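/// <summary>
/// Verify User Name, Password, User Status and Policy against Active Directory.
/// </summary>
/// <param name="userName">
/// User name as supplied by the caller; it is canonicalized with <see cref="CanonicalizeUserName"/> before use.
/// Null or empty values are rejected without contacting the directory.
/// </param>
/// <param name="password">
/// Password used for the LDAP bind. Null or empty values are rejected without contacting the directory:
/// a simple bind with an empty password is treated by LDAP servers as an unauthenticated (anonymous) bind
/// and must never be mistaken for a verified credential.
/// </param>
/// <returns>
/// <see cref="ActiveDirectoryCredentialValidationResult.Ok"/> when the bind succeeds and, if a 2FA group is configured,
/// the user is a member of it; <see cref="ActiveDirectoryCredentialValidationResult.ByPass"/> when a 2FA group is
/// configured and the user is not a member; <see cref="ActiveDirectoryCredentialValidationResult.KnownError"/>
/// when the directory rejects the bind with an <see cref="LdapException"/>;
/// <see cref="ActiveDirectoryCredentialValidationResult.UnknowError"/> for empty input, an unknown principal,
/// or any other failure.
/// </returns>
public ActiveDirectoryCredentialValidationResult VerifyCredential(string userName, string password)
{
    // Reject empty credentials before any network call. With an empty password the
    // bind below can complete as an anonymous bind, which would wrongly count as
    // a successful first factor.
    if (string.IsNullOrEmpty(userName))
    {
        _logger.Error("Empty user name provided");
        return ActiveDirectoryCredentialValidationResult.UnknowError();
    }

    if (string.IsNullOrEmpty(password))
    {
        _logger.Error($"Empty password provided for user '{userName}'");
        return ActiveDirectoryCredentialValidationResult.UnknowError();
    }

    var login = CanonicalizeUserName(userName);
    try
    {
        _logger.Debug($"Verifying user {login} credential and status at {_configuration.Domain}");

        // First factor: bind with the supplied credential. A failed bind throws LdapException.
        using (var connection = new LdapConnection(_configuration.Domain))
        {
            connection.Credential = new NetworkCredential(login, password);
            connection.Bind();
        }

        _logger.Information($"User {login} credential and status verified successfully at {_configuration.Domain}");

        // Group membership is only enforced when a 2FA group is configured.
        if (string.IsNullOrEmpty(_configuration.ActiveDirectory2FaGroup))
        {
            return ActiveDirectoryCredentialValidationResult.Ok();
        }

        using (var ctx = new PrincipalContext(ContextType.Domain, _configuration.Domain, login, password))
        using (var user = UserPrincipal.FindByIdentity(ctx, login))
        {
            // FindByIdentity returns null when no principal matches; dereferencing it
            // unconditionally surfaced a NullReferenceException through the generic catch.
            if (user is null)
            {
                _logger.Warning($"User {login} not found at {_configuration.Domain}");
                return ActiveDirectoryCredentialValidationResult.UnknowError();
            }

            // User must be member of the configured security group to be challenged for the second factor.
            _logger.Debug($"Verifying user {login} is member of {_configuration.ActiveDirectory2FaGroup} group");
            var isMemberOf = user.IsMemberOf(ctx, IdentityType.Name, _configuration.ActiveDirectory2FaGroup);
            if (!isMemberOf)
            {
                _logger.Information($"User {login} is NOT member of {_configuration.ActiveDirectory2FaGroup} group");
                _logger.Information($"Bypass second factor for user {login}");
                return ActiveDirectoryCredentialValidationResult.ByPass();
            }

            _logger.Information($"User {login} is member of {_configuration.ActiveDirectory2FaGroup} group");
        }

        return ActiveDirectoryCredentialValidationResult.Ok();
    }
    catch (LdapException lex)
    {
        // Directory-side rejection (bad password, locked/expired account, policy): map the server message.
        var result = ActiveDirectoryCredentialValidationResult.KnownError(lex.ServerErrorMessage);
        _logger.Warning(lex.ServerErrorMessage);
        _logger.Warning($"Verification user {login} at {_configuration.Domain} failed: {result.Reason}");
        return result;
    }
    catch (Exception ex)
    {
        // Anything else (network, configuration) is reported as an unknown error; the caller never sees the exception.
        _logger.Error(ex, $"Verification user {login} at {_configuration.Domain} failed.");
        return ActiveDirectoryCredentialValidationResult.UnknowError();
    }
}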
/// <summary>
/// Verify User Name, Password, User Status and Policy against Active Directory.
/// </summary>
/// <param name="userName">User name to verify; parsed with <see cref="LdapIdentity.ParseUser"/>.</param>
/// <param name="password">Password used for the LDAP bind. An empty password is rejected before any network call.</param>
/// <returns>
/// <see cref="ActiveDirectoryCredentialValidationResult.Ok"/> (with display name, e-mail and, when configured, phone
/// copied from the loaded profile) when the bind succeeds and, if a 2FA group is configured, the user is a member of it;
/// <see cref="ActiveDirectoryCredentialValidationResult.ByPass"/> when a 2FA group is configured and the user is not
/// a member; <see cref="ActiveDirectoryCredentialValidationResult.KnownError"/> when the directory rejects the bind
/// with an <see cref="LdapException"/>; <see cref="ActiveDirectoryCredentialValidationResult.UnknowError"/> for an
/// empty password, a profile that cannot be loaded, or any other failure.
/// </returns>
/// <exception cref="ArgumentNullException">Thrown when <paramref name="userName"/> is null or empty.</exception>
public ActiveDirectoryCredentialValidationResult VerifyCredential(string userName, string password)
{
    if (string.IsNullOrEmpty(userName))
    {
        throw new ArgumentNullException(nameof(userName));
    }

    // An empty password never reaches the directory: it is reported as invalid credentials.
    if (string.IsNullOrEmpty(password))
    {
        _logger.Error($"Empty password provided for user '{userName}'");
        return ActiveDirectoryCredentialValidationResult.UnknowError("Invalid credentials");
    }

    // Parsing happens outside the try block, so a malformed name propagates to the caller.
    var identity = LdapIdentity.ParseUser(userName);
    var domainName = _configuration.Domain;
    var twoFaGroup = _configuration.ActiveDirectory2FaGroup;

    try
    {
        _logger.Debug($"Verifying user '{identity.Name}' credential and status at {domainName}");

        // The connection stays open for the whole success path: profile and group lookups reuse the bound session.
        using (var ldap = new LdapConnection(domainName))
        {
            ldap.Credential = new NetworkCredential(identity.Name, password);
            ldap.Bind();
            _logger.Information($"User '{identity.Name}' credential and status verified successfully at {domainName}");

            var baseDn = LdapIdentity.FqdnToDn(domainName);
            if (!LoadProfile(ldap, baseDn, identity, out var userProfile))
            {
                return ActiveDirectoryCredentialValidationResult.UnknowError("Unable to load profile");
            }

            // Group membership is only enforced when a 2FA group is configured.
            if (!string.IsNullOrEmpty(twoFaGroup))
            {
                if (!IsMemberOf(ldap, userProfile.BaseDn, identity, twoFaGroup))
                {
                    _logger.Information($"User '{identity.Name}' is NOT member of {twoFaGroup} group");
                    _logger.Information($"Bypass second factor for user '{identity.Name}'");
                    return ActiveDirectoryCredentialValidationResult.ByPass();
                }

                _logger.Information($"User '{identity.Name}' is member of {twoFaGroup} group");
            }

            var verified = ActiveDirectoryCredentialValidationResult.Ok();
            verified.DisplayName = userProfile.DisplayName;
            verified.Email = userProfile.Email;

            // Both switches may be on; the mobile number is assigned last and therefore wins.
            if (_configuration.UseActiveDirectoryUserPhone)
            {
                verified.Phone = userProfile.Phone;
            }

            if (_configuration.UseActiveDirectoryMobileUserPhone)
            {
                verified.Phone = userProfile.Mobile;
            }

            return verified;
        }
    }
    catch (LdapException lex)
    {
        // Directory-side rejection (bad password, locked/expired account, policy): map the server message.
        var known = ActiveDirectoryCredentialValidationResult.KnownError(lex.ServerErrorMessage);
        _logger.Warning($"Verification user '{identity.Name}' at {domainName} failed: {known.Reason}");
        return known;
    }
    catch (Exception ex)
    {
        // Anything else (network, configuration) is reported as an unknown error; the caller never sees the exception.
        _logger.Error(ex, $"Verification user '{identity.Name}' at {domainName} failed.");
        return ActiveDirectoryCredentialValidationResult.UnknowError();
    }
}