I'm trying to validate an AD user using the following code:
using (var de = new DirectoryEntry($"LDAP://{domainTxt.Text}", usernameTxt.Text, passwordTxt.Text))
{
    var nO = de.NativeObject; // verify credentials
}
When calling de.NativeObject and the password is incorrect, the bad password attempt count increases by 2 instead of 1.
Using this PowerShell command to check the count:
C:\Users\administrator> Get-ADUser -Filter {userprincipalname -eq "[email protected]"} -Properties badPwdCount
I found out that the reason for this is that DirectoryEntry uses AuthenticationTypes.Secure by default, which is fair enough, that's what I need actually. If I change it to anything else, the bad password count increases by one as expected.
Does anyone know how I can get around this issue?
I don't know for sure why, but the documentation for AuthenticationTypes.Secure says:
Active Directory Domain Services uses Kerberos, and possibly NTLM, to authenticate the client.
That could mean that when one method fails for whatever reason, it tries again with the other. You might be able to see this by monitoring network traffic with something like Wireshark.
A way to work around this might be to use LdapConnection to validate the credentials (if that's all you need the connection to LDAP for). There's a good example of that in another answer here. It has the added benefit of telling you why the validation failed.
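The LdapConnection approach the answer refers to, written out as an added example (not code from the question or the answer): a single Bind() either succeeds or throws an LdapException, and the exception's ServerErrorMessage carries the directory's explanation of the failure. The class name, the method name and the "dc01.example.local" server name are placeholders chosen for this example.

```csharp
using System;
using System.Net;
using System.DirectoryServices.Protocols;

// Added example: validate AD credentials with one LDAP bind instead of
// DirectoryEntry.NativeObject. Requires a reference to
// System.DirectoryServices.Protocols.
public static class LdapCredentialCheck
{
    // Returns true when the bind succeeds; otherwise returns false and
    // fills "reason" with the server's error text.
    public static bool Validate(string server, string userPrincipalName,
                                string password, out string reason)
    {
        reason = null;
        var identifier = new LdapDirectoryIdentifier(server, 389);

        using (var conn = new LdapConnection(identifier))
        {
            conn.SessionOptions.ProtocolVersion = 3;

            // Negotiate selects Kerberos and may fall back to NTLM, much like
            // AuthenticationTypes.Secure. AuthType.Kerberos rules out the
            // fallback if a single mechanism is wanted.
            conn.AuthType = AuthType.Negotiate;
            conn.Credential = new NetworkCredential(userPrincipalName, password);

            try
            {
                conn.Bind(); // one authentication attempt against the DC
                return true;
            }
            catch (LdapException ex)
            {
                // ErrorCode 49 is "invalid credentials"; for a simple bind the
                // ServerErrorMessage also includes an AD "data" code such as
                // 52e (bad password) or 775 (account locked).
                reason = $"{ex.ErrorCode}: {ex.Message} {ex.ServerErrorMessage}";
                return false;
            }
        }
    }

    public static void Main()
    {
        // "dc01.example.local" is a placeholder domain controller.
        bool ok = Validate("dc01.example.local", "[email protected]",
                           "not-the-real-password", out string why);
        Console.WriteLine(ok ? "valid" : $"invalid: {why}");
    }
}
```

Because Bind() is issued once, a wrong password produces exactly one failed authentication at the DC, which is what the question's badPwdCount check should then reflect. Wrapping the connection in `using` also makes sure the session is closed rather than left open until garbage collection.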