In reality I'm debugging a C# app but since the same command is possible in PowerShell I'm trying there.
I am trying to validate user accounts using the following in PowerShell:
> Add-Type -AssemblyName System.DirectoryServices.AccountManagement
> $ds = New-Object System.DirectoryServices.AccountManagement.PrincipalContext("domain", "<domain>", "<OuDN>", "negotiate", "<username>", "<password>")
> $ds.ValidateCredentials("<username>", "<password>", "negotiate")
The last command always returns false, I've verified the credentials are correct by logging in with them. We've turned of NTLM authentication in the environment, and i can see each time i execute ValidateCredentials()
an NTLM connection by lsass.exe is blocked (event ID 4002 in event viewer). I turned on Kerberos logging but no events are generated in the event viewer when trying to validate. This is turn leads me to believe it doesn't even attempt Kerberos authentication, but i might be wrong here.
I've verified that SPNs for the computer exists with setspn -L
, and since Kerb authentication works everywhere else in the system I'm not sure it's a misconfiguration.
Update:
I found a solution but not posting it as answer yet since i still have some weird behavior. I added @<domain>
to the username and this works in the C# app I'm debugging, but running the exact same command in PowerShell still returns false, although now i get a KDC_ERR_PREAUTH_FAILED
in the event viewer.