PrincipalContext.ValidateCredentials(null, null) does not use credentials supplied in the contructor

[gabeluci]

This came from a question on Stackoverflow: https://stackoverflow.com/questions/50055073/testing-a-principalcontext-using-validatecredentialsnull-null-behaves-une

The documentation of PrincipalContext.ValidateCredentials(String, String) says:

If the username and password arguments are null, the credentials specified in the constructor are validated.

However, this is not what actually happens. It seems to use the default credentials of the running process, rather than the credentials supplied in the constructor of PrincipalContext.

This can be replicated by running a project under credentials that are untrusted on your domain (like a local computer account) then using this code:

        var ctx = new PrincipalContext(ContextType.Domain, "domain.local", "username", "password");
        var valid = ctx.ValidateCredentials(null, null);

Where "username" and "password" are valid on the domain, of course. After this, valid comes out to be false.

I enabled .NET code debugging and found that the credentials passed in the constructor are never passed along during ValidateCredentials. Instead, the null values are passed along (which are then turned into empty strings once they're fed into NetworkCredential).

However, if I run the process under domain credentials, then ValidateCredentials succeeds.

[karelz]

I wonder what is the behavior on .NET Framework? Is it same, or does it do what documentation says?

[tquerec]

The documentation is incorrect. If NULL as passed as username and password the credentials of the current process are validated. .NET core and .NET framework behave the same.

[karelz]

Should we fix the docs then? It is simple - just hit edit button on the linked docs page and submit PR.

[tquerec]

Opened PR with changes dotnet/dotnet-api-docs#92

[gabeluci]

Thanks folks.

[gabeluci]

I just happened to look at this again today, and I realized that the updates made back in April weren't entirely accurate.

Right now, it reads like this:

If the username and password arguments are null, the credentials specified in the constructor are validated. If no credential were specified in the constructor, and the username and password parameters are null, this method validates the default credentials for the current principal.

It still makes reference to the "credentials specified in the constructor". In reality, the credentials specified in the constructor make no difference to this method. It should read something like this:

If the username and password arguments are null, this method validates the default credentials for the current principal.

[karelz]

@gabeluci can you please submit changes directly against docs repo? (there is edit button on doc pages)

[gabeluci]

Sure, I've added dotnet/dotnet-api-docs#580

[tarekgh]

I closing this as it looks the issue is addressed. let's know if this is not the case.