Wrong Lockout Policy Count When Using PrincipalContext.ValidateCredentials

  • Question

  • I'm developing a .NET application that integrates with Active Directory and needs to validate credentials for the user logging in.  Everything works fine; however, the count of invalid password attempts is different when a user enters MyDomain\UserName vs. UserName@MyDomain.

    If my group policy has the account lockout threshold set to 4 invalid attempts, and the user enters his or her user name as MyDomain\UserName with 4 invalid passwords, then they get 4 attempts before being locked out, which is correct.  If they enter their user name as UserName@MyDomain 2 times, they get locked out.

    If my group policy has the account lockout threshold set to 6 invalid attempts, and the user enters his or her user name as MyDomain\UserName with 6 invalid passwords, then they get 6 attempts before being locked out, which is correct.  If they enter their user name as UserName@MyDomain 3 times, they get locked out.  etc...

    So it's always dividing by 2.  Below is a screenshot of my application and my code:

    using System;
    using System.DirectoryServices.AccountManagement;
    using System.Windows.Forms;

    // These members belong to the WinForms test form (txtUserName, txtPassword, TextBox1).
    public partial class Form1 : Form
    {
        private void Button1_Click(object sender, EventArgs e)
        {
            bool bUserLocked = false;
            // Look the account up first so a locked-out user is reported without spending another attempt
            if (this.IsUserAccountLockedOut(this.txtUserName.Text, ref bUserLocked)) {
                if (!bUserLocked) {
                    if (this.IsUserValid(this.txtUserName.Text, this.txtPassword.Text)) {
                        this.TextBox1.AppendText("Success With Password: " + this.txtPassword.Text + Environment.NewLine);
                    } else {
                        this.TextBox1.AppendText("Failed Login With Password: " + this.txtPassword.Text + Environment.NewLine);
                    }
                } else {
                    this.TextBox1.AppendText("User Account Locked Out" + Environment.NewLine);
                }
            } else {
                MessageBox.Show("Error");
            }
        }

        // Returns true if the user was found; bUserLocked receives the account's lockout state.
        public bool IsUserAccountLockedOut(string sUserName, ref bool bUserLocked)
        {
            //First, create a new return variable
            bool bReturn = true;

            //Default the user locked out flag (fail closed if the lookup does not complete)
            bUserLocked = true;

            try {
                //Next, create the domain principal context object
                using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain)) {
                    //Next, attempt to find the user by the user name
                    using (UserPrincipal usr = UserPrincipal.FindByIdentity(ctx, sUserName)) {
                        //Next, check if the user was found
                        if (usr != null) {
                            //User found, check if the account is locked out or not
                            //(IsAccountLockedOut is a method, so it needs the parentheses)
                            bUserLocked = usr.IsAccountLockedOut();

                            //Success, return true
                            bReturn = true;
                        } else {
                            //User not found, so return false
                            bReturn = false;
                        }
                    }
                }
            } catch (Exception) {
                //Error, just return false and log
                bReturn = false;
            }

            //Finally, return the return variable
            return bReturn;
        }

        // Returns true only if the domain accepts the user name/password pair.
        public bool IsUserValid(string sUserName, string sPassword)
        {
            //First, create a new return variable
            bool bReturn = true;

            //Next, create a new context for the domain
            using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain)) {
                //Next, attempt to validate the credentials
                bReturn = ctx.ValidateCredentials(sUserName, sPassword);
            }

            //Finally, return the return variable
            return bReturn;
        }
    }


    Friday, June 8, 2012 5:59 PM

Answers

  • It sounds like the bad password count increases by 2 if you use the UPN format (Domain@sAMAccountName); however, the count increases by 1 every time if you use the sAMAccountName format (Domain\sAMAccountName).

    This issue has been seen before; the root cause is similar to the description in http://support.microsoft.com/kb/264678/EN-US/:

    When the client tries to authenticate the user with a resource, Windows 2000 first uses the Kerberos authentication method. If the Kerberos attempt does not succeed, the client then tries the Windows NT challenge/response (NTLM) authentication protocol. Each of these methods presents the user's credentials for authentication purposes. Therefore, if a user specifies an incorrect password, the user's account is "charged" twice for one authentication attempt.

    You can check the NTLM and Security logs to verify whether there are 2 attempts: one for Kerberos, another for NTLM.

    This by-design behavior is in the ADSI layer on which the .NET classes depend, so we can do nothing in the .NET part; you may want to visit the AD forum http://social.technet.microsoft.com/Forums/en-US/winserverDS/threads

    However, as a workaround, please replace the UPN format with the sAMAccountName format.


    Please remember to click “Mark as Answer” on the post that helps you, and to click “Unmark as Answer” if a marked post does not actually answer your question. This can be beneficial to other community members reading the thread.

    Regards,
    Eric Yang
    Microsoft Online Community Support

    • Marked as answer by Ryan_Ha Thursday, June 14, 2012 12:42 AM
    Wednesday, June 13, 2012 9:58 AM
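The accepted answer's workaround (always hand ValidateCredentials a DOMAIN\sAMAccountName, never a UPN) combined with the lockout pre-check from the question's code, written as an added example. This is not the poster's code and not part of the .NET API: the DomainLogon class, ToSamAccountName, Validate and the netbiosDomain parameter are names chosen here, and the code assumes a domain-joined machine and that the caller knows the domain's NetBIOS name.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Added example (not from the thread). Assumes a domain-joined machine and that the
// caller supplies the NetBIOS domain name, e.g. "MYDOMAIN".
public static class DomainLogon
{
    public enum LogonResult { Success, BadPassword, UserNotFound, LockedOut, Error }

    // Normalizes "user", "DOMAIN\user" or "user@dns.domain" to the bare sAMAccountName.
    // A UPN is resolved through the directory rather than by string munging, because the
    // UPN suffix is a DNS name and may not match the NetBIOS domain name at all.
    public static string ToSamAccountName(PrincipalContext ctx, string input)
    {
        if (string.IsNullOrWhiteSpace(input)) return null;

        int slash = input.IndexOf('\\');
        if (slash >= 0) return input.Substring(slash + 1);

        if (input.Contains("@"))
        {
            using (UserPrincipal u = UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, input))
            {
                return u == null ? null : u.SamAccountName;
            }
        }
        return input;
    }

    public static LogonResult Validate(string netbiosDomain, string userInput, string password)
    {
        try
        {
            using (PrincipalContext ctx = new PrincipalContext(ContextType.Domain))
            {
                string sam = ToSamAccountName(ctx, userInput);
                if (sam == null) return LogonResult.UserNotFound;

                using (UserPrincipal usr = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, sam))
                {
                    if (usr == null) return LogonResult.UserNotFound;

                    // Check lockout before validating so a locked account is not charged
                    // yet another failed attempt while the user is already locked out.
                    if (usr.IsAccountLockedOut()) return LogonResult.LockedOut;
                }

                // DOMAIN\sAMAccountName form: one failed call is one badPwdCount increment,
                // instead of the Kerberos-then-NTLM double charge seen with the UPN form.
                bool ok = ctx.ValidateCredentials(netbiosDomain + "\\" + sam, password);
                return ok ? LogonResult.Success : LogonResult.BadPassword;
            }
        }
        catch (Exception)
        {
            // Directory unreachable, multiple matches, etc. Report an error rather than
            // treating it as a bad password.
            return LogonResult.Error;
        }
    }
}
```

Log the LogonResult, not the password: the question's test harness echoes the typed password into a textbox, which is fine in a lab but must not reach anything that persists logs. To confirm the double charge the answer describes, look on the domain controller for a Kerberos pre-authentication failure (event ID 4771) followed by an NTLM credential validation (event ID 4776) for the same account from a single ValidateCredentials call made with the UPN form.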

All replies

  • Hi Ryan_ha,

    Welcome to the MSDN Forum.

    I am performing research on this issue now. I will update this thread as soon as I get any update.

    Best regards,


    Mike Feng
    MSDN Community Support | Feedback to us
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Monday, June 11, 2012 9:56 AM
    Moderator
  • Thanks so much Mike, any help would be greatly appreciated.

    Tuesday, June 12, 2012 7:01 PM
  • Hi Ryan_ha,

    This case is being handled by another moderator. Thank you for your patience while waiting for the update.

    Best regards,


    Mike Feng
    MSDN Community Support | Feedback to us
    Please remember to mark the replies as answers if they help and unmark them if they provide no help.

    Wednesday, June 13, 2012 5:52 AM
    Moderator
  • Great, thank you so much.
    Thursday, June 14, 2012 12:42 AM