ValidateCredentials未知用户返回true？ [英] ValidateCredentials returns true for unknown user?

问题描述

我看到一些奇怪的行为在这里使用 PrincipalContext.ValidateCredentials 。该设置是在父/子设置两个Active Directory域（所以我们主域 company.com 和子域 development.company。 COM ）。

I'm seeing some odd behaviour here using PrincipalContext.ValidateCredentials. The set-up is two Active Directory domains in parent/child setup (so we have primary domain company.com and sub-domain development.company.com).

当我验证对主域凭据， ValidateCredentials 表现不如预期，返回true良好的用户/密码对，而假为别的。

When I validate credentials against the primary domain, ValidateCredentials behaves as expected, returning true for good user/pass pairs, and false for anything else.

但是，如果我验证用户的子域， ValidateCredentials 返回true，为良好的用户名/密码和无效的用户。如果我提供密码无效的有效用户，它正确返回false。

However if I validate a user in the sub-domain, ValidateCredentials returns true for both good username/passwords AND invalid users. If I provide a valid user with an invalid password, it correctly returns false.

现在我周围做 UserPrincipal.FindByIdentity（）第一，如果用户存在，然后调用 ValidateCredentials <工作的时刻/ code> - 但我想知道这是怎么回事

Now I'm working around it at the moment by doing UserPrincipal.FindByIdentity() first and if the user exists, then calling ValidateCredentials -- but I'd like to understand what's going on.

另一种解决方法我已经看了是通过传递用户名作为域\用户名的<一个href="http://msdn.microsoft.com/en-us/library/system.directoryservices.accountmanagement.principalcontext.validatecredentials.aspx">MSDN对于入门 ValidateCredentials 规定：

Another workaround I've looked at is by passing the username through as domain\username as the MSDN entry for ValidateCredentials states:

在每个版本这一功能，将userName字符串可以是在一种   各种不同的格式。为可接受的完整列表   类型的格式，请参阅ADS_NAME_TYPE_ENUM文档。

In each version of this function, the userName string can be in one of a variety of different formats. For a complete list of the acceptable types of formats, see the ADS_NAME_TYPE_ENUM documentation.

...这这种形式的用户名被列出。但是，这会导致 ValidateCredentials 来总是返回true，无论我通过什么样的用户名和密码的组合。

...of which this form of username is listed. But this causes ValidateCredentials to always return true, no matter what combination of username and password I pass in.

相关code是：

bool authenticated = false;

// Various options tried for ContextOptions, [etc] inc. explicit username/password to bind to AD with -- no luck.
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, domain, null, ContextOptions.Negotiate, null, null))
{
    log(pc.ConnectedServer + " => " + pc.UserName + " => " + pc.Name + " => " + pc.Container);
    using (var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, username))
    {
        if (user != null)
        {
            log(user.DistinguishedName + "; " + user.DisplayName);
            authenticated = pc.ValidateCredentials(username, password);
        } else {
            log("User not found");
            // Debug only -- is FindByIdentity() needed. This should always return 
            // false, but doesn't.
            authenticated = pc.ValidateCredentials(username, password);
        }
    }
}
return authenticated;

任何及所有（合理的）建议表示欢迎 - 我抓我的头在这个因为它只是事与愿违

Any and all (sensible) suggestions welcome -- I'm scratching my head over this as it just goes against all expectations.

我应该补充：这个正在作为我自己我的机器，这两者都是主域的成员。不过，我也试着在我的机器上运行它在命令提示符的子域的用户（的runas / user：用户子域\用户CMD ）完全相同的结果。

I ought to add: this is running as myself on my machine, both of which are members of the primary domain. However I've also tried running it in a command prompt on my machine as a user of the sub-domain (runas /user:subdomain\user cmd) with exactly the same results.

推荐答案

之后（不是说我一整天试图找到这无论如何是进出谷歌）谷歌上搜索的一些量，我已经的found答案。

Some amount of googling later (not that I've been in and out of google all day trying to find this anyway), I've found the answer.

简单地说，如果Guest帐户已在域名启用，ValidateCredentials将未知用户返回TRUE。我刚刚查了guest用户的状态development.company.com，果然该帐户被启用。如果我有禁用来宾帐户，ValidateCredentials正确返回false。

Put simply, if the Guest account is enabled in the domain, ValidateCredentials will return TRUE for an unknown user. I've just checked the status of the guest user in development.company.com, and sure enough the account is enabled. If I have the guest account disabled, ValidateCredentials correctly returns false.

这是一个相当基本的疑难杂症，不知道我热衷于这种行为......可惜它没有明确提及MSDN上。

This is a fairly fundamental gotcha, not sure I'm keen on this behaviour... pity it's not explicitly mentioned on MSDN.

这篇关于ValidateCredentials未知用户返回true？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！