Active Directory (LDAP) – Check account locked out / Password expired

by

A little late but I’ll throw this out there.

If you want to REALLY be able to determine the specific reason that an account is failing authentication (there are many more reasons other than wrong password, expired, lockout, etc.), you can use the windows API LogonUser. Don’t be intimidated by it – it is easier than it looks. You simply call LogonUser, and if it fails you look at the Marshal.GetLastWin32Error() which will give you a return code that indicates the (very) specific reason that the logon failed.

However, you’re not going to be able to call this in the context of the user you’re authenticating; you’re going to need a priveleged account – I believe the requirement is SE_TCB_NAME (aka SeTcbPrivilege) – a user account that has the right to ‘Act as part of the operating system’.

//Your new authenticate code snippet:
        try
        {
            if (!LogonUser(user, domain, pass, LogonTypes.Network, LogonProviders.Default, out token))
            {
                errorCode = Marshal.GetLastWin32Error();
                success = false;
            }
        }
        catch (Exception)
        {
            throw;
        }
        finally
        {
            CloseHandle(token);    
        }            
        success = true;

if it fails, you get one of the return codes (there are more that you can look up, but these are the important ones:

 //See http://support.microsoft.com/kb/155012
    const int ERROR_PASSWORD_MUST_CHANGE = 1907;
    const int ERROR_LOGON_FAILURE = 1326;
    const int ERROR_ACCOUNT_RESTRICTION = 1327;
    const int ERROR_ACCOUNT_DISABLED = 1331;
    const int ERROR_INVALID_LOGON_HOURS = 1328;
    const int ERROR_NO_LOGON_SERVERS = 1311;
    const int ERROR_INVALID_WORKSTATION = 1329;
    const int ERROR_ACCOUNT_LOCKED_OUT = 1909;      //It gives this error if the account is locked, REGARDLESS OF WHETHER VALID CREDENTIALS WERE PROVIDED!!!
    const int ERROR_ACCOUNT_EXPIRED = 1793;
    const int ERROR_PASSWORD_EXPIRED = 1330;

The rest is just copy/paste to get the DLLImports and values to pass in

  //here are enums
    enum LogonTypes : uint
        {
            Interactive = 2,
            Network =3,
            Batch = 4,
            Service = 5,
            Unlock = 7,
            NetworkCleartext = 8,
            NewCredentials = 9
        }
        enum LogonProviders : uint
        {
            Default = 0, // default for platform (use this!)
            WinNT35,     // sends smoke signals to authority
            WinNT40,     // uses NTLM
            WinNT50      // negotiates Kerb or NTLM
        }

//Paste these DLLImports

[DllImport("advapi32.dll", SetLastError = true)]
        static extern bool LogonUser(
         string principal,
         string authority,
         string password,
         LogonTypes logonType,
         LogonProviders logonProvider,
         out IntPtr token);

[DllImport("kernel32.dll", SetLastError = true)]
        static extern bool CloseHandle(IntPtr handle);

More Related Contents:

  1. ASP.NET Core 2.0 LDAP Active Directory Authentication
  2. Adding and removing users from Active Directory groups in .NET
  3. How to get all the AD groups for a particular user?
  4. How do I validate Active Directory creds over LDAP + SSL?
  5. How to get the current user’s Active Directory details in C#
  6. Validate a username and password against Active Directory?
  7. How can I get a list of users from active directory?
  8. Find Recursive Group Membership (Active Directory) using C#
  9. Can I get more than 1000 records from a DirectorySearcher?
  10. How to get the groups of a user in Active Directory? (c#, asp.net)
  11. How to programmatically change Active Directory password
  12. Active Directory COM Exception – An operations error occurred (0x80072020)
  13. Connect to Active Directory via LDAP
  14. How to check if a user belongs to an AD group?
  15. Error 0x80005000 and DirectoryServices
  16. ValidateCredentials returns true for unknown user?
  17. “A referral was returned from the server” exception when accessing AD from C#
  18. c# Active Directory Services findAll() returns only 1000 entries [duplicate]
  19. Querying an LDAP
  20. Built-in helper to parse User.Identity.Name into Domain\Username
  21. .NET 4.5 Bug in UserPrincipal.FindByIdentity (System.DirectoryServices.AccountManagement)
  22. .Net’s Directory Services throws a strange exception
  23. C# Active Directory: Get domain name of user?
  24. Connecting to LDAP from C# using DirectoryServices
  25. Authenticating users using Active Directory in Client-Server Application
  26. Using C# to authenticate user against LDAP
  27. See if user is part of Active Directory group in C# + Asp.net
  28. No generic implementation of OrderedDictionary?
  29. Read a XML (from a string) and get some fields – Problems reading XML
  30. Click an HTML link inside a WebBrowser Control

Leave a Comment