views: 93
answers: 2

I need to verify if the password is correct for a user.

I have this code:

    // requires: using System.DirectoryServices;
    private bool checkOldPasswordValid(string password, string username)
    {
        using (DirectoryEntry entry = new DirectoryEntry("WinNT://" + Environment.MachineName + ",computer"))
        {
            entry.Username = username;
            entry.Password = password;

            DirectorySearcher searcher = new DirectorySearcher(entry);

            searcher.Filter = "(objectclass=user)";
            try
            {
                // the search forces a bind with the supplied credentials
                searcher.FindOne();
            }
            catch (Exception)
            {
                return false;
            }
            return true;
        }
    }

But then DirectorySearcher is not supported with WinNT, so I found another way to loop through all records:

    foreach (DirectoryEntry dc in entry.Children)
    {
        // prints the name of each child object
        System.Diagnostics.Debug.WriteLine(dc.Name);
    }

But this just gets the name and doesn't verify the password.

Please help. Thanks.

+2  A: 

To authenticate against LDAP or WinNT, you need no DirectorySearcher. You only need to get the NativeObject from your DirectoryEntry instance. Here's a code sample that might guide you through the way.

// requires: using System.DirectoryServices;
public bool Authenticate(string username, string password, string domain) {
    bool authenticated = false;

    using (DirectoryEntry entry = new DirectoryEntry(@"WinNT://" + domain, username, password)) {
        try {
            // accessing NativeObject forces the bind with the given credentials
            object nativeObject = entry.NativeObject;
            authenticated = true;
        } catch (DirectoryServicesCOMException) {
            // bind failed: bad credentials (or unreachable target)
        }
    }

    return authenticated;
}

This code will return whether a user is authentic or not. Once you can get the NativeObject property using this DirectoryEntry class instance, this means that the AD (or local computer) used impersonation to get this object. If you get the object without a thrown exception, this means that the AD (or local computer) was able to authenticate the impersonated user.

While you can use the currently authenticated user by specifying no username and password but only the domain (or local computer), specifying a username and password says you want to use impersonation, so the security infrastructure will use the given username and password to try to retrieve the NativeObject property from this DirectoryEntry class instance.

To authenticate against the AD, just replace the "WinNT://" for "LDAP://".

Will Marcouiller
What if the domain is blank sometimes? Will that be a problem?
The domain can be the local computer name, or the domain from your domain controller using the AD. Normally, the domain should not be blank. I have never tested a blank domain, but I suppose this would cause the `try...catch` to throw. Perhaps it would be best if it were unit tested, trying every possible value for each of the parameters.
Will Marcouiller
DirectoryEntry entry = new DirectoryEntry("WinNT://" + Environment.MachineName, Session["userName"].ToString(), password);
I did the above. It is verifying even when the password is wrong.
While in ASP.NET, you need to set some settings in the configuration file, if I remember correctly, in order to tell it to use impersonation. The link provided by Mystere Man tells about this setting you have to set to `true` or `false`. That is a bit different while using ASP.NET. This code works great in the framework security block that I have developed. Maybe the righteous solution for you is a combination of both answers, Mystere Man's and mine.
Will Marcouiller
Besides, if this is used for an ASP.NET application, then you shouldn't consider authenticating a local computer's user account. I don't understand that part, but you must know what you're doing, right!? =)
Will Marcouiller
I have the user authenticated... that is not the problem.
Then further details are necessary if you require more help on the topic.
Will Marcouiller
This will work for the domain, but did not work for a user without a domain, so I used logon itself... thanks a lot anyways.
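As an added example (not code from either answer or from the original poster), the NativeObject check above wrapped into one method that covers both the WinNT:// and LDAP:// providers and the blank-domain case raised in the comments. The fallback to Environment.MachineName for a blank domain, the rejection of empty credentials and the use of AuthenticationTypes.Secure are this example's own assumptions.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

public static class CredentialCheck
{
    // Validates a username/password pair by binding a DirectoryEntry with those
    // credentials and forcing the bind through NativeObject.
    // A null/empty domain is treated as "the local machine" here; this fallback is
    // an assumption of this example, the answer above never tested a blank domain.
    public static bool Authenticate(string username, string password, string domain, bool useLdap)
    {
        // Defensive check: ADSI treats missing credentials as "bind as the current
        // process identity" (or anonymously), which must never count as a valid login.
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return false;

        string target = string.IsNullOrEmpty(domain) ? Environment.MachineName : domain;

        // WinNT:// binds against the local SAM (or a domain through the WinNT provider);
        // LDAP:// binds against Active Directory, as the answer above notes.
        string path = (useLdap ? "LDAP://" : "WinNT://") + target;

        try
        {
            // AuthenticationTypes.Secure requests an authenticated (NTLM/Kerberos)
            // bind instead of a simple clear-text bind.
            using (DirectoryEntry entry = new DirectoryEntry(path, username, password, AuthenticationTypes.Secure))
            {
                // Reading NativeObject performs the bind; a rejected password surfaces
                // as DirectoryServicesCOMException (LDAP) or a plain COMException (WinNT).
                object native = entry.NativeObject;
                return native != null;
            }
        }
        catch (COMException)
        {
            // DirectoryServicesCOMException derives from COMException, so one
            // handler covers both providers.
            return false;
        }
    }
}
```

Call it as `CredentialCheck.Authenticate(user, pass, null, false)` for a local account and `CredentialCheck.Authenticate(user, pass, "example.local", true)` for a domain account (names are placeholders).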
+2  A: 

You can use DirectoryEntry itself.

See the example here: http://support.microsoft.com/kb/316748

Why are you using WinNT:// anyways?

Mystere Man
Suppose local accounts are not a part of Active Directory... that's why, but I'm not sure. Please let me know if you have more info on this. Thanks.
He's using WinNT:// to authenticate against the computer itself, not the AD.
Will Marcouiller
@user175084: When using the AD, you're not supposed to manage local accounts. Let me explain. Suppose a user authenticates himself on a local computer, then wishes to access a network resource. Even though you authenticated this user as known to the local computer, the AD won't let this user get whatever resource he needs if the user is unknown to the AD. That is different if you wish to manage local computer user accounts.
Will Marcouiller
Well, it would be much simpler to use LogonUser then, would it not?
Mystere Man
I was using LogonUser to log in, and was looking for a simple way for this one.
@Mystere Man: I couldn't agree more! But we can be no judge of what one is doing as we don't know every aspect of the project he's working on, so it is simpler to provide solutions according to what is exposed in the question asked. Besides, perhaps one wishes to impersonate a service account through a service or an application that has to use some privileges that the currently logged on user can't access. This is particularly true as Microsoft recommends creating service accounts for "users" that need to work with specific sensitive data that any regular user shouldn't access.
Will Marcouiller
@Mystere Man: Doesn't the link you provided use the `DirectorySearcher` class? I guess so, after having read the article. That is exactly what the OP says was not possible to use for a local computer.
Will Marcouiller