
ActiveDirectoryMembershipProvider.ValidateUser Method

Verifies that the specified user name and password exist in the Active Directory data store.

Namespace: System.Web.Security
Assembly: System.Web (in system.web.dll)

public override bool ValidateUser (
	string username,
	string password
)
public boolean ValidateUser (
	String username, 
	String password
)
public override function ValidateUser (
	username : String, 
	password : String
) : boolean

Parameters

username

The name of the user to validate.

password

The password for the specified user.

Return Value

true if the specified username and password are valid; otherwise, false. If the user specified does not exist in the Active Directory data store, the ValidateUser method returns false.

Exception type: InvalidOperationException

Condition: The ValidateUser method is called before the ActiveDirectoryMembershipProvider instance is initialized.

This method is called by the Membership class to validate user credentials against the Active Directory data store.

If the EnablePasswordReset property is true and the supplied credentials are valid, the user's tracking counters for bad password answers are reset.

The ValidateUser method may return false when the correct credentials are supplied, under the following circumstances:

  1. The user account was locked out by the directory server because of too many failed logon attempts. The user will not be able to log on until the directory's lockout duration passes.

  2. If the EnablePasswordReset property is true, the user account will be locked if the user supplied a bad password answer too many times. The user's account will unlock after the time specified in the PasswordAnswerAttemptLockoutDuration property has passed.

  3. Valid credentials are supplied for a user account located in a different container or in a different domain. The user must exist in the container specified in the connection string.

When validating a user, the provider validates the credentials by connecting to the Active Directory data store using the specified user name and password, not the credentials configured in the application configuration file.

However, the ActiveDirectoryMembershipProvider instance will connect to the directory using the configured credentials for the following reasons.

  • To confirm that a user exists within the search scope as determined by the ActiveDirectoryMembershipProvider instance's connection string. The provider uses a subtree search starting at the search point specified in the connection string to determine whether a user exists. The user must exist in the specified container. Credentials that are valid outside the connection string's specified container will not be validated. See the ActiveDirectoryMembershipProvider class topic for more information about connection strings.

  • If the EnablePasswordReset property is true, the ActiveDirectoryMembershipProvider instance will use the configured credentials to load the user instance to check whether the user has been locked out because he or she has made too many failed attempts to change the password answer.

Security Note:

Connecting to an Active Directory domain controller with the "Guest" account enabled is a potential security threat. All validation attempts made on an Active Directory domain controller with the "Guest" account enabled will succeed. To improve security when using an Active Directory domain controller, you should disable the "Guest" account on the domain controller.

The ActiveDirectoryMembershipProvider instance will attempt a concurrent bind against Active Directory when one of the following conditions is met:

  • The CurrentConnectionProtection property is set to None.

  • The CurrentConnectionProtection property is set to SignAndSeal and SSL is chosen by the ActiveDirectoryMembershipProvider instance to secure the connection.

In addition, for a concurrent bind to be made, the following conditions must be true:

  • The directory server must be running on Windows Server 2003.

  • The operating system of the Web server running the ActiveDirectoryMembershipProvider instance must support concurrent binds (for example, Windows Server 2003).

When a concurrent bind is used, the last logon date for the user is not updated in the directory; therefore, the LastLoginDate property cannot be relied on.

Leading and trailing spaces are trimmed from the username parameter.
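The following is an added example, not code from the original page, showing one way an application might wrap ValidateUser so that a false return caused by a locked-out account (conditions 1 and 2 above) is recorded separately from a wrong password, and so that the InvalidOperationException is handled. The LoginOutcome enum and AdLogin class are hypothetical names, and the example assumes the ActiveDirectoryMembershipProvider is registered as the default membership provider in web.config.

```csharp
using System;
using System.Web.Security;

// Hypothetical result type for the login helper (not part of the framework).
public enum LoginOutcome { Success, InvalidCredentials, LockedOut, ProviderNotReady }

public static class AdLogin
{
    public static LoginOutcome Attempt(string username, string password)
    {
        // Assumption: the default provider in web.config is the AD provider.
        var provider = Membership.Provider as ActiveDirectoryMembershipProvider;
        if (provider == null)
            throw new InvalidOperationException(
                "Default membership provider is not ActiveDirectoryMembershipProvider.");

        bool valid;
        try
        {
            // ValidateUser binds to the directory with the supplied credentials,
            // not with the credentials configured for the provider. Leading and
            // trailing spaces in username are trimmed by the provider itself.
            valid = provider.ValidateUser(username, password);
        }
        catch (InvalidOperationException)
        {
            // Thrown when ValidateUser runs before the provider is initialized.
            return LoginOutcome.ProviderNotReady;
        }

        if (valid)
        {
            // If the provider used a concurrent bind, the directory's last logon
            // date is not updated, so an application audit log, not
            // MembershipUser.LastLoginDate, should be the record of this login.
            return LoginOutcome.Success;
        }

        // ValidateUser returns false both for wrong credentials and for a
        // locked-out account. GetUser (which uses the configured credentials)
        // lets the application log the difference; userIsOnline must be false
        // because the AD provider does not track online state.
        MembershipUser user = provider.GetUser(username, false);
        if (user != null && user.IsLockedOut)
            return LoginOutcome.LockedOut;

        return LoginOutcome.InvalidCredentials;
    }
}
```

Use the LockedOut outcome for server-side logging and alerting; the message shown to the end user should be the same for LockedOut and InvalidCredentials so that the response does not disclose which accounts exist or are locked.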

Windows 98, Windows Server 2000 SP4, Windows Server 2003, Windows XP Media Center Edition, Windows XP Professional x64 Edition, Windows XP SP2, Windows XP Starter Edition

The Microsoft .NET Framework 3.0 is supported on Windows Vista, Microsoft Windows XP SP2, and Windows Server 2003 SP1.

.NET Framework

Supported in: 3.0, 2.0

© 2014 Microsoft