Authenticating user belonging to trusted domain using PrincipalContext.ValidateCredentials Method

  • Question

  • How shall I authenticate a user belonging to a trusted domain using the C# API PrincipalContext.ValidateCredentials?

    Domain1 and Domain2 belong to different AD forests and Domain1 trusts Domain2. I need to authenticate Domain2\John using Domains1's domain controller.

    I use the following method to do this:

    var context = new PrincipalContext(ContextType.Domain, "Domain1");
    return context.ValidateCredentials("John", password);

    This works for all cases except when a user by the name of "John" exists in Domain1 as well. How do I explicitly specify Domain2\John needs to be authenticated?

    I thought of passing the user name like this:

    return context.ValidateCredentials(@"Domain2\John", password);

    However this format for specifying user name is explicitly forbidden in the ValidateCredentials documentation at

    https://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.principalcontext.validatecredentials%28v=vs.110%29.aspx?f=255&MSPPError=-2147217396

    (though the code seems to work) :

    ===BEGIN quote from documentation===

    Remarks

    The userName argument in both overloads of this method must take the form username (for example, mcampbell) rather than domain\username or username@domain.

    ===END quote from documentation===

    Hence, what is the right way to do this?

    • Edited by kaplingat Wednesday, April 11, 2018 11:32 PM
    Wednesday, April 11, 2018 3:55 PM

All replies

  • Hi kaplingat,

    Thank you for posting here.

    For your question, I am confused about how you define the context below. Using Domain2 or Domain1?

    return context.ValidateCredentials(@"Domain2\John", password);

    If you want to do cross Domain authentication, please use the Domain of user which you want to authenticate.

    Normally, we have two ways to authenticate a user across domains. One is PrincipalContext. The other is DirectoryServices.

    You could download the source file from the code project and refer to the article.

    https://www.codeproject.com/Articles/608447/Directory-Authentication-for-Cross-Domain-Users-in

    Best Regards,

    Wendy


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Thursday, April 12, 2018 8:39 AM
    Moderator
  • Hi Wendy,

    My requirement is to authenticate users of all trusted domains using the parent domain's domain controller. Hence the PrincipalContext is created using the parent domain Domain1's FQDN/IP address. Using this PrincipalContext, I need to validate users of all domains which trust Domain1. So, in my case, Domain1 is the cross domain (and it is different with no trust relationship with my host's domain), using which I need to authenticate users belonging to the entire trust hierarchy of Domain1.

    So the question is how I can do it - can I provide Domain2\username in ValidateCredential for achieving the same? I saw another blog post recommending this - https://social.msdn.microsoft.com/Forums/en-US/c4e9be7e-4f55-411b-84ee-5bf70e173fdb/principalcontextvalidatecredentials-with-upn-formated-user-name?forum=netfxbcl.

    Also see here which mentions a similar use case with the same recommendation - https://stackoverflow.com/questions/9473314/active-directory-principalcontext-validatecredentials-domain-disambiguation/9488248#9488248

    However, since MSDN explicitly mentions that UPN format should not be provided in ValidateCredentials, I wanted to know the right way of doing the same.

    Regards,
    Nikhil

    Thursday, April 12, 2018 11:20 AM
  • Hi Wendy,

    I also faced a similar issue. So basically this is my scenario.

    I have a user user1 in dom1 and user1 in dom2. Dom1 and Dom2 have a trust relationship between them. However, my code is running on a system in dom3 which does not have any trust with dom2 or dom1.

    The below code tries to authenticate user1 in dom1 (I know this because the passwords are different for user1 in dom1 and dom2):

    var context = new PrincipalContext(ContextType.Domain, "dom1", "user1", "passworddom2");
    return context.ValidateCredentials("user1", "passworddom2");


    However, since I want to specifically validate the credentials of user1 in dom2, I try the following:

    var context = new PrincipalContext(ContextType.Domain, "dom1", "user1@dom2.com", "passworddom2");
    return context.ValidateCredentials("user1@dom2.com", "passworddom2");

    This seems to be working, but since the UPN format doesn't seem to be a recommended format as per the Microsoft .NET documentation, I am not sure if this is the right thing to do.

    Please suggest.

    Regards,

    Ritu

    Tuesday, April 17, 2018 5:02 AM
  • Hello,

    I seem to be facing the same issue with authentication across multiple trusted domains. I was unaware of the restrictions Microsoft imposes on the format for the username, but thanks for bringing that up.

    Wendy, the solution proposed in the codeproject link you shared speaks about using UPN format in the ValidateCredentials() method. In the links shared by Kaplingat, it is explicitly called out that UPN and "domain\user" formats are not supported.

    1. Is it possible that there may be some limitations in using "user@DomainFQDN" vs "Domain\user" vs "user"?

    2. If we are to not use UPN format or "domain\user" format, how do we authenticate by specifying only the username in ValidateCredentials()? Say I have "user123" in "DomainA" and "user123" in "DomainB" as well, where DomainA trusts DomainB to authenticate its users. Unless I specify "DomainA\user123" in the validatecredentials method, wouldn't the below code validate against DomainB itself?

    var context = new PrincipalContext(ContextType.Domain, "DomainB","user1","password");
    return context.ValidateCredentials("user123", "passwduser123");


    Thanks in advance,

    Pallavi

    Friday, April 20, 2018 5:24 AM
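The following is an added example (not code from this thread or from Microsoft's documentation) that addresses both the original question and Pallavi's second question: how to make sure the account in the intended domain is the one being validated when a same-named account exists in a trusting domain, while still passing ValidateCredentials the plain username form the documentation requires. The approach is to bind the PrincipalContext to the domain that owns the account, resolve the account by UPN first, check that the resolved object actually lives in that domain, and only then call ValidateCredentials with the resolved sAMAccountName against the same context. The domain name "domain2.example", the UPN "john@domain2.example" and the optional bind credentials are assumptions for illustration.

```csharp
// Added example, not from the thread. Assumed names: "domain2.example" is the
// FQDN of the domain that owns the account; "john@domain2.example" is its UPN.
using System;
using System.DirectoryServices.AccountManagement;

static class TrustedDomainAuth
{
    // Resolve the account in the domain that owns it, then validate the
    // documented plain-username form against that same context.
    // bindUser/bindPassword may be null to use the process's own credentials;
    // supply them when the calling host has no trust with domainFqdn.
    public static bool ValidateInOwningDomain(string domainFqdn, string upn, string password,
                                              string bindUser = null, string bindPassword = null)
    {
        // Bind to the account's home domain rather than to the trusting domain,
        // so a same-named account elsewhere in the trust hierarchy cannot be picked up.
        using (var ctx = new PrincipalContext(ContextType.Domain, domainFqdn, bindUser, bindPassword))
        {
            // Look the account up by UPN so the caller states exactly which principal
            // is meant; an unresolved or foreign principal is rejected, not guessed at.
            using (var user = UserPrincipal.FindByIdentity(ctx, IdentityType.UserPrincipalName, upn))
            {
                if (user == null)
                {
                    Console.WriteLine("No account with UPN {0} in {1}", upn, domainFqdn);
                    return false;
                }

                // Defensive check: the resolved object must sit under the domain we bound to.
                string expectedSuffix = DomainDn(domainFqdn);
                if (!user.DistinguishedName.EndsWith(expectedSuffix, StringComparison.OrdinalIgnoreCase))
                {
                    Console.WriteLine("Resolved {0} outside {1}; refusing", user.DistinguishedName, domainFqdn);
                    return false;
                }

                // ValidateCredentials takes the bare username form per the documentation;
                // use the sAMAccountName we just resolved, against the same domain context.
                return ctx.ValidateCredentials(user.SamAccountName, password, ContextOptions.Negotiate);
            }
        }
    }

    // "domain2.example" -> "DC=domain2,DC=example"
    static string DomainDn(string fqdn)
    {
        return "DC=" + string.Join(",DC=", fqdn.Split('.'));
    }

    static void Main()
    {
        // Illustrative call with placeholder values; no real credentials are embedded.
        bool ok = ValidateInOwningDomain("domain2.example", "john@domain2.example", "<password>");
        Console.WriteLine(ok ? "authenticated" : "rejected");
    }
}
```

Two points a practitioner should keep in mind with this pattern. First, ValidateCredentials only returns true or false; a locked-out, disabled or password-expired account is reported the same way as a wrong password, so if you need to distinguish those cases you have to inspect the resolved UserPrincipal (for example IsAccountLockedOut()) separately. Second, the DN suffix check assumes the UPN suffix matches the domain's DNS name; if the forest uses alternative UPN suffixes, derive the expected DN from the domain you bound to rather than from the UPN string, as the code above does.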
  • Hi kaplingat,

    Have you tried the samples in the code project?

    Does the code below not work?

    PrincipalContext ctx = new PrincipalContext(ContextType.Domain, strDomain);

    Best Regards,

    Wendy



    Sunday, April 22, 2018 10:33 PM
    Moderator