Get UserPassword in ActiveDirectory

  • Thread starter ruca

ruca

Hi,

I have a Login Page that has Active Directory permissions. I can get the
domain and the user that is trying to access the application, but I need to
"know" the password that the user inserts, because I have to compare it with another
password that I have in a Database. Only if they are equal can the user access
the web application.

How can I know the password entered by the user? I use this code to know the user:

-----------------------------------------------------------------------------------
' Identity the code is currently running as, in DOMAIN\user form
Dim wi As System.Security.Principal.WindowsIdentity
wi = System.Security.Principal.WindowsIdentity.GetCurrent()
Dim Domain_Slash_User As String = wi.Name()

' Split DOMAIN\user on the backslash: index 0 is the domain, index 1 the user
Dim del As String = "\"
Dim user As String = Domain_Slash_User.Split(del.ToCharArray())(1)
Dim domain As String = Domain_Slash_User.Split(del.ToCharArray())(0)
 
Hi ruca:

There is no way to pull a password out of Active Directory, or ask the
browser what password a user typed into the authentication dialog.
It's basically good security to keep these things hidden.

The only way to get a password is to prompt the user with your
controls and process the login with your code. One way to do this in
an Active Directory environment is to use Forms authentication but
authenticate against AD.

See "How To: Use Forms Authentication with Active Directory":
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dnnetsec/html/SecNetHT02.asp


HTH,
 
You CANNOT look up a password in Active Directory. Ever. If you must compare
passwords because you have them stored in your own database somewhere then
you'll have to prompt the user for it.
 
For the record,
I already have a solution for this case.
What I've done is use the LogonUser API, where I pass the user, the
domain, and then I pass the password that I have stored in my DB.
Now, what happens?

Very simple answer:
LogonUser returns true or false. As is easy to see, if it returns true, that
means the password stored in the DB is equal to the one in Active Directory;
if false, the user doesn't have permission to see the page.
 
For reference, TESTING a password and GETTING a password are two different
things.
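
Added example, not part of any post in this thread: the LogonUser call discussed above, used to TEST a password the user typed into the application's own login form, so that no copy of it has to be kept in a database. The module and function names (AdPasswordCheck, TestCredentials) are assumptions; LogonUser and CloseHandle are the Win32 APIs.

```vbnet
Imports System
Imports System.ComponentModel
Imports System.Runtime.InteropServices

Public Module AdPasswordCheck
    ' Win32 constants from winbase.h / winerror.h
    Private Const LOGON32_LOGON_NETWORK As Integer = 3
    Private Const LOGON32_PROVIDER_DEFAULT As Integer = 0
    Private Const ERROR_LOGON_FAILURE As Integer = 1326

    <DllImport("advapi32.dll", SetLastError:=True, CharSet:=CharSet.Unicode)>
    Private Function LogonUser(ByVal lpszUsername As String,
                               ByVal lpszDomain As String,
                               ByVal lpszPassword As String,
                               ByVal dwLogonType As Integer,
                               ByVal dwLogonProvider As Integer,
                               ByRef phToken As IntPtr) As Boolean
    End Function

    <DllImport("kernel32.dll", SetLastError:=True)>
    Private Function CloseHandle(ByVal hObject As IntPtr) As Boolean
    End Function

    ' Returns True when the domain accepts user/password and False when it
    ' rejects them as a bad user name or password. The password is only
    ' handed to Windows for checking; nothing is read back from the directory.
    Public Function TestCredentials(ByVal user As String,
                                    ByVal domain As String,
                                    ByVal password As String) As Boolean
        Dim token As IntPtr = IntPtr.Zero
        If LogonUser(user, domain, password,
                     LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, token) Then
            ' Only the yes/no answer is needed here, so release the logon
            ' token immediately instead of leaking the handle.
            CloseHandle(token)
            Return True
        End If

        Dim err As Integer = Marshal.GetLastWin32Error()
        If err = ERROR_LOGON_FAILURE Then Return False

        ' Any other failure (account disabled, locked out, domain not
        ' reachable, ...) is surfaced so the caller can deny access and log
        ' it, rather than being reported as a wrong password.
        Throw New Win32Exception(err)
    End Function
End Module
```

Call TestCredentials with the values posted from the login form and treat both a False result and an exception as "access denied".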
 