jezr74

Password validation against active directory.

17 posts in this topic

Hi All,

I currently have a script that challenges the user for a username and password that is passed on to map drives among other things. I'm trying to add validation to this for incorrect passwords, i.e. if the password is incorrect, the drive mapping is attempted with the wrong password and you are presented with a Windows GUI logon. I've had to exit the script and start again.

Is there a way to validate a password against Active Directory to give an error code rather than attempting to process the script with incorrect credentials?

I've searched the forums a lot for some clues, but have not found anything in this area with AD.

Thanks,

jtsm

#include <GuiConstants.au3>
#include <WindowsConstants.au3>
#include <ButtonConstants.au3>
#include <EditConstants.au3>
#include <Inet.au3>
#include <file.au3>
;If Not IsDeclared('WS_CLIPSIBLINGS') Then Global $WS_CLIPSIBLINGS = 0x04000000

$GUIPass = GUICreate("Logon", 222, 149, (@DesktopWidth - 222) / 2, (@DesktopHeight - 179) / 2, $WS_OVERLAPPEDWINDOW + $WS_VISIBLE + $WS_CLIPSIBLINGS)
$Button_Enter = GUICtrlCreateButton("CTS Update ", 95, 90, 35, 35, $BS_ICON)
GUICtrlSetState(-1, $GUI_DEFBUTTON)
GUICtrlSetImage(-1, "shell32.dll", 162) ;44
$Button_Exit = GUICtrlCreateButton("Exit", 150, 90, 35, 35, $BS_ICON)
GUICtrlSetImage(-1, "shell32.dll", 131) ;27
$LocalVersion = FileGetVersion("C:\windows\system32\winlogon.exe")
$Label_Ver = GUICtrlCreateLabel("v." & $LocalVersion, 20, 90, 55, 35)
GUICtrlSetImage(-1, "shell32.dll", 135) ;27

; User logon screen
$Input_UserID = GUICtrlCreateInput("", 80, 30, 120, 20)
GUICtrlSetState(-1, $GUI_FOCUS)
$Input_UserPWD = GUICtrlCreateInput("", 80, 60, 120, 20, $ES_PASSWORD)
$Label_UserID = GUICtrlCreateLabel("User Name", 20, 30, 60, 20)
$Label_UserPWD = GUICtrlCreateLabel("Password", 20, 60, 50, 20)
$Group_Access = GUICtrlCreateGroup("Authorised Access Only", 10, 0, 200, 140)

ControlFocus("Logon", "Authorised Access Only", 6)

GUISetState()
While 1
    $msg = GUIGetMsg()
    Select
        Case $msg = $GUI_EVENT_CLOSE
            ExitLoop
        Case $msg = $Button_Exit
            Exit
        Case $msg = $Button_Enter
            ; Both fields empty: treat as cancel. Only one field empty: stay on the form.
            If GUICtrlRead($Input_UserID) = "" And GUICtrlRead($Input_UserPWD) = "" Then Exit
            If GUICtrlRead($Input_UserID) = "" Or GUICtrlRead($Input_UserPWD) = "" Then ContinueLoop
            GUISetState(@SW_HIDE, $GUIPass)
            ; The credentials are not checked before this point. Flag 8 tells Windows to show
            ; its own credential dialog when the logon fails, which is the prompt described above.
            DriveMapDel("j:")
            DriveMapAdd("j:", "\\SERVER\SHARE", 8, "DOMAIN\" & GUICtrlRead($Input_UserID), "" & GUICtrlRead($Input_UserPWD))
            Exit
    EndSelect
WEnd
GUIDelete($GUIPass)
Exit


You can use the WNetAddConnection2 or WNetAddConnection3 API calls. Both have parameters that indicate whether the OS can interact with the user or not if the username/password is wrong. The WNet library is available in Auto3Lib if you're interested.

Auto3Lib: A library of over 1200 functions for AutoIt


Opt("RunErrorsFatal", 0) ; let Run() fail quietly and set @error instead of aborting the script

; Returns True if Windows accepts the credentials, False otherwise.
; RunAsSet only stores the credentials; the actual logon happens inside Run(),
; so that is where a wrong password surfaces as @error.
; Option 0 = logon with profile. Do not use option 2 (network credentials only)
; for this purpose: Windows does not verify the password for that logon type.
Func _ValidUserPass($computer, $username, $password)
    Local $valid = True
    RunAsSet($username, $computer, $password, 0)
    Run(@ComSpec & " /c  echo test", @SystemDir, @SW_HIDE)
    If @error Then $valid = False
    RunAsSet() ; clear the stored credentials again
    Return $valid
EndFunc

I use the above UDF to validate the user password. I don't remember where in the forum I found it. I think it was done by erifash. The only flaw: it won't validate a user with a blank password.


AutoIt Scripts: NetPrinter - Network Printer Utility; RobocopyGUI - GUI interface for M$ robocopy command line


#4 · Posted (edited)

Came across this and found it useful, so I thought I'd post up a current working implementation of it since RunAsSet has gone away.

MsgBox(0, "", _ValidUserPass("Username", "Domain", "Password"))

; Same check as above, using RunAs() (which replaced RunAsSet): the logon happens
; when the child process is started, so a bad password shows up as @error.
; Logon flag 0 = logon with profile; flag 2 (network credentials only) would not
; verify the password at all.
Func _ValidUserPass($username, $computer, $password)
    Local $valid = True
    RunAs($username, $computer, $password, 0, @ComSpec & " /c  echo test", @SystemDir, @SW_HIDE)
    If @error Then $valid = False
    Return $valid
EndFunc
Edited by exodius


Oh thank you exodius! My old scripts for changing users IP addresses without being an admin work again. \o/ Kudo's mate.

-KegRaider


Try this: it will return the user object if the user ID is in AD and 1 if not.

; Returns the user object if the credentials bind to the user's DN, 1 if not.
; The bind is a real AD logon, so a wrong password counts as a failed logon attempt.
Func _ValidUser($UserNT, $strUserDN, $strDomain, $PWD)
    Local Const $ADS_SECURE_AUTHENTICATION = 0x1 ; Kerberos/NTLM instead of a simple (cleartext) bind
    Local Const $ADS_USE_ENCRYPTION = 0x2        ; sign and seal the connection
    Local $oErr = ObjEvent("AutoIt.Error", "_ValidUser_ComErr") ; a failed bind must not terminate the script
    Local $objDSO = ObjGet("LDAP:")
    Local $objUser = $objDSO.OpenDSObject("LDAP://" & $strUserDN, $strDomain & "\" & $UserNT, $PWD, _
            BitOR($ADS_USE_ENCRYPTION, $ADS_SECURE_AUTHENTICATION)) ; BitOR, not Or: the flags are a bit mask
    If IsObj($objUser) Then
        Return $objUser
    Else
        Return 1
    EndIf
EndFunc

Func _ValidUser_ComErr($oError)
    ; COM error handler: swallow the error, the caller checks IsObj() on the result
    Return
EndFunc


#8 · Posted (edited)

This was driving me nuts for hours, trying to think of a good way to do this, and then I stumbled upon the LogonUser function in advapi32.dll.

This code seems to work for me against the accounts I tried. Not sure what permissions are necessary for the AutoIt code to validate against the AD you're targeting though :)

Also, use an NT-style domain (like "domain" instead of "domain.com") as I'm not sure if the FQDN will work.

Hope you like it ;)

; Returns 1 for valid credentials, 0 for invalid credentials and sets @error
; Each call is a real logon attempt: failures are audited and count toward account lockout.
Func _ValidateUserCreds($d_Account, $d_Password, $d_Domain = @ComputerName)
    ; LOGON32_LOGON_NETWORK only checks the credentials and loads no profile,
    ; so it is the right logon type for a pure password check.
    Local Const $LOGON32_LOGON_NETWORK = 3
    Local Const $LOGON32_PROVIDER_DEFAULT = 0
    Local $aRet = DllCall("advapi32.dll", "bool", "LogonUserW", _
            "wstr", $d_Account, "wstr", $d_Domain, "wstr", $d_Password, _
            "dword", $LOGON32_LOGON_NETWORK, "dword", $LOGON32_PROVIDER_DEFAULT, "handle*", 0)
    ; Check the BOOL return value, not the token handle: on failure the handle is left unset.
    If @error Or Not $aRet[0] Then Return SetError(1, 0, 0)
    ; A successful logon hands back a token; close it so it does not leak.
    DllCall("kernel32.dll", "bool", "CloseHandle", "handle", $aRet[6])
    Return 1
EndFunc
Edited by RulerOf


#9 · Posted (edited)

If you are running Windows Vista or later you can try my Active Directory UDF (for download please see my signature below).

The _AD_Open function returns detailed error information in case of an error. This and more errors are handled:

525 - user not found

52e - invalid credentials

530 - not permitted to logon at this time

532 - password expired

533 - account disabled

701 - account expired

773 - user must reset password

The validation code could look like:

#include <AD.au3>
#include <Array.au3> ; for _ArrayDisplay
; $SUserId, $SPassword, $SDNSDomain, $SHostServer and $SConfiguration hold the
; caller's credentials and connection settings (see the _AD_Open documentation)
; Open Connection to the Active Directory
If _AD_Open($SUserId, $SPassword, $SDNSDomain, $SHostServer, $SConfiguration) Then
    MsgBox(64, "Active Directory Functions", "Logon was successful!")
ElseIf @error <= 8 Then
    MsgBox(16, "Active Directory Functions", "The logon was not successful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended)
Else
    MsgBox(16, "Active Directory Functions", "The logon was not successful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended & _
        @CRLF & @CRLF & "Extended error information will be displayed")
    Global $aError = _AD_GetLastADSIError()
    _ArrayDisplay($aError)
EndIf
; Close Connection to the Active Directory
_AD_Close()
Edited by water

My UDFs and Tutorials:

UDFs:
Active Directory (2016-08-18 - Version 1.4.6.0) - Download - General Help & Support - Example Scripts - Wiki
OutlookEX (NEW 2016-12-04 - Version 1.2.2.0) - Download - General Help & Support - Example Scripts - Wiki
ExcelChart (2015-04-01 - Version 0.4.0.0) - Download - General Help & Support - Example Scripts
Excel - Example Scripts - Wiki
Word - Wiki
Tutorials:
ADO - Wiki
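A small parser for those sub-error codes, added here as an example (it is not part of the AD UDF or of this thread): it pulls the `data 52e` field out of the diagnostic string AD returns on a failed bind, records the precise reason for the log, and gives the user only a message that does not reveal whether the account name exists. It also covers codes 531 and 775, which AD reports the same way but the list above does not mention; the sample diagnostic strings are constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Sub-error codes AD puts in its bind diagnostic message ("data 52e").
# These are the codes listed in the post above, plus 531 and 775, which
# AD reports in the same field (all are well-known Win32 logon error codes).
AD_BIND_SUBCODES = {
    0x525: "user not found",
    0x52E: "invalid credentials",
    0x530: "not permitted to logon at this time",
    0x531: "not permitted to logon at this workstation",
    0x532: "password expired",
    0x533: "account disabled",
    0x701: "account expired",
    0x773: "user must reset password",
    0x775: "account locked out",
}

# Codes whose exact reason must not reach the user: telling a caller
# "user not found" vs "invalid credentials" lets them enumerate account names.
_GENERIC_TO_USER = {0x525, 0x52E}

_DATA_RE = re.compile(r"\bdata\s+([0-9A-Fa-f]+)\b")


@dataclass(frozen=True)
class BindFailure:
    subcode: Optional[int]   # parsed hex sub-error, None if the message had none
    reason: str              # precise reason, for the audit log
    user_message: str        # what a login form may safely display


def classify_bind_failure(diag: str) -> BindFailure:
    """Map an AD bind diagnostic message to a log reason and a safe user message."""
    m = _DATA_RE.search(diag or "")
    if not m:
        return BindFailure(None, "bind failed (no AD sub-code in message)",
                           "Logon was not successful.")
    code = int(m.group(1), 16)
    reason = AD_BIND_SUBCODES.get(code, f"unknown AD sub-code {code:x}")
    if code in _GENERIC_TO_USER or code not in AD_BIND_SUBCODES:
        msg = "Logon was not successful."
    else:
        # Account-state problems are safe to show: the caller already proved
        # the password, and the user needs to know what to fix.
        msg = f"Logon was not successful: {reason}."
    return BindFailure(code, reason, msg)


# Constructed sample diagnostics, in the shape AD returns them.
SAMPLE_DIAGS = [
    "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580",
    "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 533, v1db1",
    "80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 773, v1db1",
    "some other LDAP error without a data field",
]

if __name__ == "__main__":
    for d in SAMPLE_DIAGS:
        f = classify_bind_failure(d)
        print(f"{f.subcode!r:>6}  log={f.reason!r:45} user={f.user_message!r}")
```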

 


Another - different - approach.

Joeware offers this little tool to validate a userid.



Ahem:


<3 You.

I come into work today only to find you've made my job sooooo much more concise. I owe ya! =)

Thanks so much,

RulerOf


Glad to be of service!

The userid/password checking thing is quite new. If you have problems or find a bug please report on the "Help and Support Thread" (you find the link in my signature).

Good luck!



#13 · Posted (edited)

Hi Water,

I tried your _AD_Open function to validate the user credentials. But if I leave the input box blank, it accepts it and shows logon success. Can you help me on this? I have attached my different styles of script below; please let me know where I am going wrong.

#include <AD.au3>
; Open Connection to the Active Directory
$SUserId = InputBox("", "", "")
$SPassword = InputBox("", "", "", "*")
If _AD_Open($SUserId, $SPassword) Then
    MsgBox(64, "Active Directory Functions", "Logon was successful!")
ElseIf @error <= 8 And $SUserId = "" Or $SPassword = "" Then
    MsgBox(16, "Active Directory Functions", "The logon was not successful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended)
Else
    MsgBox(16, "Active Directory Functions", "The logon was not successful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended & _
        @CRLF & @CRLF & "Extended error information will be displayed")
    Global $aError = _AD_GetLastADSIError()
    _ArrayDisplay($aError)
EndIf
; Close Connection to the Active Directory
_AD_Close()

----------------------------------------------------------------------------

#include <AD.au3>
; Open Connection to the Active Directory
$SUserId = InputBox("", "", "")
$SPassword = InputBox("", "", "", "*")
If _AD_Open($SUserId, $SPassword) And $SUserId <> "" Or $SPassword <> "" Then
    MsgBox(64, "Active Directory Functions", "Logon was not successful!")
ElseIf $SUserId = "" Or $SPassword = "" Then
    MsgBox(16, "Active Directory Functions", "User Id or Pass can not be blank!!!")
Else
    MsgBox(16, "Active Directory Functions", "The logon was not successful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended & _
        @CRLF & @CRLF & "Extended error information will be displayed")
    Global $aError = _AD_GetLastADSIError()
    _ArrayDisplay($aError)
EndIf
; Close Connection to the Active Directory
_AD_Close()

Edited by Syed23

Thank you, Regards, K.Syed Ibrahim.


Hi Syed23,

If you don't specify a UserID, the AD UDF connects using the credentials of the currently logged-on user. As this user is already logged in, the password has already been verified and you will never get an error.

If you change the example a little bit then it should work fine:

#include <AD.au3>
#include <Array.au3> ; for _ArrayDisplay
; Open Connection to the Active Directory
$SUserId = InputBox("Active Directory Functions", "UserID", "", "", 250, 120)
$SPassword = InputBox("Active Directory Functions", "Password", "", "*", 250, 120)
; Reject blank input first: an empty UserID would silently connect as the current user
If $SUserId = "" Or $SPassword = "" Then
    MsgBox(16, "Active Directory Functions", "User Id or Pass can not be blank!!!")
ElseIf _AD_Open($SUserId, $SPassword) Then
    MsgBox(64, "Active Directory Functions", "Logon was successful!")
    ; Close Connection to the Active Directory
    _AD_Close()
ElseIf @error <= 8 Then
    MsgBox(16, "Active Directory Functions", "The logon was not successful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended)
Else
    MsgBox(16, "Active Directory Functions", "The logon was not successful!" & @CRLF & @CRLF & "@error: " & @error & ", @extended: " & @extended & _
        @CRLF & @CRLF & "Extended error information will be displayed")
    Global $aError = _AD_GetLastADSIError()
    _ArrayDisplay($aError)
EndIf

Be sure to specify the userid as NetBIOS Login Name, e.g. "<DOMAIN>\DJ", or User Principal Name, e.g. "DJ@domain.com". Only in these cases do you get the extended error information. If you just use the Windows Login Name, e.g. "DJ", then you only get @error = 8.



Thanks a lot Water. I am very happy and this makes my credential validation work simple ... Thanks a lot


:x


you are the BEST!!!!!!!!!!
