Re: VB6 & Active Directory

The OP asked "Is it possible to verify AD passwords for use with 2.", where
"2. User logs in the app using his AD username & password.". I therefore
understood him to want to validate a given username + password pair inside
of his application, not as wanting to to manipulate AD properties from
within his application.

As of W2K, a DC authenticates domain accounts "using AD information" via
Kerberos. Kerberos does not pass passwords across the network, rather it
uses a "double-encryption technique" (that's very sloppy I know) to verify
that both parties know the same shared secret, without either party having
to reveal that secret. That validation produces a ticket granting ticket
that is used for all further authentication purposes, so that applications
never need to know anything about passwords. This is what makes it possible
to replace passwords with smartcards, SecurId, biometric devices or the
like.

"Tony Proctor" <tony_proctor@xxxxxxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:ukQJqzE1HHA.3768@xxxxxxxxxxxxxxxxxxxxxxx
There is no such thing as an AD password

It's probably a "word" issue Mark but I would say that term does have some
validity. AD is a just hierarchical database of network-wide objects. As
of
W2K, a domain controller validates domain accounts using AD. Local
accounts
are still validated against the registry-based SAM used pre-W2K. Mostly,
though (with a few exceptions), user management shouldn't have to worry
about that

Coming back to Ivan's question: have you looked at using the "Active DS
Type
Library", e.g. IADsUser, etc. They allows you to browse machines, groups,
users in a group, etc., and manage their properties

Tony Proctor

"Mark Yudkin" <DoNotContactMe@xxxxxxxxxxxxxx> wrote in message
news:emPSJib0HHA.1484@xxxxxxxxxxxxxxxxxxxxxxx
Judging from your question you seemed to be very confused between AD and
security. There is no such thing as an AD password. AD is a directory.
Security is provided by security providers such as Kerberos.

Provided your application understands Windows security, your user doesn't
need to log in. Making a VB6 application understand Windows security is
normally very easy, in the worst case you have to do a bit of COM+
coding,
but that's a piece of cake in VB6 once you've understood the basics. The
usual case in which authentication is needed is web clients, but for that
case IIS provides all the parts you need as part of ASP / ASP.NET.

If your application needs to log in a user, the API is called LogonUser.
Normally such applications should run as services; under Windows 2000 and
earlier, the API must be run from within the SYSTEM TCB.

An appliation prompting a user for a password should use
CredUIPromptForCredentials or CredUICmdLinePromptForCredentials. You can
then call CredUIParseUserName and CredUIConfirmCredentials to validate
the
credentials.

There is no easy way to verify a user's password (I believe Vista added
an
API, but am unsure). You can use the SSPI directly; C code was provided
in
the April 2001 MSDN Magazine, and it may be possible to convert this to
VB6 - you're on your own if you choose to follow this route.

"Ivan Debono" <ivanmdeb@xxxxxxxxxxx> wrote in message
news:OMi$G8C0HHA.464@xxxxxxxxxxxxxxxxxxxxxxx
Hi all!!

A VB6 app must integrate with AD, specifically the user management
part.
Basically this is what needs to be done.

1. App displays list of AD users (this should be easy with the
activeds.tlb)
2. User logs in the app using his AD username & password.

Question...

Is it possible to verify AD passwords for use with 2 as I didn't find
any
relevant method so far???

Thanks,
Ivan







.

Relevant Pages

  • Re: Windows Password Validation
    ... Once set these passwords were correctly authenticated with ... I have a VB 6 routine to validate users' passwords before allowing them ... : Tony Spratt. ...
    (microsoft.public.vb.winapi)
  • Re: [Full-Disclosure] Administrivia: List Compromised due to Mailman Vulnerability
    ... >Subscriber addresses and passwords have been compromised. ... but better is to extract and validate the tail of ...
    (Full-Disclosure)
  • Re: [Full-disclosure] Re: SecurID with Active Directory ?
    ... > passwords, you could use some programmatic method to ... if the exe were ever to escape outside infrastructure controls. ... the application then allowed access to the ftp server and its credentials ... thus allowing the application to validate and run. ...
    (Full-Disclosure)
  • Re: Can I programmatically get passwords for user names?
    ... >logged in as Administrator, ... >passwords for user names? ... Best you can do is validate a password against the SAM and see if ...
    (microsoft.public.win2000.security)
  • RE: passwords in asp pages
    ... and using integrated security for connecting to the database- this will ... remove cleartext passwords from the files. ... grab the raw asp source from the server. ... to facilitate one-on-one interaction with one of our expert instructors. ...
    (Security-Basics)