Authenticating against Windows Network: System.DirectoryServices.DirectorySearcher or LogonUser(..)

Zeno Lee

I'm trying to authenticate a user against a Windows network. I want it to
work across any kind of Windows network from NT 4.0 up to Windows 2003 ADS.

So far I've been using DirectoryEntry and DirectorySearcher and doing a
search on Active Directory. With the addition of a customer on an NT 4.0
network, I've had to add DllImport using LogonUser() from advapi32.dll in
addition to the directory search.

To simplify my code, is it possible to just use LogonUser from advapi32.dll
in any scenario? If LogonUser is called in an Active Directory network,
does it do a directory search? Is this LogonUser safe to keep around in
case one of my clients goes to a pure Windows 2003 network?
 
LogonUser doesn't use an LDAP search under the hood like the
DirectorySearcher does. However, if you just want to authenticate,
LogonUser will work. It requires that the user actually has rights to log on
locally, but otherwise I'd suggest you use that if you can.

You actually don't need to use the DirectorySearcher to authenticate a user
either. If you want to use LDAP, a bind using the DirectoryEntry is
sufficient.

Joe K.
 
Hi Zeno,
I agree with the answer from Joe.
In addition, if you are developing AD admin software and the user will
perform operations on AD after being authenticated, using DirectoryEntry
with the proper AuthenticationType is a good choice.

For further information, please post to the security/AD newsgroup, and we will
follow up with you there.

Thanks,
Rhett Gong [MSFT]
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

This posting is provided "AS IS" with no warranties and confers no rights.
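
Both approaches discussed in this thread, as an added example that is not code from any of the posters: a credential check through LogonUser and one through a DirectoryEntry bind. The class and method names, the choice of LOGON32_LOGON_NETWORK and AuthenticationTypes.Secure, and the empty-credential guard are assumptions of this example.

```csharp
using System;
using System.ComponentModel;
using System.DirectoryServices;
using System.Runtime.InteropServices;

static class WindowsAuth   // hypothetical helper, not from the thread
{
    const int LOGON32_LOGON_NETWORK = 3;   // credential check only, no interactive session
    const int LOGON32_PROVIDER_DEFAULT = 0;
    const int ERROR_LOGON_FAILURE = 1326;

    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    static extern bool LogonUser(string user, string domain, string password,
        int logonType, int logonProvider, out IntPtr token);

    [DllImport("kernel32.dll", SetLastError = true)]
    static extern bool CloseHandle(IntPtr handle);

    // LogonUser: works for NT 4.0 domains and Active Directory. On Windows 2000 and
    // earlier the calling process needs the "Act as part of the operating system" privilege.
    public static bool ValidateWithLogonUser(string user, string domain, string password)
    {
        IntPtr token;
        if (!LogonUser(user, domain, password, LOGON32_LOGON_NETWORK, LOGON32_PROVIDER_DEFAULT, out token))
        {
            int err = Marshal.GetLastWin32Error();
            if (err == ERROR_LOGON_FAILURE) return false;   // unknown user or bad password
            throw new Win32Exception(err);   // lockout, expiry, missing privilege: not a plain "no"
        }
        CloseHandle(token);   // only a yes/no answer is needed, so release the token
        return true;
    }

    // LDAP bind through DirectoryEntry: Active Directory only.
    public static bool ValidateWithLdapBind(string ldapPath, string user, string password)
    {
        // Null credentials make ADSI bind as the caller, so reject empty input up front.
        if (string.IsNullOrEmpty(user) || string.IsNullOrEmpty(password)) return false;
        try
        {
            // Secure negotiates Kerberos/NTLM instead of sending the password in a simple bind.
            using (var entry = new DirectoryEntry(ldapPath, user, password, AuthenticationTypes.Secure))
            {
                object bound = entry.NativeObject;   // accessing NativeObject forces the bind
                return bound != null;
            }
        }
        catch (COMException ex) when (ex.ErrorCode == unchecked((int)0x8007052E)) { return false; }  // logon failure
    }
}
```

Both methods return false only for a rejected user name or password and let every other failure surface as an exception, so an unreachable domain controller is never mistaken for bad credentials.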
 