How to validate user credentials if account is a member of AD Protected Users group?

Thread starter: Oleksii Diachok (Guest)
Hi.

What API can I use to validate a user name and password if the user is a member of the AD Protected Users group on Windows Server 2012 R2 or higher?

I tried using:

  1. DirectoryEntry.NativeObject
  2. PrincipalContext.ValidateCredentials with different ContextOptions.


DirectoryEntry.NativeObject throws DirectoryServicesCOMException (0x8007052E) "The user name or password is incorrect".

PrincipalContext.ValidateCredentials simply returns FALSE.

Both APIs work fine if I remove the user from the AD "Protected Users" group.

According to this article accounts that are members of the Protected Users group that authenticate to a Windows Server 2012 R2 domain are unable to:

  1. Authenticate with NTLM authentication.
  2. Use DES or RC4 encryption types in Kerberos pre-authentication.


Probably, neither DirectoryEntry.NativeObject nor PrincipalContext.ValidateCredentials supports the Kerberos protocol. Or I am missing something.

For now, the only thing that seems to work is the LogonUser function. But it requires P/Invoke.

Is there a trick, a workaround or another API that I can use to validate the user name and password for a user account that is a member of the Protected Users group?
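The LogonUser P/Invoke route mentioned in the post, written out as an added example (this is not code from the original post or from Microsoft). It assumes a domain-joined Windows host that can reach a domain controller over Kerberos, since Protected Users members cannot fall back to NTLM. The `LOGON32_LOGON_NETWORK` logon type is the usual choice for pure credential validation: it does not need the "Allow log on locally" right and creates no interactive session. The error-code mapping is the part practitioners usually get wrong: only `ERROR_LOGON_FAILURE` (1326, the same 0x52E seen in the DirectoryServicesCOMException above) means the password was wrong; the other codes mean the password may be correct but policy blocked the logon, and should not be reported to the user as "incorrect password". The class and method names below are the example's own.

```csharp
using System;
using System.Runtime.InteropServices;

// Added example: validate credentials with advapi32!LogonUserW, which performs a real
// network logon (Kerberos when a DC is reachable). Assumes a domain-joined host.
static class ProtectedUserLogonCheck
{
    // Logon type 3 = network logon: no interactive session, no "log on locally" right needed.
    const int LOGON32_LOGON_NETWORK = 3;
    const int LOGON32_PROVIDER_DEFAULT = 0;

    // Win32 error codes needed to interpret a failed call.
    const int ERROR_LOGON_FAILURE = 1326;          // 0x52E: bad user name or password
    const int ERROR_ACCOUNT_RESTRICTION = 1327;
    const int ERROR_PASSWORD_EXPIRED = 1330;
    const int ERROR_ACCOUNT_DISABLED = 1331;
    const int ERROR_LOGON_TYPE_NOT_GRANTED = 1385;
    const int ERROR_ACCOUNT_LOCKED_OUT = 1909;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool LogonUserW(string lpszUsername, string lpszDomain, string lpszPassword,
                                  int dwLogonType, int dwLogonProvider, out IntPtr phToken);

    [DllImport("kernel32.dll", SetLastError = true)]
    [return: MarshalAs(UnmanagedType.Bool)]
    static extern bool CloseHandle(IntPtr hObject);

    public enum Outcome { Valid, BadCredentials, PolicyDenied, Error }

    // user may be "DOMAIN\user", "user" plus a separate domain, or a UPN ("user@corp.example").
    // For a UPN the domain argument must be null, which is what LogonUser expects.
    public static Outcome Validate(string user, string domain, string password, out int win32Error)
    {
        win32Error = 0;
        if (user.Contains("@")) domain = null;

        IntPtr token;
        bool ok = LogonUserW(user, domain, password,
                             LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token);
        // GetLastWin32Error must be read before any other P/Invoke call.
        win32Error = ok ? 0 : Marshal.GetLastWin32Error();

        if (ok)
        {
            CloseHandle(token);   // Only a yes/no answer was wanted; never keep the token.
            return Outcome.Valid;
        }

        switch (win32Error)
        {
            case ERROR_LOGON_FAILURE:
                return Outcome.BadCredentials;
            case ERROR_ACCOUNT_RESTRICTION:
            case ERROR_PASSWORD_EXPIRED:
            case ERROR_ACCOUNT_DISABLED:
            case ERROR_LOGON_TYPE_NOT_GRANTED:
            case ERROR_ACCOUNT_LOCKED_OUT:
                // Password may be right; the account or logon type is blocked by policy.
                return Outcome.PolicyDenied;
            default:
                // Anything else (e.g. no DC reachable) is an infrastructure error, not a verdict.
                return Outcome.Error;
        }
    }

    static int Main(string[] args)
    {
        if (args.Length < 1)
        {
            Console.Error.WriteLine("usage: ProtectedUserLogonCheck <DOMAIN\\user | user@upn>");
            return 2;
        }
        Console.Error.Write("Password: ");
        string password = Console.ReadLine();   // Example only; use a hidden prompt in real tooling.

        int err;
        Outcome result = Validate(args[0], null, password, out err);
        Console.WriteLine("{0} (Win32 error {1})", result, err);
        return result == Outcome.Valid ? 0 : 1;
    }
}
```

Because Protected Users members have no cached credentials and cannot use NTLM, this only returns `Valid` when the host can actually complete a Kerberos exchange with a domain controller; a host that is not domain-joined, or that cannot resolve the KDC, fails even with the right password, which is the behaviour to expect and to surface as `Error` or `PolicyDenied` rather than as a wrong password.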
