LDAP Bind allowing incorrect (non-blank) password - active-directory

We have a customer's AD system that we authenticate users against using LDAP, specifically by doing a bind using their username and password. Depending on how the username is structured, the results of an incorrect password are different. If we include the domain name in the username then ANY password will return an authenticated result. I've pasted some results using LDP.exe for each of the scenarios:
Bind with myusername & invalid (non blank) password:
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='[username]'; Pwd= <unavailable>; domain = 'DC=[domain],DC=co,DC=uk'.}
Error <49>: ldap_bind_s() failed: Invalid Credentials.
Server error: 8009030C: LdapErr: DSID-0C090585, comment: AcceptSecurityContext error, data 52e, v4563
Bind with myusername@domain.org & invalid (non blank) password:
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, 1158); // v.3
{NtAuthIdentity: User='[myusername@domain.org]'; Pwd= <unavailable>; domain = 'DC=[domain],DC=co,DC=uk'.}
Authenticated as dn:'[username@domain.org]'.
What I have noticed is that the user's full username is username@domain.org and the domain provided to LDAP is DC=domain,DC=co,DC=uk; not sure if this would make a difference?
Does anyone have any ideas on what may be causing this and whether there is some sort of setup somewhere that needs addressing?
Cheers.

Is the Guest account enabled on the domain? If so, any random credentials will work. It will only tell you that the password is incorrect if you use a valid username.
When you use the myusername format, it must match the sAMAccountName attribute on the account. If you use the myusername@domain.org format, it must match the userPrincipalName on the account - so it's possible that myusername@domain.org is not really the userPrincipalName of your account.
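The pattern that bites here is handing whatever the user typed straight to ldap_bind. Two inputs then "authenticate" without a valid password: an empty password, which LDAP treats as an anonymous bind (the reason the question title says "non-blank"), and an unknown username, which the answer above explains lands on the Guest account when Guest is enabled. The script below is an added example written for this page, not code from the question or answer. It resolves the login to exactly one account with a separate read-only lookup credential before binding as that account's DN over LDAPS, so neither bypass can occur. The DC name dc01.domain.co.uk, the base DN, the lookup account, the function names and the port are assumptions; it needs Windows PowerShell 5.1 or later on a host that trusts the DC's certificate.

```powershell
# Added example, not from the original post. Assumed environment: DC dc01.domain.co.uk
# on LDAPS 636, base DN DC=domain,DC=co,DC=uk, and a read-only lookup account given as
# a UPN (svc-lookup@domain.co.uk) in $svcCred. All names are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-LdapFilterValue {
    # RFC 4515 escaping so a login such as "x*)(sAMAccountName=*" cannot widen the search.
    param([string] $Value)
    $Value.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29').Replace("`0", '\00')
}

function Test-AdUserPassword {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $BaseDn,
        [Parameter(Mandatory)] [pscredential] $LookupCredential,
        [Parameter(Mandatory)] [string] $Login,      # sAMAccountName or user@domain.org
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Password
    )

    # 1. An empty password turns a simple bind into an anonymous bind, which "succeeds"
    #    for any name. Refuse it before touching the network.
    if ([string]::IsNullOrEmpty($Password)) { return $false }

    $id = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 636)

    # 2. Resolve the login to exactly one account with the lookup credential. An unknown
    #    login is rejected here, so it can never fall through to the Guest account.
    #    objectClass=user also matches computer accounts (sAMAccountName host$).
    $lookup = [System.DirectoryServices.Protocols.LdapConnection]::new(
        $id, $LookupCredential.GetNetworkCredential(), 'Basic')
    $lookup.SessionOptions.SecureSocketLayer = $true
    $lookup.SessionOptions.ProtocolVersion = 3
    $userDn = $null
    try {
        $lookup.Bind()
        $v = ConvertTo-LdapFilterValue $Login
        $filter = "(&(objectClass=user)(|(sAMAccountName=$v)(userPrincipalName=$v)))"
        $req = [System.DirectoryServices.Protocols.SearchRequest]::new(
            $BaseDn, $filter, 'Subtree', [string[]]@('distinguishedName'))
        $res = $lookup.SendRequest($req)
        if ($res.Entries.Count -ne 1) { return $false }
        $userDn = $res.Entries[0].DistinguishedName
    } finally { $lookup.Dispose() }

    # 3. Bind as that DN with the supplied password over LDAPS. Result 49 (the "data 52e"
    #    seen in the ldp.exe output) is a wrong password and becomes $false; anything
    #    else (server down, account locked, etc.) is left for the caller to see.
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new(
        $id, [System.Net.NetworkCredential]::new($userDn, $Password), 'Basic')
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion = 3
    try { $conn.Bind(); return $true }
    catch [System.DirectoryServices.Protocols.LdapException] {
        if ($_.Exception.ErrorCode -eq 49) { return $false }
        throw
    } finally { $conn.Dispose() }
}

$svcCred = Get-Credential -Message 'Read-only lookup account (svc-lookup@domain.co.uk)'
Test-AdUserPassword -Server 'dc01.domain.co.uk' -BaseDn 'DC=domain,DC=co,DC=uk' `
    -LookupCredential $svcCred -Login 'myusername@domain.org' -Password (Read-Host 'Password')
```

Because the second bind uses the DN found in step 2, the question of whether the typed name is a sAMAccountName or a userPrincipalName is settled by the search rather than by the DC's logon fallback, and a login that matches no account (or more than one) is rejected without any bind at all.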

Related

Can't add 'otherMails' with Graph-Tester

I am trying to add another email address to a User.
PATCH https://graph.microsoft.com/v1.0/users/user@domain.de
Body:
{
"givenName":"Meier",
"surname":"Meeier",
"otherMails":["emaissssl@domain.de"]
}
Response: Success - Statuscode 204
The result is givenName changed to Meier, surname changed to Meeier, but the email doesn't get added to otherMails[].
A related question is, can I change the primary address of the User?
Edit: I get the same behavior if I also include the current address:
{
"givenName": "Meier",
"surname": "Meeier",
"otherMails": ["user@domain.de", "emaissssl@domain.de"]
}
You need specific permissions in AAD to update otherMails. From the documentation:
Updating another user's businessPhones, mobilePhone, or otherMails property is only allowed on users who are non-administrators or assigned one of the following roles: Directory Readers, Guest Inviter, Message Center Reader, and Reports Reader. For more details, see Helpdesk (Password) Administrator in Azure AD available roles. This is the case for apps granted either the User.ReadWrite.All or Directory.ReadWrite.All delegated or application permissions.
The wording is a little poor but basically, if the User record you are updating is an Administrator or assigned any of the mentioned roles (Directory Readers, Guest Inviter, Message Center Reader, or Reports Reader), it will ignore the change request.
As for changing the primary email address, that isn't possible. The primary email address is automatically constructed based on the mailNickname and the default domain for the tenant (mailNickname@default.dom).
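The 204 in the question is the trap: Graph acknowledges the request and silently drops the otherMails change when the target holds one of the roles the answer lists. The function below is an added example for this page (not the asker's request or Microsoft's code) that checks the target's directory roles first, sends the full collection (a PATCH replaces otherMails wholesale rather than appending), and then reads the user back to confirm the write actually landed. It assumes the Microsoft.Graph.Authentication module (Connect-MgGraph, Invoke-MgGraphRequest); the user user@domain.de, the address second@domain.de and the function name are placeholders.

```powershell
# Added example, not from the original question or answer. Requires the
# Microsoft.Graph.Authentication module; all user names and addresses are placeholders.
Connect-MgGraph -Scopes 'User.ReadWrite.All', 'Directory.Read.All'

function Add-OtherMail {
    param(
        [Parameter(Mandatory)] [string] $UserPrincipalName,
        [Parameter(Mandatory)] [string] $Address
    )
    $userUri = "https://graph.microsoft.com/v1.0/users/$UserPrincipalName"

    # 1. otherMails changes are silently ignored for users holding a directory role,
    #    so look before writing. The OData cast limits memberOf to directoryRole objects.
    $roles = Invoke-MgGraphRequest -Method GET `
        -Uri "$userUri/memberOf/microsoft.graph.directoryRole?`$select=displayName"
    if ($roles.value.Count -gt 0) {
        throw "$UserPrincipalName holds directory role(s): $($roles.value.displayName -join ', '); " +
              "Graph will not update otherMails for this account."
    }

    # 2. otherMails is a collection and PATCH replaces it as a whole, so read the
    #    current list and send it back with the new address appended.
    $current = (Invoke-MgGraphRequest -Method GET -Uri "${userUri}?`$select=otherMails").otherMails
    if ($current -contains $Address) { return $current }
    $desired = @($current | Where-Object { $_ }) + $Address

    Invoke-MgGraphRequest -Method PATCH -Uri $userUri `
        -Body @{ otherMails = $desired } -ContentType 'application/json' | Out-Null

    # 3. 204 No Content only means the request was accepted. Re-read and compare;
    #    this is how the silent drop described in the question is caught.
    $after = (Invoke-MgGraphRequest -Method GET -Uri "${userUri}?`$select=otherMails").otherMails
    if ($after -notcontains $Address) {
        throw "PATCH returned success but $Address is not in otherMails for $UserPrincipalName."
    }
    return $after
}

Add-OtherMail -UserPrincipalName 'user@domain.de' -Address 'second@domain.de'
```

The role check uses the same membership data the caller can read with Directory.Read.All; if the tenant restricts that, drop step 1 and rely on the read-back in step 3, which is the check that matters.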

Is there any way to validate given password is valid with computer object created in AD?

I just created a computer object in Active Directory. I set the password for the computer object using the SetPassword command. How can we verify the password for the computer object or authenticate with that password? Is there any way to validate that the password is valid for that computer?
Validating a computer account password can be done in the same way as user passwords. Computer accounts also have a username SamAccountName.
I'm not sure how to provide an example as you have not specified any programming platform, but for the sake of it here is an example using C# and the System.DirectoryServices.AccountManagement namespace.
using System;
using System.DirectoryServices.AccountManagement;

string password = "securepassword";
// Bind to the current domain with the caller's own credentials.
using (PrincipalContext context = new PrincipalContext(ContextType.Domain))
// "Temp1" is the computer's name; its logon name (SamAccountName) is "Temp1$".
using (ComputerPrincipal computer = ComputerPrincipal.FindByIdentity(context, "Temp1"))
{
    computer.SetPassword(password);
    // ValidateCredentials performs a real logon with the account's SamAccountName, trailing '$' included.
    Console.WriteLine(context.ValidateCredentials(computer.SamAccountName, string.Empty).ToString()); // Returns False
    Console.WriteLine(context.ValidateCredentials(computer.SamAccountName, password).ToString()); //Returns True
}

ValidateCredentials LDAP server unavailable

Currently I am using the PrincipalContext class to call the ValidateCredentials method to check user credentials. It was working fine with our 2 environments until a rather 'strange' error occurred.
var configuration = ConfigurationManager.GetSection("PrincipalContextConfiguration") as PrincipalContextConfigurationSection;
var principalContext = new PrincipalContext(configuration.ContextType, configuration.Name, configuration.Container);
principalContext.ValidateCredentials(userName, password);
configuration.ContextType = "Domain"
configuration.Name = "example.local"
configuration.Container = "CN=Users,DC=example,DC=local"
Above is a sample of our current code, simplified for easier viewing. As above, every time we need to validate a credential, we create a new PrincipalContext.
The error that we have is this: validate credential works fine if we provide a valid username and password. But for a specific machine, whenever an invalid username and password is supplied, an exception is thrown with the message "LDAP server is unavailable".
Could anyone point me to where I should start to find the root cause of this? It is strange to us that the method only throws that exception when the username and password are incorrect. We verified this by using PowerShell to call the method.
And I am not that expert in AD. Thanks.
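A common cause of exactly this symptom (a diagnosis the thread itself does not confirm): PrincipalContext.ValidateCredentials first tries a Negotiate (Kerberos/NTLM) bind, and when that is rejected it retries with a simple bind over SSL on port 636. Good credentials never reach the retry, so they work everywhere; bad credentials trigger the LDAPS attempt, and on a machine that cannot reach port 636 on the DC that attempt fails with "The LDAP server is unavailable" (LDAP result 81) instead of "invalid credentials" (49). The script below is an added diagnostic for this page, not the asker's code: it checks whether 389 and 636 are reachable and then performs the two binds separately so the failing leg is visible. The DC dc01.example.local, the account EXAMPLE\alice and the function names are placeholders.

```powershell
# Added diagnostic, not from the original question. Assumes DC dc01.example.local
# and a test account EXAMPLE\alice; both are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-TcpPort {
    param([string] $ComputerName, [int] $Port, [int] $TimeoutMs = 3000)
    $client = [System.Net.Sockets.TcpClient]::new()
    try {
        $ok = $client.ConnectAsync($ComputerName, $Port).Wait($TimeoutMs)
        return ($ok -and $client.Connected)
    } catch { return $false }
    finally { $client.Close() }
}

function Test-LdapBind {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $UserName,    # DOMAIN\user or user@upn.suffix
        [Parameter(Mandatory)] [string] $Password,
        [ValidateSet('Negotiate', 'Basic')] [string] $AuthType = 'Negotiate',
        [switch] $UseSsl
    )
    $port = if ($UseSsl) { 636 } else { 389 }
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, $port)
    $cred = [System.Net.NetworkCredential]::new($UserName, $Password)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id, $cred, $AuthType)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = [bool]$UseSsl
    try {
        $conn.Bind()
        return 'Authenticated'
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # 49 = invalidCredentials; 81 = serverDown, the code behind
        # "The LDAP server is unavailable".
        switch ($_.Exception.ErrorCode) {
            49      { return 'InvalidCredentials' }
            81      { return 'ServerUnavailable' }
            default { return "LdapError $($_.Exception.ErrorCode): $($_.Exception.Message)" }
        }
    } finally { $conn.Dispose() }
}

$dc = 'dc01.example.local'
foreach ($p in 389, 636) { '{0}:{1} reachable: {2}' -f $dc, $p, (Test-TcpPort $dc $p) }

$pw = Read-Host 'Password for EXAMPLE\alice'
# Leg 1: what ValidateCredentials does first. Good credentials stop here.
Test-LdapBind -Server $dc -UserName 'EXAMPLE\alice' -Password $pw
# Leg 2: the retry it makes after a rejection. With 636 blocked this returns
# ServerUnavailable for a wrong password instead of InvalidCredentials.
Test-LdapBind -Server $dc -UserName 'EXAMPLE\alice' -Password 'deliberately-wrong' -AuthType Basic -UseSsl
```

If leg 2 reports ServerUnavailable while 389 is reachable and 636 is not, the fix is on the network or certificate side of that one machine (or on the DC's LDAPS listener), not in the calling code. Note that leg 2 is also a reminder of why the fallback matters: a simple bind without SSL would put the password on the wire in clear text, which is why ValidateCredentials only attempts it with SSL.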

logon to specific OU using Directoryservices

I'm having trouble logging in to a specific OU in my ConsoleApp. I guess my LDAP string is incorrect somehow; these are some output samples from my Test-App.
This works fine
Path: LDAP://my.domain User: DOMAIN\user Pass: mypass
DOMAIN\user = Authenticated
But none of these
Path: LDAP://my.domain, ou=myou, dc=my, dc=domain User: user Pass: mypass
Path: LDAP://my.domain/ou=myou User: user Pass: mypass
Path: LDAP://my.domain/ou=myou User: DOMAIN\user Pass: mypass
They work in VBS though... am I getting something all wrong, or is it the AD guys that have to do something with my account? All I get is unknown user or wrong password.
They all work if I leave out the "ou" part; connecting to my.domain is a breeze.
Regards
Your LDAP path should be something like:
LDAP://servername/ou=MyOU,dc=my,dc=domain
(you need to provide the server name that you want to use as DC - as your Domain Controller)
or:
LDAP://ou=MyOU,dc=my,dc=domain (for server-less binding)
You cannot specify a username/password to use right in the LDAP string. If you need that, you'll need to find another way to provide those credentials (like picking the right overloaded constructor for DirectoryEntry which allows you to specify a username/password to use for connecting to AD).
Update:
I think you should change your code to work like this:
using System.DirectoryServices;

string adPath = "LDAP://ou=myou,dc=my,dc=domain"; // server-less path: the DN follows LDAP:// directly
string adUser = "myuser";
string adPass = "mypass";
// you might need to play around with the "AuthenticationTypes" to get it to work
// (AuthenticationTypes.None is a simple bind: the password travels in clear text over port 389)
DirectoryEntry entry = new DirectoryEntry(adPath, adUser, adPass, AuthenticationTypes.None);
DirectorySearcher searcher = new DirectorySearcher(entry);
searcher.Filter = @"(objectClass=Person)";
SearchResult result = searcher.FindOne(); // the bind only happens when something is actually read
I'm not sure if an LDAP string like this will work:
string adPath = "LDAP://my.domain/ou=myou,dc=my,dc=domain";
I vaguely remember I had to use a server name (not a domain name) to get this to work - something like this:
string adPath = "LDAP://dc01.my.domain/ou=myou,dc=my,dc=domain";
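Two points from the exchange above deserve a working demonstration: the OU must be written as a DN after the slash of a server-qualified path (LDAP://dc01.my.domain/ou=myou,dc=my,dc=domain), and binding to an OU path does not by itself restrict who can log on, because the credentials are checked by the domain, not by the OU. The function below is an added example for this page (not the asker's or the answerer's code): it binds to the OU with an authenticated (Secure, sealed) bind rather than AuthenticationTypes.None, forces the otherwise lazy bind so a bad password fails immediately, and then searches the OU subtree for the user's own account so that only accounts living under that OU are accepted. dc01.my.domain, the OU, DOMAIN\user and the function name are placeholders.

```powershell
# Added example, not from the original thread. Assumes DC dc01.my.domain and the
# OU "ou=myou,dc=my,dc=domain"; all names are placeholders.
Add-Type -AssemblyName System.DirectoryServices

function Connect-AdOu {
    param(
        [Parameter(Mandatory)] [string] $Server,    # a DC host name, e.g. dc01.my.domain
        [Parameter(Mandatory)] [string] $OuDn,      # e.g. 'ou=myou,dc=my,dc=domain'
        [Parameter(Mandatory)] [string] $UserName,  # DOMAIN\user or user@my.domain
        [Parameter(Mandatory)] [string] $Password
    )
    # Server-qualified ADsPath: LDAP://<server>/<DN>. The DN sits after the slash,
    # never comma-separated behind the host as in "LDAP://my.domain, ou=myou, ...".
    $path = "LDAP://$Server/$OuDn"

    # Secure = Kerberos/NTLM bind; Sealing encrypts the traffic. AuthenticationTypes.None
    # would be a simple bind with the password sent in clear text on port 389.
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
            [System.DirectoryServices.AuthenticationTypes]::Sealing
    $entry = [System.DirectoryServices.DirectoryEntry]::new($path, $UserName, $Password, $auth)
    try {
        # DirectoryEntry binds lazily; touching NativeObject forces the bind so wrong
        # credentials or a bad path surface here as a COMException, not later.
        $null = $entry.NativeObject

        # The bind succeeded for any domain account. To "log on to this OU" in the
        # sense of admitting only its members, look the account up under the OU.
        $login = if ($UserName -match '\\') { $UserName.Split('\')[-1] } else { $UserName }
        $esc   = $login.Replace('\', '\5c').Replace('*', '\2a').Replace('(', '\28').Replace(')', '\29')
        $searcher = [System.DirectoryServices.DirectorySearcher]::new(
            $entry, "(&(objectClass=user)(|(sAMAccountName=$esc)(userPrincipalName=$esc)))")
        $searcher.SearchScope = 'Subtree'
        $hit = $searcher.FindOne()
        if ($null -eq $hit) { throw "$UserName authenticated but is not located under $OuDn" }
        return $hit.Path
    } catch [System.Runtime.InteropServices.COMException] {
        throw "Bind to $path as $UserName failed: $($_.Exception.Message)"
    } finally { $entry.Dispose() }
}

Connect-AdOu -Server 'dc01.my.domain' -OuDn 'ou=myou,dc=my,dc=domain' `
    -UserName 'DOMAIN\user' -Password (Read-Host 'Password')
```

The returned path is the user object's own ADsPath under the OU; a domain account that authenticates fine but lives elsewhere is rejected by the search, which is the behaviour people usually mean by "logon to a specific OU".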

What "domain" should I specify in JNDI login to an Active Directory Server?

I'm wondering what "principal" I should specify to log in to an Active Directory server. Should the principal be a user inside the AD I try to log into? Or can it be a user in the domain I specify, as long as the user has privileges to access the AD?
I tried both, with credentials error 49. But I can log in to the AD with ldp.exe by using the Administrator account of the server that AD is installed on.
Here is my code. Many thanks for any prompt help.
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

Hashtable<String, String> env = new Hashtable<String, String>(11);
env.put(Context.SECURITY_AUTHENTICATION, "simple"); // Also tried none w/ the same error
// What principal should I use??
env.put(Context.SECURITY_PRINCIPAL, "CN=Ross,OU=Eng,DC=RossInc"); // User
//env.put(Context.SECURITY_PRINCIPAL, user + "@" + domain); // Tried w/ the same error
env.put(Context.SECURITY_CREDENTIALS, "ross"); // Password
env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
env.put(Context.PROVIDER_URL, "ldap://myserver:389/DC=RossInc");
DirContext ctx = new InitialDirContext(env); // Fails with AuthenticationException: [LDAP: error code 49 - 8009030C
You can provide either:
NT-style login name
Kerberos UPN (implicit UPN)
explicit UPN (if additional UPN suffixes have been defined)
Moreover, NEVER ever perform a simple bind! Either Digest or GSS-API.
According to the following example from the Oracle site, the security principal is a distinguished name.
Here is some code working for me from a computer inside the domain:
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.DirContext;
import javax.naming.directory.InitialDirContext;

Hashtable<String, String> ldapEnv = new Hashtable<String, String>(11);
ldapEnv.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
ldapEnv.put(Context.PROVIDER_URL, "ldap://societe.fr:389");
ldapEnv.put(Context.SECURITY_AUTHENTICATION, "simple"); // simple bind: password sent in clear text on port 389
ldapEnv.put(Context.SECURITY_PRINCIPAL, "cn=administrateur,cn=users,dc=societe,dc=fr"); // full DN as principal
ldapEnv.put(Context.SECURITY_CREDENTIALS, "test.2011");
DirContext ldapContext = new InitialDirContext(ldapEnv);
The principal can be a user inside the AD as long as he has privileges to access the AD.
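The two answers above pull in different directions: the first says the name can be NT-style or a UPN and that a simple bind should never be used, the second shows a full DN working with a simple bind. Both are right about what AD accepts; what decides the choice is the bind mechanism. A DN is only usable with a simple bind, which sends the password in clear text unless the connection is TLS-protected, while the NT-style and UPN forms work with GSS-API (Kerberos), where the password never leaves the client. The script below is an added example for this page, not the asker's Java or the answerers' code: it binds with Kerberos, turns on signing and sealing, and then asks the DC who it is bound as with the RFC 4532 "Who am I?" extended operation, so you can see that both name forms land on the same account. The DC dc01.rossinc.local, the realm ROSSINC, the account ross and the function name are placeholders.

```powershell
# Added example, not from the original answers. Assumes DC dc01.rossinc.local,
# NetBIOS domain ROSSINC, UPN suffix rossinc.local and a user "ross"; all placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapBoundIdentity {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [string] $Principal,   # ROSSINC\ross or ross@rossinc.local
        [Parameter(Mandatory)] [string] $Password
    )
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 389)
    $cred = [System.Net.NetworkCredential]::new($Principal, $Password)
    # Kerberos (GSS-API) instead of a simple bind: the password is never sent to the DC,
    # and signing + sealing protect the rest of the session even on plain port 389.
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id, $cred, 'Kerberos')
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $true
    $conn.SessionOptions.Sealing = $true
    try {
        $conn.Bind()
        # RFC 4532 "Who am I?" extended operation; AD replies "u:DOMAIN\sAMAccountName".
        $req  = [System.DirectoryServices.Protocols.ExtendedRequest]::new('1.3.6.1.4.1.4203.1.11.3')
        $resp = $conn.SendRequest($req)
        return [System.Text.Encoding]::UTF8.GetString($resp.ResponseValue)
    } finally { $conn.Dispose() }
}

$pw = Read-Host 'Password for ross'
# Both forms name the same account. The DN form (CN=Ross,OU=Eng,DC=RossInc) is not a
# Kerberos principal and would only work with a simple bind, which is why it is absent here.
foreach ($p in 'ROSSINC\ross', 'ross@rossinc.local') {
    '{0,-20} -> {1}' -f $p, (Get-LdapBoundIdentity -Server 'dc01.rossinc.local' -Principal $p -Password $pw)
}
```

If the client is not domain-joined or cannot reach a KDC, replace 'Kerberos' with 'Negotiate' (which falls back to NTLM); if a simple bind is unavoidable, run it over LDAPS (port 636 with SecureSocketLayer) so the DN-and-password form at least travels encrypted.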
