Calling ValidateCredentials Results In False (With Known Correct Username/Password), Event 4625 Showing On Domain Server
I am making a very simple call to PrincipalContext.ValidateCredentials in the domain context, but for some unknown reason it is producing a false negative.
using System;
using System.DirectoryServices.AccountManagement;

// Bind to the domain and validate the supplied credentials against it
using (PrincipalContext pc = new PrincipalContext(ContextType.Domain, "DOMAINNAME"))
{
    bool isValid = pc.ValidateCredentials("username", "password");
    Console.WriteLine(isValid);
}
When I look at the security audit on the AD server, it shows an audit failure event with event ID 4625, claiming the user does not have the right to log on to the machine. I can log on to a terminal server joined to that domain with these same credentials. Before this, the account under which I am running the application audited successfully, and I was able to successfully validate other users' credentials. However, I cannot find any difference between the accounts that validate successfully and the ones that do not; they all belong to the same domain security groups.
An account failed to log on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Account For Which Logon Failed:
Security ID: NULL SID
Account Name: [REDACTED]
Account Domain:
Failure Information:
Failure Reason: User not allowed to logon at this computer.
Status: 0xC000006E
Sub Status: 0xC0000070
Process Information:
Caller Process ID: 0x0
Caller Process Name: -
Network Information:
Workstation Name: [REDACTED]
Source Network Address: [REDACTED]
Source Port: 62667
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): -
Key Length: 0
This event is generated when a logon request fails. It is generated on the computer where access was attempted.
The Subject fields indicate the account on the local system which requested the logon. This is most commonly a service such as the Server service, or a local process such as Winlogon.exe or Services.exe.
The Logon Type field indicates the kind of logon that was requested. The most common types are 2 (interactive) and 3 (network).
The Process Information fields indicate which account and process on the system requested the logon.
The Network Information fields indicate where a remote logon request originated. Workstation name is not always available and may be left blank in some cases.
The authentication information fields provide detailed information about this specific logon request.
- Transited services indicate which intermediate services have participated in this logon request.
- Package name indicates which sub-protocol was used among the NTLM protocols.
- Key length indicates the length of the generated session key. This will be 0 if no session key was requested.
I feel like I am losing my mind here; any help that can be offered would be greatly appreciated. I would consider an alternative to PrincipalContext if one exists at this point.
As you confirmed in the comments, the user account is restricted to a specific set of computers which does not include the DC server, and that is why your ValidateCredentials is not working.
@Am_I_Helpful Yes, you're exactly right, that is the issue. If I change the value for the user to log on to all servers, it works correctly and returns true. I guess my understanding of how ValidateCredentials works in the domain context isn't correct, I assumed if it was a valid, unlocked account it would return true. They actually need the domain server in their Log On to server list?
Yes, if you want to check credentials (authentication), then you do indeed need to include the domain's domain controller in the user's "Log On To" workstation list!
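An added diagnostic helper (not code from the question or answer) that turns the bare false from ValidateCredentials into an actionable reason. It assumes the "Log On To" restriction is stored in the account's userWorkstations attribute as a comma-separated list of NetBIOS names, and compares that list against the DC the context is bound to (pc.ConnectedServer) and against the calling workstation, the two hosts that appear in the 4625 event; the names CredentialCheck, Diagnose and IsAllowedToLogOnAt are hypothetical.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.Linq;

static class CredentialCheck
{
    // True when the account has no "Log On To" restriction, or when the
    // restriction list (userWorkstations, comma-separated NetBIOS names)
    // contains the given host name. Assumption: attribute format as described.
    public static bool IsAllowedToLogOnAt(UserPrincipal user, string hostName)
    {
        var entry = (DirectoryEntry)user.GetUnderlyingObject();
        var list = entry.Properties["userWorkstations"].Value as string;
        if (string.IsNullOrEmpty(list))
            return true; // empty attribute means "All computers"
        return list.Split(',')
                   .Any(w => w.Trim().Equals(hostName, StringComparison.OrdinalIgnoreCase));
    }

    // Validates the credentials and, on failure, reports which account
    // condition most likely caused it so the 4625 status codes are not needed.
    public static string Diagnose(string domain, string username, string password)
    {
        using (var pc = new PrincipalContext(ContextType.Domain, domain))
        {
            if (pc.ValidateCredentials(username, password))
                return "OK";

            var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, username);
            if (user == null) return "account not found";
            if (user.IsAccountLockedOut()) return "account locked out";
            if (user.Enabled == false) return "account disabled";

            // NetBIOS name of the DC the context is bound to (FQDN -> first label)
            string dc = pc.ConnectedServer.Split('.')[0];
            if (!IsAllowedToLogOnAt(user, dc))
                return "Log On To list excludes domain controller " + dc;
            if (!IsAllowedToLogOnAt(user, Environment.MachineName))
                return "Log On To list excludes this workstation " + Environment.MachineName;

            return "bad password or other failure";
        }
    }
}
```

Reading userWorkstations requires the running account to have read access to that attribute, which the default Authenticated Users permissions normally grant.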