UserPrincipal Security. Disabling unwanted smart card prompt?


I've an application with a logon screen for users to authenticate themselves against the domain. I've made use of the System.DirectoryServices.AccountManagement PrincipalContext/UserPrincipal classes for this.

    PrincipalContext domain = new PrincipalContext(ContextType.Domain, "mydomain");
    if (domain.ValidateCredentials(UserName, Password))
    {
        //do stuff
    }

This works quite well in the vast majority of cases. However, for a few select people, this "domain.ValidateCredentials" method will automatically prompt for a smart card insertion when it finds that the UserName is valid in the domain. Simply closing the prompt again will allow my application to proceed, but I would much rather get rid of it completely.

[Image: Smart Card Prompt]

I've not had much luck finding a cause/solution for this. Any assistance would be appreciated!


There are 2 best solutions below

1
Gunter De Maeyer On

I had the same problem today as well. The solution that is working for me: adding [System.DirectoryServices.AccountManagement.ContextOptions]'Negotiate' to the ValidateCredentials method:

domain.ValidateCredentials(UserName, Password, [System.DirectoryServices.AccountManagement.ContextOptions]'Negotiate')
0
Joel Mussman On

Adding ContextOptions.Negotiate to the call to ValidateCredentials does solve the problem because this forces using Kerberos or NTLM with the username and password, bypassing asking for the SmartCard: https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.accountmanagement.contextoptions?view=dotnet-plat-ext-6.0.

Since a using statement is probably already in the code to reference AccountManagement, it is much more concise code to simply use the enumeration:

domain.ValidateCredentials(UserName, Password, ContextOptions.Negotiate)
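
The fix from the answers above placed in a complete logon helper, as an added example that is not part of the original posts. The class name `DomainLogon` and method name `TryValidate` are hypothetical, and "mydomain" is the placeholder from the question.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

public static class DomainLogon
{
    // Placeholder domain name taken from the question.
    private const string DomainName = "mydomain";

    // Hypothetical helper: returns true only when the directory accepts the
    // user name and password. 'error' is set when the check could not be made.
    public static bool TryValidate(string userName, string password, out string error)
    {
        error = null;

        // Reject empty input locally instead of sending it to the directory.
        if (string.IsNullOrWhiteSpace(userName) || string.IsNullOrEmpty(password))
        {
            error = "User name and password are required.";
            return false;
        }

        try
        {
            // PrincipalContext holds a directory connection and is IDisposable,
            // so release it as soon as the check is done.
            using (var domain = new PrincipalContext(ContextType.Domain, DomainName))
            {
                // Passing ContextOptions.Negotiate explicitly makes the bind use
                // Kerberos or NTLM with the supplied user name and password,
                // which is what the answers report removes the smart card prompt.
                return domain.ValidateCredentials(userName, password,
                                                  ContextOptions.Negotiate);
            }
        }
        catch (PrincipalServerDownException ex)
        {
            // The domain could not be reached: report that separately so an
            // outage is not shown to the user as a wrong password.
            error = "Domain unavailable: " + ex.Message;
            return false;
        }
    }
}
```

The logon screen can show a generic "logon failed" message when the method returns false with `error` still null, and log `error` when it is set.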