I have an ASP.NET website built in C# using forms authentication. We use Active Directory to authenticate users, and everything works fine. But today we realized that you can log in to any account simply by entering a username and clicking "Login" without entering a password! This only happens in a localhost development environment (thank god!), but I don't like it...
I have never seen such behavior before, and I would really like an explanation of how this can happen. Is this a developer feature created by Microsoft? Or did someone in my office add a backdoor without telling the others? I will explore this last option further, but until then - has anyone encountered this before?
Thank you very much in advance!
EDIT:
This means that authentication returns true for every username I choose for it - with an empty password. Other passwords return false.
    using (var context = new PrincipalContext(ContextType.Domain))
    {
        result = context.ValidateCredentials(username, password);
    }
PrincipalContext is the default one from System.DirectoryServices.AccountManagement.
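
A hardened form of the call in the question, added here as an example and not the poster's code: it rejects blank input before anything is sent to the directory (under RFC 4513 an LDAP simple bind with a name and an empty password is an unauthenticated bind, which a server may accept) and passes ContextOptions explicitly. The class and method names are hypothetical.

```csharp
using System;
using System.DirectoryServices.AccountManagement;

// Hypothetical helper (name is an assumption, not from the post).
public static class DirectoryLogin
{
    public static bool IsValid(string username, string password)
    {
        // Fail closed on blank input. A null username and password would make
        // ValidateCredentials check the context's own credentials instead of
        // the user's, and an empty password can turn a bind into an
        // unauthenticated one that the server accepts.
        if (string.IsNullOrWhiteSpace(username) || string.IsNullOrEmpty(password))
        {
            return false;
        }

        // State the bind type explicitly instead of relying on defaults.
        const ContextOptions options =
            ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing;

        try
        {
            using (var context = new PrincipalContext(ContextType.Domain))
            {
                return context.ValidateCredentials(username, password, options);
            }
        }
        catch (PrincipalServerDownException)
        {
            // Directory unreachable: deny the login rather than allow it.
            return false;
        }
    }
}
```

The blank-password check belongs in the server-side login handler, so it applies even when client-side form validation is bypassed.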