Tags: wcf, authentication, active-directory, user-accounts

Implementing ActiveDirectory account lockout after n tries in WCF


I am developing a WCF service which can be consumed by mobile applications to authenticate users against the corporate extranet Active Directory. I am using a customized version of this implementation from Microsoft. I need to implement the account lockout logic so that after n retries the account in Active Directory gets locked out.

I tried a stateful WCF service to keep track of the failed logins. But the client can start over in the next session and continue the attack.

I know that the Active Directory policy can be set to enforce this, but just querying AD (like the Microsoft solution does to authenticate the user) does not lock out the user.

So, I am looking for a solution that works like logging in to Windows with an incorrect password n times: the account gets locked out as per the policy set in AD.


Solution

  • There are basically two ways of doing this:

    • You continue with the directory search method you are using, but track the number of failed logins for each user in a custom database, and check this database before doing the directory search.
    • Use the Windows login instead, and rely on AD to lock out the user. For a description of how to do this, check: Active Directory (LDAP) - Check account locked out / Password expired

    Edit

    After seeing marc_s's comment, I am unsure whether doing the directory search will lock out or not. It would actually be a serious security hole if you could try an infinite number of times. But you would need an account that is allowed to query AD before you could use it.

    The code you linked to had this line:

    // reading NativeObject forces the bind with the supplied credentials
    object obj = entry.NativeObject;

    which was there to force authentication. Have you included this line?
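The second option in the answer (let AD do the counting) can be shown end to end. The following C# is an added example and is not code from the question, the answer, or the linked Microsoft sample: instead of a DirectoryEntry whose NativeObject is read, it performs an LDAP bind over LDAPS with System.DirectoryServices.Protocols using the credentials of the user being authenticated, so every wrong password is a failed logon that the domain controller itself counts against the lockout threshold. The server name and domain passed to Authenticate are hypothetical; the hex reason codes in the bind error text (525, 52e, 532, 533, 701, 773, 775) are the standard values AD returns for a failed bind.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Globalization;
using System.Net;
using System.Text.RegularExpressions;

// Outcome of a logon attempt, derived from the DC's bind response.
public enum AdLogonResult
{
    Success, InvalidCredentials, LockedOut, PasswordExpired,
    MustChangePassword, AccountDisabled, AccountExpired, UserNotFound, Other
}

public static class AdAuthenticator
{
    // AD puts the real reason in the bind error text, e.g.
    // "80090308: LdapErr: DSID-0C09030B, comment: AcceptSecurityContext error, data 775, v1db1"
    private static readonly Regex DataCode =
        new Regex(@"data ([0-9a-fA-F]+)", RegexOptions.Compiled);

    // Binds to the DC as the user being authenticated (NOT as the service
    // account that is allowed to search the directory). A failed bind is a
    // failed logon from AD's point of view: the DC increments badPwdCount and
    // locks the account once the domain lockout threshold is reached, so the
    // WCF service keeps no state and a new session does not reset the count.
    // server/domain are hypothetical values, e.g. "dc01.extranet.example" / "EXTRANET".
    public static AdLogonResult Authenticate(string server, string domain,
                                             string userName, string password)
    {
        // An LDAP simple bind with an empty password is an *anonymous* bind,
        // which succeeds for any user name. Reject it before touching the DC.
        if (string.IsNullOrEmpty(userName) || string.IsNullOrEmpty(password))
            return AdLogonResult.InvalidCredentials;

        // LDAPS on 636 so the simple bind never sends the password in clear text.
        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(server, 636)))
        {
            conn.SessionOptions.SecureSocketLayer = true;
            conn.SessionOptions.ProtocolVersion = 3;
            conn.AuthType = AuthType.Basic;   // simple bind: the DC returns the "data ..." reason codes
            conn.Credential = new NetworkCredential(domain + "\\" + userName, password);
            try
            {
                conn.Bind();                  // the DC validates the password and applies its lockout policy
                return AdLogonResult.Success;
            }
            catch (LdapException ex)
            {
                return Classify(ex);
            }
        }
    }

    // Maps the AcceptSecurityContext sub-code to an outcome. Only LockedOut,
    // PasswordExpired and MustChangePassword are worth telling the client
    // apart; report the rest to the caller as one generic failure so the
    // service cannot be used to enumerate valid user names.
    public static AdLogonResult Classify(LdapException ex)
    {
        if (ex.ErrorCode != 49)               // 49 = LDAP invalidCredentials
            return AdLogonResult.Other;
        var m = DataCode.Match(ex.ServerErrorMessage ?? string.Empty);
        if (!m.Success)
            return AdLogonResult.InvalidCredentials;
        switch (int.Parse(m.Groups[1].Value, NumberStyles.HexNumber))
        {
            case 0x525: return AdLogonResult.UserNotFound;
            case 0x52e: return AdLogonResult.InvalidCredentials;
            case 0x532: return AdLogonResult.PasswordExpired;
            case 0x533: return AdLogonResult.AccountDisabled;
            case 0x701: return AdLogonResult.AccountExpired;
            case 0x773: return AdLogonResult.MustChangePassword;
            case 0x775: return AdLogonResult.LockedOut;   // returned even when the password is right
            default:    return AdLogonResult.InvalidCredentials;
        }
    }
}
```

Two checks before relying on this: the lockout only happens if the domain (or a fine-grained password policy that applies to the user) actually has a lockout threshold greater than zero, and bad-password attempts are forwarded to the PDC emulator, so the count is consistent across DCs even though the service may bind to different ones. Once an account is locked, a bind with the correct password also fails with data 775, so the service should surface LockedOut rather than InvalidCredentials to avoid confusing legitimate users; everything else should collapse to a single generic error in the WCF fault returned to the mobile client.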