Home/ Questions/Q 4115936
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-20T22:38:46+00:00

I have a Asp.net web site built on C# with Forms Authentication. We use

  • 0

I have a Asp.net web site built on C# with Forms Authentication. We use an Active Directory to authenticate the users, and everything works fine. But today we realized that it’s possible to login to any account by just entering the username and click Login, without supplying any password! This is only happening on the development environment running on localhost (thank god!), but I don’t like it…

I’ve never seen this behaviour before, and would really like someone to explain how this could happen. Is this a developer feature built by Microsoft? Or did someone at my office make a backdoor without telling the rest? I will investigate this last option further, but until then – have anyone encountered this before?

Big thanks in advance!

EDIT:
This is where the authentication returns true for every username I throw at it – with a blank password. Other passwords return false.

using (var context = new PrincipalContext(ContextType.Domain))
{
   result = context.ValidateCredentials(username, password);
}

PrincipalContext is the default from System.DirectoryServices.AccountManagement

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    After some more investigation I found this on MSDN which states:

    The ValidateCredentials method binds to the server specified in the constructor. If the username and password parameters are null, the credentials specified in the constructor are validated. If no credential were specified in the constructor, and the username and password parameters are null, this method validates the default credentials for the current principal.

    and together with this information in the documentation of the constructor of PrincipalContext:

    public PrincipalContext(System.DirectoryServices.AccountManagement.ContextType contextType, string name):
    contextType: A System.DirectoryServices.AccountManagement.ContextType enumeration value specifying the type of store for the principal context.
    name: The name of the domain or server for System.DirectoryServices.AccountManagement.ContextType.Domain context types, the machine name for System.DirectoryServices.AccountManagement.ContextType.Machine context types, or the name of the server and port hosting the System.DirectoryServices.AccountManagement.ContextType.ApplicationDirectory instance. If the name is null for a System.DirectoryServices.AccountManagement.ContextType.Domain context type this context is a domain controller for the domain of the user principal under which the thread is running. If the name is null for a System.DirectoryServices.AccountManagement.ContextType.Machine context type, this is the local machine name. This parameter cannot be null for System.DirectoryServices.AccountManagement.ContextType.ApplicationDirectory context types.

    This leads me to conclude that since I don’t use the name property in the constructor of the PrincipalContext, the domain controller will run under my own principal when on my dev machine. This could mean that it uses my users priveliges, which of course are much higher than the machine accounts the production servers are running as. This in turn could make all calls to Validate with nullas password automatically validate due to the higher level of privelige.

    At least, this is my theory… Comments and thoughts are welcome, I will be closing this question soon.

    • 0