ValidateCredentials returns true for unknown user?


Question


I'm seeing some odd behaviour here using PrincipalContext.ValidateCredentials. The set-up is two Active Directory domains in parent/child setup (so we have primary domain company.com and sub-domain development.company.com).

When I validate credentials against the primary domain, ValidateCredentials behaves as expected, returning true for good user/pass pairs, and false for anything else.

However if I validate a user in the sub-domain, ValidateCredentials returns true for both good username/passwords AND invalid users. If I provide a valid user with an invalid password, it correctly returns false.

Now I'm working around it at the moment by doing UserPrincipal.FindByIdentity() first and if the user exists, then calling ValidateCredentials -- but I'd like to understand what's going on.

Another workaround I've looked at is by passing the username through as domain\username, as the MSDN entry for ValidateCredentials states:

In each version of this function, the userName string can be in one of a variety of different formats. For a complete list of the acceptable types of formats, see the ADS_NAME_TYPE_ENUM documentation.

...of which this form of username is listed. But this causes ValidateCredentials to always return true, no matter what combination of username and password I pass in.

The pertinent code is:

using System;
using System.DirectoryServices.AccountManagement;

// The fragment is wrapped in a method here so it compiles as posted; log() stands in
// for the poster's own logging helper, and domain/username/password are its inputs.
static void log(string message) => Console.WriteLine(message);

static bool Authenticate(string domain, string username, string password)
{
    bool authenticated = false;

    // Various options tried for ContextOptions, [etc] inc. explicit username/password to bind to AD with -- no luck.
    using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, domain, null, ContextOptions.Negotiate, null, null))
    {
        log(pc.ConnectedServer + " => " + pc.UserName + " => " + pc.Name + " => " + pc.Container);
        using (var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, username))
        {
            if (user != null)
            {
                log(user.DistinguishedName + "; " + user.DisplayName);
                authenticated = pc.ValidateCredentials(username, password);
            }
            else
            {
                log("User not found");
                // Debug only -- is FindByIdentity() needed? This should always return
                // false, but doesn't.
                authenticated = pc.ValidateCredentials(username, password);
            }
        }
    }
    return authenticated;
}

Any and all (sensible) suggestions welcome -- I'm scratching my head over this as it just goes against all expectations.

I ought to add: this is running as myself on my machine, both of which are members of the primary domain. However I've also tried running it in a command prompt on my machine as a user of the sub-domain (runas /user:subdomain\user cmd) with exactly the same results.

Solution

Some amount of googling later (not that I've been in and out of google all day trying to find this anyway), I've found the answer.

Put simply, if the Guest account is enabled in the domain, ValidateCredentials will return TRUE for an unknown user. I've just checked the status of the guest user in development.company.com, and sure enough the account is enabled. If I have the guest account disabled, ValidateCredentials correctly returns false.

This is a fairly fundamental gotcha, not sure I'm keen on this behaviour... pity it's not explicitly mentioned on MSDN.
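A hardened version of the check from the question, added here as an example (it is not code from the question or the answer): it resolves the account first, refuses the domain Guest account and disabled accounts, and only then calls ValidateCredentials, so an enabled Guest account can no longer turn an unknown username into a successful logon. It also includes an audit helper that reports whether the Guest account is enabled on a given domain. The class and method names are the example's own; it assumes the caller passes a DNS domain name such as development.company.com, a sAMAccountName and a password, and that the Guest account still carries its default name.

```csharp
using System;
using System.DirectoryServices.AccountManagement;
using System.Security.Principal;

// Added example, not the poster's code. Assumes the DNS domain name, a
// sAMAccountName and a password are supplied by the caller.
public static class GuestSafeAuthenticator
{
    // Returns true only if 'username' resolves to a real, enabled account that is
    // not the domain Guest account AND the password validates for that account.
    public static bool Authenticate(string domain, string username, string password)
    {
        if (string.IsNullOrEmpty(username) || string.IsNullOrEmpty(password))
            return false;

        using (var pc = new PrincipalContext(ContextType.Domain, domain))
        using (var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, username))
        {
            // Unknown user: never fall through to ValidateCredentials, which would
            // succeed as Guest when that account is enabled (the gotcha in the answer).
            if (user == null)
                return false;

            // Refuse the Guest account itself (well-known RID 501) and disabled accounts.
            if (user.Sid.IsWellKnown(WellKnownSidType.AccountGuestSid) || user.Enabled != true)
                return false;

            // The account exists and is an ordinary one, so true here means the
            // password matched that account rather than an implicit guest logon.
            return pc.ValidateCredentials(user.SamAccountName, password);
        }
    }

    // Audit helper: true if the domain Guest account is enabled, i.e. if a bare
    // ValidateCredentials call on this domain will accept unknown usernames.
    // Assumes the Guest account keeps its default sAMAccountName "Guest".
    public static bool IsGuestAccountEnabled(string domain)
    {
        using (var pc = new PrincipalContext(ContextType.Domain, domain))
        using (var guest = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, "Guest"))
        {
            return guest != null
                && guest.Sid.IsWellKnown(WellKnownSidType.AccountGuestSid)
                && guest.Enabled == true;
        }
    }
}
```

Running IsGuestAccountEnabled against each domain you authenticate against is a cheap way to confirm the answer's explanation before changing code, and to catch the setting being re-enabled later.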
