In our asp.net intranet application we are using windows authentication to authenticate the users.
We have recently had a request to give the user a reason for why they cannot login. For example, tell the user they can't login because their password has expired vs they can't login because their account is locked out.
When an account is locked out or the password has expired, the user cannot log on to the application. IIS will deny access and redirect the user to the Access Denied (401) page after 3 login attempts. As the username is not passed to the web application when IIS authentication fails, we won't be able to check if the account is locked out or the password has expired.
Any suggestions on how to get this information? Are we going to have to move to Forms authentication with an AD provider?
The simple solution to this is to move to forms authentication. But since I know you did not want to hear that, and it is not allowed or not a viable solution, your next option is to:
Look into System.DirectoryServices
Below I'm just pasting some quick code you can play with. Notice how to determine if a user is locked out or not. This is vb.net but can be easily changed to C#.
Imports System.DirectoryServices
Imports System.Reflection

Try
    ' Bind with a service account that has the rights you need; do not hard-code a real password.
    Dim dirEntry As New DirectoryEntry("LDAP://yourDomainInfoHere/OU=Users,OU=YourDomain,OU=YourOU,OU=CORP,DC=YourDC,DC=com", "ExecuteAsUser", "Password")
    Dim entries As DirectoryEntries = dirEntry.Children

    ' Create a user: set login name and full name, commit, then set the password.
    Dim newUser As DirectoryEntry = entries.Add("CN=JONNY BOY", "User")
    newUser.Properties("sAMAccountName").Add("jboy")
    newUser.CommitChanges()
    newUser.Invoke("SetPassword", "hi2343145gfdtgwdt")

    ' userAccountControl is a bit field; &H2 is ACCOUNTDISABLE (new accounts start disabled).
    Dim flags As Integer = CInt(newUser.Properties("userAccountControl").Value)
    ' enable user below
    newUser.Properties("userAccountControl").Value = flags And Not &H2
    ' to disable instead, set the same bit (the last assignment before CommitChanges wins):
    ' newUser.Properties("userAccountControl").Value = flags Or &H2

    ' lockoutTime comes back as an IADsLargeInteger COM object, not a Long, so read its two halves.
    Dim l As Long = 0
    Dim lockoutObj As Object = newUser.Properties("lockoutTime").Value
    If lockoutObj IsNot Nothing Then
        Dim t As Type = lockoutObj.GetType()
        Dim high As Long = CLng(t.InvokeMember("HighPart", BindingFlags.GetProperty, Nothing, lockoutObj, Nothing))
        Dim low As Long = CLng(t.InvokeMember("LowPart", BindingFlags.GetProperty, Nothing, lockoutObj, Nothing))
        l = (high << 32) Or (low And &HFFFFFFFFL)
    End If
    If l <> 0 Then
        ' account is locked out (a non-zero value also remains after the lockout duration has passed)
        ' so how do we unlock it?
        ' we unlock it by setting it to 0
        newUser.Properties("lockoutTime").Value = 0
    Else
        ' lockoutTime is 0, so the account is NOT locked out
    End If
    newUser.CommitChanges()

    Dim j As DirectoryEntry = entries.Find("CN=JONNY BOY", "User")
    j.Properties("mail").Value = "jon@yahoo.com"
    j.CommitChanges()
Catch ex As Exception
    Throw   ' rethrow as-is; "Throw ex" would reset the stack trace
End Try
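An added example, not part of the original question or answer, showing the lookup the asker actually needs: given the sAMAccountName a user types on an anonymous "why can't I log in?" page, ask AD whether the account is disabled, locked out, or has an expired password. It uses DirectorySearcher rather than DirectoryEntry because search results hand back large integers as Long, and it reads the constructed attribute msDS-User-Account-Control-Computed, which reflects the lockout duration, instead of lockoutTime, which stays non-zero after an old lockout has expired. The domain DN, the service account svc_lookup and its password are placeholders.

```vbnet
' Added example (not from the original post). Assumes a read-only service
' account (svc_lookup) and the domain DN below; both are placeholders.
Imports System
Imports System.DirectoryServices
Imports System.Text

Public Module LogonFailureLookup

    ' Bits of userAccountControl / msDS-User-Account-Control-Computed
    Private Const UF_ACCOUNTDISABLE As Integer = &H2
    Private Const UF_LOCKOUT As Integer = &H10
    Private Const UF_PASSWORD_EXPIRED As Integer = &H800000

    ' Escape a user-supplied value for an LDAP filter (RFC 4515) so that input
    ' such as "*)(objectClass=*" cannot rewrite the query (LDAP injection).
    Public Function EscapeLdapFilterValue(value As String) As String
        Dim sb As New StringBuilder(value.Length)
        For Each c As Char In value
            Select Case c
                Case "\"c
                    sb.Append("\5c")
                Case "*"c
                    sb.Append("\2a")
                Case "("c
                    sb.Append("\28")
                Case ")"c
                    sb.Append("\29")
                Case ChrW(0)
                    sb.Append("\00")
                Case Else
                    sb.Append(c)
            End Select
        Next
        Return sb.ToString()
    End Function

    Public Function GetLogonFailureReason(samAccountName As String) As String
        ' Bind as a low-privilege service account; never bind with the end user's own credentials here.
        Using root As New DirectoryEntry("LDAP://DC=YourDomain,DC=com", "svc_lookup", "ServicePassword")
            Using searcher As New DirectorySearcher(root)
                searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=" &
                                  EscapeLdapFilterValue(samAccountName) & "))"
                ' Constructed attributes are only returned when requested explicitly.
                searcher.PropertiesToLoad.AddRange({"userAccountControl",
                                                    "msDS-User-Account-Control-Computed",
                                                    "msDS-UserPasswordExpiryTimeComputed"})
                Dim result As SearchResult = searcher.FindOne()
                If result Is Nothing Then Return "Unknown account"

                Dim uac As Integer = CInt(result.Properties("userAccountControl")(0))
                Dim computed As Integer = CInt(result.Properties("msDS-User-Account-Control-Computed")(0))

                If (uac And UF_ACCOUNTDISABLE) <> 0 Then Return "Account is disabled"
                ' The computed attribute already accounts for the lockout duration.
                If (computed And UF_LOCKOUT) <> 0 Then Return "Account is locked out"
                If (computed And UF_PASSWORD_EXPIRED) <> 0 Then Return "Password has expired"

                ' Optional warning when expiry is near; Long.MaxValue means "password never expires".
                Dim expiryProp As ResultPropertyValueCollection = result.Properties("msDS-UserPasswordExpiryTimeComputed")
                If expiryProp.Count > 0 Then
                    Dim expiry As Long = CLng(expiryProp(0))
                    If expiry <> Long.MaxValue AndAlso expiry <> 0 Then
                        Dim days As Double = (DateTime.FromFileTimeUtc(expiry) - DateTime.UtcNow).TotalDays
                        If days < 7 Then Return String.Format("Password expires in {0:F0} day(s)", days)
                    End If
                End If
                Return "No account problem found; check the password you typed"
            End Using
        End Using
    End Function
End Module
```

Call GetLogonFailureReason from a page that IIS allows anonymously (the 401 custom error page, for instance) and let the user type the account name there, since the failed Windows-auth attempt never reaches the application. Keep in mind that these messages disclose account state to whoever reaches that page, so limit it to the intranet and do not return a different message for unknown accounts if account enumeration is a concern.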