Does PrincipalContext.ValidateCredentials send credentials in cleartext or not?

  • Question

  • I'm using the call ValidateCredentials(userUsername, userPassword) in a web application to validate credentials against Active Directory. This is on a web server in a private network that communicates with an AD server on the same network. However, the client is still very concerned about how these credentials are being transported (I guess he's worried about someone sniffing traffic from within the network). I attempted to use the LDAPS context option for the aforementioned PrincipalContext method, but I'm running into errors (such as "the server cannot handle directory requests").

    So, my question was this: in the absence of LDAPS, is the password being sent in cleartext? I spent some time capturing traffic via Wireshark and couldn't find any evidence that the password was in cleartext. After doing some research, it seems like the validation takes place via GSS-API and SASL. If so, the password would NOT be sent in cleartext, right? I can't find a definitive answer on the matter and I'm trying to assuage the client's concerns that even if LDAPS isn't used, there are still some protections in place.


    • Edited by Alex98395 Friday, March 11, 2016 4:26 PM
    Friday, March 11, 2016 4:25 PM

Answers

All replies

  • Hi Alex,

    As far as I know Active Directory is built on top of the LDAP protocol. It is an implementation of LDAP. So I don't understand what is meant by "in the absence of LDAPS".

    Active Directory is using Windows authentication to validate users. And Windows authentication supports NTLM and Kerberos authentication. None of them will transfer user info in cleartext.

    Here's some detailed information about them

    https://msdn.microsoft.com/en-us/library/windows/desktop/bb931352(v=vs.85).aspx

    Hope this helps!

    Best regards,

    Kristin



    Monday, March 14, 2016 12:03 PM
  • Thanks, Kristin. However, that's honestly not very helpful.

    This is not an account login using the operating system, so to my knowledge, neither NTLM nor Kerberos are employed. This is a programmatic validation of AD credentials.

    By default, the PrincipalContext.ValidateCredentials call uses port 389, which is unsecured LDAP, as opposed to port 636, which is used for LDAP over SSL. That's what I meant by "in the absence of LDAPS."

    I'm trying to determine if cleartext is used for the password, even when communication takes place via port 389.

    Monday, March 14, 2016 2:54 PM
  • Hi Alex,

    Sorry for my late reply.

    Please refer to this article: https://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.contextoptions(v=vs.110).aspx

    I also suggest you use PrincipalContext.ValidateCredentials Method (String, String, ContextOptions) instead.

    Please pay attention to this part, which means all the content is encrypted by default.

    In Remarks section:

    When the context options are not specified by the application, the Account Management API uses the following combination of options:

    • ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing

    Best regards,

    Kristin


    Thursday, March 17, 2016 3:35 AM
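As an added illustration (not code from the thread) of what the default option set above means in practice: the snippet below makes the ContextOptions explicit when calling ValidateCredentials, and refuses any option set that would put the password on the wire unprotected (a SimpleBind without SecureSocketLayer). The domain and server names are placeholders, and the "host:636" form for the LDAPS variant is an assumption about how the name parameter is interpreted.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Added example, not from the forum thread. Domain/server names are placeholders.
static class AdCredentialCheck
{
    // What the API uses when no options are passed: a Negotiate (SASL/GSS-API,
    // i.e. Kerberos or NTLM) bind with signing and sealing. The password itself
    // is never transmitted, and the session is integrity-protected and encrypted,
    // even on plain port 389.
    public static readonly ContextOptions DefaultSignedSealed =
        ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing;

    // LDAPS variant: a simple bind does send the password, so it is only
    // acceptable inside TLS (SecureSocketLayer, normally port 636).
    public static readonly ContextOptions SimpleBindOverTls =
        ContextOptions.SimpleBind | ContextOptions.SecureSocketLayer;

    // True when the option set cannot expose the password in cleartext:
    // either the bind is a GSS-API negotiate (no password on the wire)
    // or the whole connection is wrapped in TLS.
    public static bool ProtectsPassword(ContextOptions o)
    {
        return o.HasFlag(ContextOptions.Negotiate)
            || o.HasFlag(ContextOptions.SecureSocketLayer);
    }

    // Validates credentials against AD, failing closed on unsafe option sets.
    // "name" is a domain name, or "dc.example.com:636" for the LDAPS variant
    // (port-in-name form assumed here).
    public static bool Validate(string name, string user, string password,
                                ContextOptions options)
    {
        if (!ProtectsPassword(options))
            throw new InvalidOperationException(
                "Refusing bind that would send the password in cleartext: " + options);

        using (var ctx = new PrincipalContext(ContextType.Domain, name, null, options))
        {
            // Passing the options explicitly documents the wire protection in
            // code instead of relying on the (documented) default.
            return ctx.ValidateCredentials(user, password, options);
        }
    }

    static void Main(string[] args)
    {
        // args: user password  (placeholder domain "corp.example.com")
        bool ok = Validate("corp.example.com", args[0], args[1], DefaultSignedSealed);
        Console.WriteLine(ok ? "credentials valid" : "credentials rejected");
    }
}
```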
  • Thanks, Kristin. The default context options you specified do indeed suggest that encryption is taking place regardless of LDAP vs LDAPS.
    Thursday, March 17, 2016 4:00 PM
  • Thanks, Kristin. The default context options you specified do indeed suggest that encryption is taking place regardless of LDAP vs LDAPS.

    @Alex,

    Yes, that's what I mean.

    Now please remember to close this issue by marking helpful reply as an answer, if you have another issue, please feel free to reopen a new thread in this forum. Thanks for your cooperation and support.

    Best regards,

    Kristin



    Friday, March 18, 2016 1:22 AM