
Let's say we have a PC station (windows 10) joined to Active Directory and there is a user that signed in.

I have an application (the client layer connects directly to the database). Currently, the application prompts for a login / password on start-up; however, I want to change that so that, if the current user is signed in to the domain, they are given access right away without being prompted for credentials.

I can imagine that once the user is logged in to the system, the account may in the meantime have been disabled, the password may need to be changed, or the password may have expired. Since I don't have the password for the account, the question is

How can I validate the currently logged-in user against Active Directory to decide whether I can give them access to the application or not?



You can check WindowsIdentity:

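// Identity behind the current process token, i.e. the interactively signed-in account.
// IsAuthenticated and Name are read from that logon token, not from a live directory
// query, so an account that was disabled or expired after sign-in can still report
// IsAuthenticated == true; a directory lookup is needed to detect that.
System.Security.Principal.WindowsIdentity identity = System.Security.Principal.WindowsIdentity.GetCurrent();
bool isAuthenticated = identity.IsAuthenticated;
string name = identity.Name;   // e.g. "DOMAIN\\user" (the original read .Name off the bool, which does not compile)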

And here is my solution. It reaches the AD directory, checks whether the account really exists there, and verifies that its "enabled" property allows authentication. Maybe this will help somebody.

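/// <summary>
/// Decides whether the interactively signed-in Windows account can be accepted for
/// single sign-on by looking it up in Active Directory, or whether the application
/// must fall back to prompting for credentials.
/// </summary>
/// <remarks>
/// This is a client-side gate only: it confirms that the account exists and is usable
/// in the directory at the time of the call. It does not authenticate the user to the
/// database, and it does not detect an expired password (that would additionally need
/// the domain password policy together with <c>LastPasswordSet</c>). Every failure
/// path yields <see cref="AuthenticationMode.Credentials"/>, i.e. the conservative
/// outcome of prompting for a password.
/// </remarks>
public class ADAuthentication
{
    // Resolved in the constructor rather than in a field initializer so that a
    // directory failure is caught and turns into a credentials prompt instead of
    // an exception escaping from 'new ADAuthentication(...)'.
    private string userPrincipalName;
    private string userName = Environment.UserName;

    /// <summary>UPN of the signed-in account, or null when it could not be resolved from the directory.</summary>
    public string UserPrincipalName
    {
        get { return userPrincipalName; }
        set { userPrincipalName = value; }
    }

    /// <summary>User name of the signed-in account as reported by <see cref="Environment.UserName"/>.</summary>
    public string Username
    {
        get { return userName; }
        set { userName = value; }
    }

    // First DNS label of the configured domain, e.g. "corp" for "corp.example.com".
    private string domainName;
    // LDAP container derived from the DNS name, e.g. "DC=corp,DC=example,DC=com".
    private string container;

    public enum AuthenticationMode { Credentials, ActiveDirectory };

    /// <summary>
    /// Looks the signed-in account up in the configured domain and returns
    /// <see cref="AuthenticationMode.ActiveDirectory"/> only when it exists, is enabled,
    /// is not locked out and has not passed its account expiration date.
    /// </summary>
    /// <returns>
    /// <see cref="AuthenticationMode.ActiveDirectory"/> when single sign-on is acceptable;
    /// otherwise <see cref="AuthenticationMode.Credentials"/>, including when the user is
    /// signed in to a different domain, the UPN is unknown, or the directory is unreachable.
    /// </returns>
    public AuthenticationMode GetAuthenticationType()
    {
        // NOTE(review): this compares the first DNS label of the configured domain with the
        // NetBIOS domain of the logon session; the two agree in the common case but are not
        // guaranteed to — confirm against the target forest.
        if (!string.Equals(domainName, Environment.UserDomainName, StringComparison.OrdinalIgnoreCase))
            return AuthenticationMode.Credentials;

        // Without a UPN there is nothing to look up; FindByIdentity would reject a null value.
        if (string.IsNullOrWhiteSpace(userPrincipalName))
            return AuthenticationMode.Credentials;

        try
        {
            using (var domainContext = new PrincipalContext(ContextType.Domain, domainName, container))
            using (var foundUser = UserPrincipal.FindByIdentity(domainContext, IdentityType.UserPrincipalName, userPrincipalName))
            {
                if (IsUsable(foundUser))
                    return AuthenticationMode.ActiveDirectory;
            }
        }
        catch (AuthenticationException)
        {
            // Could not bind to the directory with the current credentials.
        }
        catch (PrincipalServerDownException)
        {
            // No domain controller reachable.
        }
        catch (PrincipalOperationException)
        {
            // Directory reachable but the lookup itself failed (e.g. an invalid container).
        }

        return AuthenticationMode.Credentials;
    }

    // True when the directory entry exists and is currently allowed to log on:
    // enabled, not locked out, and (if an expiration date is set) not yet expired.
    private static bool IsUsable(UserPrincipal user)
    {
        if (user == null || user.Enabled != true)
            return false;

        // Separate directory round-trip; lockout is not part of the Enabled flag.
        if (user.IsAccountLockedOut())
            return false;

        // NOTE(review): AccountExpirationDate is assumed to be reported in UTC by the
        // AccountManagement API — confirm, otherwise compare against DateTime.Now.
        DateTime? expires = user.AccountExpirationDate;
        return !expires.HasValue || expires.Value > DateTime.UtcNow;
    }

    /// <summary>
    /// Creates the checker for the given DNS domain name (e.g. "corp.example.com").
    /// </summary>
    /// <param name="domainName">DNS name of the domain the account is expected to belong to.</param>
    /// <exception cref="InvalidOperationException">Thrown when <paramref name="domainName"/> is null or blank.</exception>
    public ADAuthentication(string domainName)
    {
        if (string.IsNullOrWhiteSpace(domainName))
            throw new InvalidOperationException("The domainName parameter is required.");

        string[] parts = domainName.Split('.');
        this.domainName = parts[0];
        // "corp.example.com" -> "DC=corp,DC=example,DC=com"
        this.container = string.Join(",", Array.ConvertAll(parts, part => "DC=" + part));

        try
        {
            this.userPrincipalName = UserPrincipal.Current.UserPrincipalName;
        }
        catch (PrincipalException)
        {
            // Not resolvable right now (e.g. no domain controller reachable); GetAuthenticationType
            // then falls back to a credentials prompt instead of the constructor throwing.
            this.userPrincipalName = null;
        }
    }
}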