I am using the following C# code to connect to active directory and validate the login,
我使用以下C#代码连接到活动目录并验证登录,
DirectoryEntry de = new DirectoryEntry();
string username = "myuser", path = "LDAP://addev2.dev.mycompany.com/CN=myuser,DC=dev,DC=mycompany,DC=com", password = "test";
for (int i = 0; i < 4;i++ )
{
try
{
de.AuthenticationType = AuthenticationTypes.Sealing | AuthenticationTypes.Secure | AuthenticationTypes.FastBind;
de.Username = username;
de.Password = password;
de.Path = path;
//de.RefreshCache();
Object obj = de.NativeObject;
}
catch (Exception ex)
{
Console.WriteLine(ex.Message);
}
this works fine when the password is correct. However when the password is incorrect this shows as 2 invalid attempts in AD. So what happens is when the AD admin allows 5 invalid attempts the user is locked out on the 3rd attempt. when i look in the AD's event log 1 see 2 entries.
这在密码正确时工作正常。但是,如果密码不正确,则在AD中显示为2次无效尝试。那么当AD管理员允许5次无效尝试时,用户在第3次尝试时被锁定,会发生什么。当我查看AD的事件日志1时,看到2个条目。
1)Pre-authentication failed:
2)Logon attempt by:
2)登录尝试:
MICROSOFT_AUTHENTICATION_PACKAGE_V1_0
Logon account: m0707b@dev.mycompany.com
Source Workstation: WKSXXXX
Error Code: 0xC000006A
Stepping thro the code i see 2 event entries on the line
踩到代码,我看到线上的2个事件条目
de.RefreshCache()
I tried using de.NativeObject to see if that would solve the problem. No Dice
我尝试使用de.NativeObject来查看是否可以解决问题。没有骰子
Anyone have any pointers?
任何人有任何指针?
2 个解决方案
#1
You might check out the System.DirectoryServices.AccountManagement namespace. You can access an account and then cast one of the methods it has into a DirectoryEntry object. It might get around your double-authentication problem and it's easier to use.
您可以查看System.DirectoryServices.AccountManagement命名空间。您可以访问一个帐户,然后将其中的一种方法强制转换为DirectoryEntry对象。它可能会解决您的双重身份验证问题,并且更容易使用。
#2
Finally found the answer to this perplexing issue when you use the format username@domain the IIS app uses 2 calls once using Kerebros and when that fails using NTLM causing a double count The fix is to use the following format for authentication domain\username and that fixed the issue. http://support.microsoft.com/kb/264678/EN-US/
当你使用格式username @ domain时,终于找到了这个令人困惑的问题的答案。一旦使用Kerebros,IIS应用程序使用2次调用,并且当使用NTLM失败导致双重计数时修复是使用以下格式进行身份验证域\用户名和解决了这个问题。 http://support.microsoft.com/kb/264678/EN-US/
#1
You might check out the System.DirectoryServices.AccountManagement namespace. You can access an account and then cast one of the methods it has into a DirectoryEntry object. It might get around your double-authentication problem and it's easier to use.
您可以查看System.DirectoryServices.AccountManagement命名空间。您可以访问一个帐户,然后将其中的一种方法强制转换为DirectoryEntry对象。它可能会解决您的双重身份验证问题,并且更容易使用。
#2
Finally found the answer to this perplexing issue when you use the format username@domain the IIS app uses 2 calls once using Kerebros and when that fails using NTLM causing a double count The fix is to use the following format for authentication domain\username and that fixed the issue. http://support.microsoft.com/kb/264678/EN-US/
当你使用格式username @ domain时,终于找到了这个令人困惑的问题的答案。一旦使用Kerebros,IIS应用程序使用2次调用,并且当使用NTLM失败导致双重计数时修复是使用以下格式进行身份验证域\用户名和解决了这个问题。 http://support.microsoft.com/kb/264678/EN-US/