views: 227
answers: 1

In our ASP.NET intranet application we are using Windows authentication to authenticate the users.

We have recently had a request to give the user a reason for why they cannot log in. For example, tell the user they can't log in because their password has expired vs. they can't log in because their account is locked out.

When an account is locked out or the password has expired, the user cannot log on to the application. IIS will deny access and redirect the user to the Access Denied (401) page after 3 login attempts. As the username is not passed to the web application when IIS authentication fails, we won't be able to check if the account is locked out or the password has expired.

Any suggestions on how to get this information? Are we going to have to move to Forms authentication with an AD provider?

+2  A: 

The simple solution to this is to move to forms authentication. But being that I know you did not want to hear that, and it is not allowed or a viable solution, your next option is to:

Look into System.DirectoryServices

Below I'm just pasting some quick code you can play with. Notice how to determine if a user is locked out or not. This is VB.NET but can be easily changed to C#.

    ' Needs a reference to System.DirectoryServices.dll and
    '   Imports System.DirectoryServices
    '   Imports System.Reflection
    Try
        ' Bind with an account that may read and modify users; path and credentials are placeholders.
        Dim dirEntry As New DirectoryEntry("LDAP://yourDomainInfoHere/OU=Users,OU=YourDomain,OU=YourOU,OU=CORP,DC=YourDC,DC=com", "ExecuteAsUser", "Password")

        Dim entries As DirectoryEntries = dirEntry.Children
        ' Set login name and full name.
        Dim newUser As DirectoryEntry = entries.Add("CN=JONNY BOY", "User")

        newUser.Properties("sAMAccountName").Add("jboy")
        newUser.CommitChanges()
        newUser.Invoke("SetPassword", "hi2343145gfdtgwdt")

        Dim flags As Integer = CInt(newUser.Properties("userAccountControl").Value)

        ' ACCOUNTDISABLE is bit &H2 of userAccountControl (&H1 is SCRIPT, not "disabled").
        ' Enable the user by clearing the bit ...
        newUser.Properties("userAccountControl").Value = flags And Not &H2

        ' ... or disable the user by setting it (both shown here; use one or the other).
        newUser.Properties("userAccountControl").Value = flags Or &H2

        ' Lockout: lockoutTime comes back as an ADSI large integer (COM IADsLargeInteger),
        ' not a Long, so read HighPart/LowPart and combine them. Nothing means never locked.
        Dim raw As Object = newUser.Properties("lockoutTime").Value
        Dim l As Long = 0
        If raw IsNot Nothing Then
            Dim high As Integer = CInt(raw.GetType().InvokeMember("HighPart", BindingFlags.GetProperty, Nothing, raw, Nothing))
            Dim low As Integer = CInt(raw.GetType().InvokeMember("LowPart", BindingFlags.GetProperty, Nothing, raw, Nothing))
            l = (CLng(high) << 32) Or (CLng(low) And &HFFFFFFFFL)
        End If

        If l <> 0 Then
            ' Account is locked out.
            ' So how do we unlock it? By setting lockoutTime back to 0.
            newUser.Properties("lockoutTime").Value = 0
        Else
            ' lockoutTime is 0: the account is NOT locked out.
        End If

        newUser.CommitChanges()

        Dim j As DirectoryEntry = entries.Find("CN=JONNY BOY", "User")
        j.Properties("mail").Value = "[email protected]"
        j.CommitChanges()
    Catch ex As Exception
        Throw   ' rethrow as-is so the original stack trace is kept
    End Try
JonH
As you indicate, the only real solution is to change the authentication from Windows to forms and implement our own login page and authentication methods. We ended up creating a 'troubleshooting page' where a user who fails authentication can re-enter their username/password. We then take that username and make AD queries to determine the reason for the authentication failure. It involves multiple entries of credentials, but it meets the business requirements (and budget), so everyone is happy.
yamspog
Good, I am glad you got it working, happy for you. Thanks for the accepted answer also!
JonH
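As an added example (not code from the answer above or from the asker's troubleshooting page), here is the lookup behind such a page in C#: given the username the user re-enters, it asks AD why that account cannot log on, reading the server-computed msDS-User-Account-Control-Computed flags so that a lockout whose lockoutDuration has already elapsed is not reported as a lockout, and escaping the username before it goes into the LDAP filter. The LDAP path, class and method names are assumptions; the query identity must be allowed to read user attributes and the DC must be Windows Server 2003 or later.

```csharp
using System;
using System.DirectoryServices;

// Added example, not code from the original answer. Assumes the identity running the query
// (app pool identity, or credentials passed to DirectoryEntry) may read user attributes.
public static class LoginFailureReason
{
    const int UF_ACCOUNTDISABLE   = 0x0002;     // bit of userAccountControl
    const int UF_LOCKOUT          = 0x0010;     // bit of msDS-User-Account-Control-Computed
    const int UF_PASSWORD_EXPIRED = 0x00800000; // bit of msDS-User-Account-Control-Computed

    // RFC 4515 filter escaping: the username is typed by someone who has not authenticated,
    // so it must not be able to change the structure of the LDAP filter. Backslash goes first.
    static string EscapeFilter(string value)
    {
        return value.Replace(@"\", @"\5c").Replace("*", @"\2a")
                    .Replace("(", @"\28").Replace(")", @"\29").Replace("\0", @"\00");
    }

    // domainPath is a placeholder such as "LDAP://DC=example,DC=com".
    public static string Explain(string domainPath, string sAMAccountName)
    {
        using (var root = new DirectoryEntry(domainPath))
        using (var searcher = new DirectorySearcher(root))
        {
            searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName="
                              + EscapeFilter(sAMAccountName) + "))";
            searcher.PropertiesToLoad.Add("userAccountControl");
            // Constructed attribute: only returned when asked for explicitly.
            searcher.PropertiesToLoad.Add("msDS-User-Account-Control-Computed");

            SearchResult result = searcher.FindOne();
            // A distinct "no such user" message would let anyone enumerate usernames; keep it generic.
            if (result == null) return "Unable to log on with these credentials.";

            // DirectorySearcher returns plain Int32 here (no COM large-integer handling needed).
            int uac      = (int)result.Properties["userAccountControl"][0];
            int computed = (int)result.Properties["msDS-User-Account-Control-Computed"][0];

            if ((uac & UF_ACCOUNTDISABLE) != 0)        return "Account is disabled.";
            if ((computed & UF_LOCKOUT) != 0)          return "Account is locked out.";
            if ((computed & UF_PASSWORD_EXPIRED) != 0) return "Password has expired.";
            return "Account is usable; the password entered was probably wrong.";
        }
    }
}
```

Every call to Explain from the troubleshooting page should itself be rate-limited and logged, since the page is reachable by users who have just failed to authenticate.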