I'm using .NET and creating a DirectoryEntry and then accessing the NativeObject member to validate a user's credentials against AD.
There are some situations where the login will fail because the "User must change password on next logon" flag is set or the user is currently not allowed to log on because the logon times do not match.
I want to distinguish whether one of these situations occurred or whether the user just entered a wrong password.
If I create the DirectoryEntry object with parameter AuthenticationTypes.None, a DirectoryServicesCOMException is thrown if the login failed. The information in this exception can be used to determine e.g. if the "password change" flag is set.
Unfortunately, using AuthenticationTypes.None is not a secure way, as the password is transmitted.
If I create the DirectoryEntry object with the parameter AuthenticationTypes.Secure, a COMException is thrown instead of a DirectoryServicesCOMException. This exception is very generic, as it always has the error code ERROR_LOGON_FAILURE. I cannot distinguish if the user has entered a bad password or if the password has to be changed.
MSDN documentation says: If AuthenticationTypes.Secure is set, the WinNT provider uses NTLM to authenticate the client. I guess this leads to a different behavior where only a COMException is thrown.
Works, but insecure:

```csharp
// Simple bind: the password is transmitted, but a failure surfaces as a
// DirectoryServicesCOMException with extended error information.
var de = new DirectoryEntry(path, user, pass, AuthenticationTypes.None);
```

Secure, but throws only COMException:

```csharp
// NTLM bind via the WinNT provider: failures surface only as a generic
// COMException with ERROR_LOGON_FAILURE.
var de = new DirectoryEntry(path, user, pass, AuthenticationTypes.Secure);
```

The first option uses basic authentication and throws a specific DirectoryServicesCOMException; the second option uses NTLM and throws only a generic COMException.
Does anyone have an idea how I can detect whether a user has to change the password, the account is locked or expired, logon times are invalid, ... or whether the user has just entered a wrong password?
Many thanks.
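One way to get the reasons apart without falling back to AuthenticationTypes.None, as an added example that is not part of the original post: validate the credentials over Negotiate (Kerberos/NTLM, so the password is not sent in clear) and, when that fails, read the account's state through System.DirectoryServices.AccountManagement instead of relying on the exception. It assumes the process identity may read those attributes; the domain name, the enum and the logonHours bit order are assumptions of this example.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Hypothetical result type for this example.
public enum LogonFailureReason
{
    None, BadPassword, MustChangePassword, LockedOut, Disabled,
    AccountExpired, OutsideLogonHours, UnknownUser
}

public static class AdLogonCheck
{
    // 'domain' is an assumed value, e.g. "corp.example.com".
    public static LogonFailureReason Check(string domain, string user, string password)
    {
        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        {
            // Negotiate + Sealing: the user's password never crosses the wire in clear.
            if (ctx.ValidateCredentials(user, password,
                    ContextOptions.Negotiate | ContextOptions.Sealing))
                return LogonFailureReason.None;

            // Attribute reads run under the process identity, not the user's password.
            using (var u = UserPrincipal.FindByIdentity(ctx, IdentityType.SamAccountName, user))
            {
                if (u == null) return LogonFailureReason.UnknownUser;
                if (u.IsAccountLockedOut()) return LogonFailureReason.LockedOut;
                if (u.Enabled == false) return LogonFailureReason.Disabled;
                if (u.AccountExpirationDate.HasValue &&
                    u.AccountExpirationDate.Value <= DateTime.UtcNow)
                    return LogonFailureReason.AccountExpired;
                // pwdLastSet == 0 ("must change password at next logon") shows up as null.
                if (u.LastPasswordSet == null) return LogonFailureReason.MustChangePassword;
                if (!AllowedNow(u.PermittedLogonTimes)) return LogonFailureReason.OutsideLogonHours;
                return LogonFailureReason.BadPassword;
            }
        }
    }

    // logonHours is a 21-byte bitmap of 168 UTC hours starting Sunday 00:00.
    // Assumed bit order: bit 0 of byte 0 is Sunday 00:00-01:00 (LSB first).
    private static bool AllowedNow(byte[] logonHours)
    {
        if (logonHours == null || logonHours.Length != 21) return true; // no restriction set
        var now = DateTime.UtcNow;
        int hour = (int)now.DayOfWeek * 24 + now.Hour;
        return (logonHours[hour / 8] & (1 << (hour % 8))) != 0;
    }
}
```

The checks are ordered so that a locked or disabled account is reported before a password problem, since a bad password on such an account would otherwise be indistinguishable.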