I have implemented Active Directory authentication in my application and it is working properly.
But when entering an incorrect password five times, the account gets locked.
Is there any possible way to avoid account locking for the invalid authentication?
Thank u,
Ganesh. K
Your code won't have control over that because this is an Active Directory password policy settings.
Active Directory Account Lockout is controlled by the the Domain Policy, a Group Policy Object (GPO) linked to the domain.
You can change the policy.
Lockouttime can only triggered by the system itself.
You may also un-lock an account by setting the Lockouttime attribute to "0".
Related
I'm trying to access the groups a user is a member of using the Microsoft Graph API.
I'm facing an issue because I think my permissions are set correctly, however, when I sign into the app, I get the message :
AADSTS90093: Calling principal cannot consent due to lack of permissions.
The weird thing is that I'm only asking for this permission scope :
public static String[] ClientScope = { "User.Read", "User.ReadBasic.All", "Group.Read.All"};
What makes me confused is that if I sign in the Microsoft Graph explorer and go to https://graph.microsoft.com/v1.0/me/memberOf ,
I get the correct results.
I got an admin to consent to the permissions I'm asking in the scope of course.
Has anyone encountered that issue ?
Any idea how I should correct that ?
The memberOf API requires one of the following scopes:
Directory.Read.All
Directory.ReadWrite.All
Directory.AccessAsUser.All
Regardless of which of these scopes you choose, they all will require administrative consent before a regular user can authorize them. To do this, you'll first need to have them go through the “Admin Consent” workflow. This workflow requires an administrator but once complete any users of your application will have “admin consent” to the restricted scope.
For example, you would normally you would then authenticate users by redirecting them to
https://login.microsoftonline.com/common/oauth2/authorize?<your params>.
Since this scope requires an Admin however, you fist need to obtain consent by first having an Admin authenticate by redirecting them to
https://login.microsoftonline.com/common/adminconsent?<yours params>.
Once an Admin grants consent, normal users will be able to use OAUTH to authenticate.
If a domain AD user account is hidden * and expired, is there a way to change the password (not reset) in .net / c# ?
The code I have currently is using System.DirectoryServices.AccountManagement and is essentially something like
using (var context = PrincipalContext(ContextType.Domain, server, container)
{
var directoryUser = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, username);
directoryUser.ChangePassword(oldPassword, newPassword);
}
This works OK for users that the application service account can find, but some "hidden" users are in OUs that the application service account does not have read permissions to - and hence this fails with a null user.
I thought I would change it so that the PrincipalContext is established with the username and password of the user themselves (since they will have permissions to find themselves) - but often the account is expired by the time they come to change their password and so the FindByIdentity call fails as invalid credentials since the account is expired..
It's kind of a catch-22 where I can't find the user unless I search as the user, but I can't search as the user since they are expired, and I can only unexpire them by getting them to change their password.
If they have access to a workstation they can change their password using the Windows login controls but how to achieve this same level of functionality in c#?
EDIT1: I'm hoping for a solution that does not involve a service account with read-access to the hidden OUs - that would be difficult to achieve for various organization reasons.
I have a serious problem authenticating my user against AD. I can use the PrincipalContext way or the DirectoryEntry way and check whether login was successful or not. But this is not enough for my case. I need to know why authentication failed(eg: password expiration, account locked, bad password count limit). Is there anyway of achieving this without using native win32 dll's. By the way this may not be a web project all the time. My optimal solution could be a generic one.
Thanks for any help...
You should get the reason for the error in the exception.
Regardles of that you get the information if authentication will fail by using the PrincipalContext members like:
AccountExpirationDate (is the account expired)
AccountLockoutTime (is the account locked)
Enabled (is the account enabled)
IsAccountLockedOut (is the account locked)
PermittedLogonTimes (is the user allowed to login now)
PermittedWorkstations (is the user allowed to login from this client)
I am using .net membership to manage my user roles. Currently users are suspended after a long period of inactivity. Is there a membership api to unsuspend the user?
There is no 'suspension' as such in the Membership Provider; however, there are two properties that will affect the ability of a user to login to the system:
In the MembershipUser class, let's look at:
MembershipUser.IsLockedOut: This property indicates that a user has been locked out of the system by trying to log in with the incorrect password more than the allowed number of times. The web.config would have that number.
Notice that you cannot explicitly lockout a user programmatically. Only a user herself can get locked out by trying incorrect passwords for her account.
MembershipUser.IsApproved: You can approve or disapprove a user and that property will define whether a user can be authenticated or not. This is probably the equivalent to a Suspended user. You simply set the MembershipUser.IsApproved to false and update the user with the MembershipProvider.UpdateUser(MembershipUser) method. Conversely, you would set the property IsApproved to true if you want to allow the user to log in again.
Hopefully, this will clarify the capabilities of the Membership provider, but it is strange to see that a user has been 'suspended' from the system due to inactivity. Are you sure it is not one of the two options discussed above?
If suspend and unsuspend here mean lock/unlock you can try:
MembershipUser user = Membership.GetUser("name");
user.UnlockUser();
System Specs:
Infopath 2007 with c# code-behind
Webservices
Active Directory
I need to get the users name (First Name and Last Name) from active directory but the user appears to not have permissions to read the active directory listings.
What permissions do I need to give the user in order for them to search AD
I am using code like this
SearchResult result;
using (DirectoryEntry de = new DirectoryEntry("LDAP://DC=contoso,DC=com,DC=au"))
{
DirectorySearcher search = new DirectorySearcher(de, (string.Format("(&(objectClass=user)(mailNickname={0}))",this.Application.User.UserName)));
result = search.FindOne();
}
I have considered creating a webservice that gets the information required but that seems like overkill but would get around having to make sure every possible user of the form is required to have the correct permissions
EDIT:
The code that I am trying to execute is infopath code behind. The form itself connects to webservices to retrieve some of its data. as such it is under infopath's security model. The form is fully trusted so it should be fine to execute under the current user context.
My fault for not adding the extra detail.
When you create a new DirectoryEntry without specifying a username and password you're connecting to Active Directory using the credentials of the executing user - in your case probably the local IUSR_...-account on the web server which is the default account used when a new web site is set up in IIS. Because that's a local account you won't be able to access Active Directory.
You have two options:
Create a service account in Active Directory and use that account explicitly, ie DirectoryEntry de = new DirectoryEntry("LDAP://DC=contoso,DC=com,DC=au", "sa-username", "sa-password", AuthenticationTypes.Secure). Of course, passwords in clear text in the code is not a good idea so find a way to encrypt the password.
or
Configure the IIS application pool for your web site (IIS 6+) to run under a domain user account - that way that account is used when connecting to Active Directory.
Any user of the AD should have permissions to browse the AD by default.
You probably just need to change your directory entry to point to the user container like so:
new DirectoryEntry("LDAP://CN=users,DC=contoso,DC=com,DC=au")
Your user container could be another name.
If that does not solve the problem it may be that the application is not actually running as the user. For example, an ASP.NET website would need to be using impersonation in order to query the AD.