\29");
ds.Filter = "(&(objectClass=user)(sAMAccountName=" + safeUserId + "))";
// FindOne() returns null when nothing matches, whereas FindAll()[0] would throw.
System.DirectoryServices.SearchResult result = ds.FindOne();
System.DirectoryServices.DirectoryEntry userDE = result == null ? null : result.GetDirectoryEntry();

How do I authenticate a user that belongs to a domain I can not directly access but is available to me in the GC?

A: 

You can't authenticate a user by looking in the Global Catalog; it's for searching only (any attribute marked with isMemberOfPartialAttributeSet in the schema for each domain is replicated to the GC).

Passwords are not replicated to it; otherwise you would have the passwords of all users in the entire forest on each domain controller, which would be very bad from a security and replication standpoint. You need to establish a connection to the domain where the user's credentials are stored (i.e. you need access to LDAP ports 389 or 636).

Per Noalt
Sounds reasonable enough for me to mark as an answer even if it didn't solve my problem.
Wallstreet Programmer
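As an added illustration of the answer's point (this is not code from the question or the answer): the GC is used only to find out which domain holds the account, and the password is then validated against that domain's own directory. It assumes the forest root DN from the question (DC=nsroot,DC=net, passed in as forestRootDn), network reachability to the target domain's LDAP ports, and a reference to the System.DirectoryServices.AccountManagement assembly.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

static class CrossDomainAuth
{
    // Escape a value for an LDAP search filter (RFC 4515) so the account
    // name cannot change the filter's structure. Backslash goes first.
    static string EscapeFilterValue(string v)
    {
        return v.Replace("\\", "\\5c").Replace("*", "\\2a").Replace("(", "\\28")
                .Replace(")", "\\29").Replace("\0", "\\00");
    }

    // Step 1: the GC is search-only, so use it just to learn which domain holds
    // the account. Returns the DNS domain name built from the DC= components of
    // the user's distinguishedName, or null if no account matches.
    static string FindUserDomain(string forestRootDn, string userId)
    {
        using (var gc = new DirectoryEntry("GC://" + forestRootDn))
        using (var ds = new DirectorySearcher(gc))
        {
            ds.Filter = "(&(objectClass=user)(sAMAccountName=" + EscapeFilterValue(userId) + "))";
            ds.PropertiesToLoad.Add("distinguishedName");
            SearchResult hit = ds.FindOne();
            if (hit == null) return null;
            string dn = (string)hit.Properties["distinguishedName"][0];
            // "CN=Jane,OU=Staff,DC=corp,DC=example,DC=com" -> "corp.example.com"
            var dcParts = new List<string>();
            foreach (string rdn in dn.Split(','))
                if (rdn.Trim().StartsWith("DC=", StringComparison.OrdinalIgnoreCase))
                    dcParts.Add(rdn.Trim().Substring(3));
            return dcParts.Count == 0 ? null : string.Join(".", dcParts);
        }
    }

    // Step 2: validate the password against that domain's own directory (LDAP
    // 389/636), the only place it can be checked; the GC holds no password data.
    // Negotiate + Sealing keeps the bind off the wire in clear text.
    static bool Authenticate(string forestRootDn, string userId, string password)
    {
        string domain = FindUserDomain(forestRootDn, userId);
        if (domain == null) return false;
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
            return ctx.ValidateCredentials(userId, password, ContextOptions.Negotiate | ContextOptions.Sealing);
    }
}
```

sAMAccountName is only unique within a domain, so if the same account name can exist in several domains, match the DC= components of the GC result against the domain the caller supplied before binding.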