I am looking up an arbitrary Windows account in a forms-based C# login scenario using the user’s e-mail address as the key. Locating the user works fine and I get back my derived UserPrincipalEx fine.
However, when I try to validate a login using a Bind, it always succeeds:
    // We can't use ValidateCredentials because it's too broken: multiple attempts each time,
    // can't always negotiate properly, etc.
    //if (!_principalContext.ValidateCredentials(userPrincipal.UserPrincipalName, password)) {
    //    return LoginValidationResults.ValidationFailed;
    //}
    try {
        // Simple bind as the user; touching NativeObject forces the bind to actually happen.
        using (var directoryEntry = new DirectoryEntry("LDAP://" + _domain + "/" + _principalContext.Container,
                                                       userPrincipal.UserPrincipalName, password, AuthenticationTypes.FastBind)) {
            var forceBind = directoryEntry.NativeObject;
            Log.DebugFormat("Validation successful ({0}).", forceBind);
            return LoginValidationResults.Valid;
        }
    }
    catch (COMException ex) {
        // -2147023570 is 0x8007052E (ERROR_LOGON_FAILURE): wrong user name or password.
        // Anything else is an unexpected error and is rethrown.
        if (ex.ErrorCode != -2147023570) {
            Log.DebugFormat("Validation exception: {0}", ex.ToString());
            throw;
        }
        Log.Debug("Validation failed.");
        return LoginValidationResults.ValidationFailed;
    }
In some cases – and I can’t figure out what they are yet – the account always binds successfully, no matter what password I give.
Why could this be?
So I looked into this using some packet captures and saw that all of the succeeding binds were using a blank username.
Sure enough, the users in question had a blank (actually null – not set) UPN. This should never happen in our scenario but it did. Because it’s a broken user case, I just detect that and throw an exception.
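The failure mode in the answer above is that an empty user name turns the simple bind into an anonymous bind, which the directory accepts regardless of the password. The following is an added example (not code from the original question or answer) of a bind helper that refuses to proceed in that case. It also guards the closely related case of an empty password, which LDAP treats as an "unauthenticated" bind (RFC 4513, section 5.1.2) rather than a failed one. The names `LdapBindValidator`, `Validate`, `domain` and `container` are assumptions for the example; the HRESULT check and the `DirectoryEntry` usage follow the original snippet.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

public enum LoginValidationResults { Valid, ValidationFailed }

// Hypothetical helper; mirrors the bind from the question with the two guards the answer implies.
public static class LdapBindValidator
{
    // 0x8007052E == -2147023570 == ERROR_LOGON_FAILURE: wrong user name or password.
    private const int LogonFailureHResult = unchecked((int)0x8007052E);

    public static LoginValidationResults Validate(string domain, string container,
                                                  string userPrincipalName, string password)
    {
        // Guard 1: a null/blank UPN makes ADSI perform an anonymous bind, which
        // succeeds no matter what password is supplied. This is a data problem
        // on the account, so it is surfaced as an exception, not a failed login.
        if (string.IsNullOrWhiteSpace(userPrincipalName))
            throw new InvalidOperationException(
                "Account has no UPN; refusing to bind because the bind would be anonymous.");

        // Guard 2: an empty password requests an unauthenticated bind, which some
        // directories also accept. It can never count as a successful login.
        if (string.IsNullOrEmpty(password))
            return LoginValidationResults.ValidationFailed;

        try
        {
            // Secure is added to FastBind so the simple bind is not sent in cleartext
            // (a hardening choice for this example, not part of the original snippet).
            using (var entry = new DirectoryEntry("LDAP://" + domain + "/" + container,
                                                  userPrincipalName, password,
                                                  AuthenticationTypes.Secure | AuthenticationTypes.FastBind))
            {
                // Accessing NativeObject forces the bind to actually take place.
                var forceBind = entry.NativeObject;
                return LoginValidationResults.Valid;
            }
        }
        catch (COMException ex) when (ex.ErrorCode == LogonFailureHResult)
        {
            // Bad credentials: the expected outcome for a wrong password.
            return LoginValidationResults.ValidationFailed;
        }
        // Any other COMException (server unreachable, container wrong, etc.) propagates,
        // so an outage is never mistaken for a failed login or, worse, a valid one.
    }
}
```

The order of the guards matters: the UPN check runs before the password check so that a broken account is reported as such even when a caller passes an empty password. If a user directory where UPNs may legitimately be missing is in play, binding with the account's distinguished name instead of the UPN avoids the problem entirely, but the blank-credential guards should stay in place either way.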