3

I've an application with a logon screen for users to authenticate themselves against the domain. I've made use of the System.DirectoryServices.AccountManagement PrincipalContext/UserPrincipal classes for this.

    // Requires: using System.DirectoryServices.AccountManagement;
    PrincipalContext domain = new PrincipalContext(ContextType.Domain, "mydomain");
    if (domain.ValidateCredentials(UserName, Password))
    {
        // do stuff
    }

This works quite well in the vast majority of cases. However, for a few select people, this "domain.ValidateCredentials" method will automatically prompt for a smart card insertion when it finds that the UserName is valid in the domain. Simply closing the prompt again will allow my application to proceed, but I would much rather get rid of it completely.

Smart Card Prompt

I've not had much luck finding a cause/solution for this. Any assistance would be appreciated!

Joran Stoops

2 Answers

0

I also had the same problem today. The solution that is working for me: adding [System.DirectoryServices.AccountManagement.ContextOptions]'Negotiate' to the ValidateCredentials method:

    domain.ValidateCredentials(UserName, Password, [System.DirectoryServices.AccountManagement.ContextOptions]'Negotiate')

Peter Csala
0

Adding ContextOptions.Negotiate to the call to ValidateCredentials does solve the problem because this forces using Kerberos or NTLM with the username and password, bypassing asking for the SmartCard: https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement.contextoptions?view=dotnet-plat-ext-6.0.

Since a using statement is probably already in the code to reference AccountManagement, it is much more concise code to simply use the enumeration:

    domain.ValidateCredentials(UserName, Password, ContextOptions.Negotiate)

Joel Mussman