user password validating

cooky4 · July 3rd, 2003, 01:29 PM

i am writing my first program in VB 6.0 and they are asking for a password verification against the password in Active Directory.
I just need to go out to the database in Active directory and grab the password of the user whose name appears in a textbox. When the user enters a password into another textbox i just want to make sure to validate that password and that this is the correct user.
I hope this makes sense.

Thanks
Doug

bveerendrakumar · July 8th, 2003, 05:12 AM

Do the following

Note:
1. Substitute ur values at #places(For ex: if ur field name in databse is usrPwd then replace rs("Fieldname#").value as rs("usrpwd").value

2. Assume that ur passwd field text box name is txtPasswd

Private Function FindUser() as Boolean
    dim Cn as new Adodb.connection
    dim Rs as recordset
    cn.open("Dsn=#;Uid=#;Pwd=#;")
    set rs=new recordset
    rs.open("Sqlstatement#",cn,adopenstatic,adlockopti mistic)
    if trim(txtPasswd.text)=rs("Fieldname#").value then
         FindUser=True
    else
         FindUser=False
    endif
if cn.state then 'checking the connection wether it is opened
   cn.close
end if
set cn=nothing
if rs.state then
   rs.close
end if
set rs=nothing
exit funtion
ErrHand:
   msgbox err.description
end function

'Call this function from ur valid events to check wether pwd is correct or not, if password exists it returns true else it returns false

Hope this solution help you

B.V.Kumar

pgtips · July 8th, 2003, 06:46 AM

Doug, it just ain't that easy I'm afraid. The main stumbling block is that you cannot retrieve any user's Windows password through any means. Think about it, its a hacker's dream if you could write a program to look up a user and get his/her password. Even Windows doesn't know what the actual passwords are because it uses a common cryptographic technique known as "hashing". The closest you could attempt is to find out which hashing algorithm Windows uses, generate the hash yourself from the password input, then compare it to the hash stored by Windows...quite an ask for your first VB program.

Nobody does this sort of thing. A fundamental of the windows user interface is that you only log-on once - how fed-up would you be if every time you opened a program it asked you to provide your password again?

Sorry to be unhelpful, but I think that whoever is asking you to provide this password check needs to re-think exactly what they're trying to achieve by this - and then find a better way to achieve that.

regards
Phil

cooky4 · July 9th, 2003, 08:18 AM

Thanks for the suggestions.
doug

martenrune · July 18th, 2003, 06:55 AM

Well it's not easy but...

It's true, you can't get the password from the domaincontroller or whatever but...

You can send: username, presumedPWD and domain to be validated by the sucuritycomponents in windows. This way you will validate the user without knowing his or hers password. Note though this is like logging in on a mashine, after X failed attempt it's likely that the account is locked/disabled!

Yours Truly MÃ¥rten :-)

Yours sincerely Marten

xgbnow · July 18th, 2003, 08:24 AM

I agree with pgtips

"Nobody does this sort of thing. A fundamental of the windows user interface is that you only log-on once - how fed-up would you be if every time you opened a program it asked you to provide your password again?"

I think you need to define what they are trying to accomplish.

In many of my programs I use a username and password. Mainly it is to provide various levels of access. If a user opens the program without logging on then they have limits or I may have an engineering level of access that allows certain configuration settings. It has helped to make my programs more dynamic and configurable. But the username and password scheme that I am using is independent of Windows security. I use a level of encryption and have created a dll and a standard interface. Over time we have developed a method of controlling access to forms by using the HelpContextID property to make the menus dynamic based on user login and group.

So, I think it is important to find out the "Why" as well as the "What".

Larry Asher

pgtips · August 14th, 2003, 07:33 AM

Doug, I don't know if you're still interested in this but, for the sake of the archive, I stumbled across this interesting piece of code which uses the LogonUser WinAPI function to validate a given user name and password (note, though, that it does not get the current password of the user)

Code:

Private Declare Function LogonUser Lib "Advapi32" Alias "LogonUserA" (ByVal _
    lpszUserName As String, ByVal lpszDomain As String, _
    ByVal lpszPassword As String, ByVal dwLogonType As Long, _
    ByVal dwLogonProvider As Long, phToken As Long) As Long
Private Declare Function CloseHandle Lib "kernel32" (ByVal hObject As Long) As _
    Long
Const LOGON32_PROVIDER_DEFAULT = 0&
Const LOGON32_LOGON_NETWORK = 3&

' Check whether a username/password pair is correct
'
' if DOMAIN is omitted, it uses the local account database
' and then asks trusted domains to search their account databases
' until it finds the account or the search is exhausted
' use DOMAIN="." to search only the local account database

Private Function CheckWindowsUser(ByVal UserName As String, _
    ByVal Password As String, Optional ByVal Domain As String) As Boolean

    Dim hToken As Long, ret As Long

    ' provide a default for the Domain name
    If Len(Domain) = 0 Then Domain = vbNullString
    ' check the username/password pair
    ' using LOGON32_LOGON_NETWORK delivers the best performance
    ret = LogonUser(UserName, Domain, Password, LOGON32_LOGON_NETWORK, _
        LOGON32_PROVIDER_DEFAULT, hToken)

    ' a non-zero value means success
    If ret Then
        CheckWindowsUser = True
        CloseHandle hToken
    End If

End Function

BTW I found it on http://www.vb2themax.com

rgds
Phil

voimap · November 4th, 2003, 04:46 AM

I agree with pgtipsb also!

It's not easy to get the active directory accounts and their passwords. I got a same situation, my application would like to check if user and password existing in Active Directory. And I tried to run the code of pgtips but it didn't run. The LogonUser function always return O, means failed. I also tried to search on Microsoft but I couldn't fix that bug.

My Domain Controller run on Advance Server 2000, and Client run on Professional Windows 2000.

Does any guy have solutions to solve this?

Thanks,

Thanh.

jeffreyc · November 8th, 2004, 05:35 PM

Hello Phil, If I really need to get password hash of a user from Active Directory, how can I do that. It seems that it is not in user information fetched from AD. Thank you. Jeffrey

Quote:

quote:Originally posted by pgtips
Doug, it just ain't that easy I'm afraid. The main stumbling block is that you cannot retrieve any user's Windows password through any means. Think about it, its a hacker's dream if you could write a program to look up a user and get his/her password. Even Windows doesn't know what the actual passwords are because it uses a common cryptographic technique known as "hashing". The closest you could attempt is to find out which hashing algorithm Windows uses, generate the hash yourself from the password input, then compare it to the hash stored by Windows...quite an ask for your first VB program.

Nobody does this sort of thing. A fundamental of the windows user interface is that you only log-on once - how fed-up would you be if every time you opened a program it asked you to provide your password again?

Sorry to be unhelpful, but I think that whoever is asking you to provide this password check needs to re-think exactly what they're trying to achieve by this - and then find a better way to achieve that.

regards
Phil

nemovyoh · April 21st, 2005, 09:17 PM

The code provided by pgtips is not working, it always return TRUE even if i pass in wrong information to it

....any idea on how to checking whether current user is the valid Window user by prompting them to key in they login name and password again ?