ActiveDirectoryMembershipProvider.ValidateUser(String, String) Method


Verifies that the specified user name and password exist in the Active Directory data store.

 override bool ValidateUser(System::String ^ username, System::String ^ password);
public override bool ValidateUser (string username, string password);
override this.ValidateUser : string * string -> bool
Public Overrides Function ValidateUser (username As String, password As String) As Boolean



The name of the user to validate.


The password for the specified user.


true if the specified username and password are valid; otherwise, false. If the user specified does not exist in the Active Directory data store, the ValidateUser(String, String) method returns false.


The ValidateUser(String, String) method is called before the ActiveDirectoryMembershipProvider instance is initialized.


This method is called by the Membership class to validate user credentials against the Active Directory data store.

If the EnablePasswordReset property is true and the supplied credentials are valid, the user's tracking counters for bad password answers are reset.

The ValidateUser method may return false when the correct credentials are supplied, under the following circumstances:

  1. The user account was locked out by the directory server because of too many failed logon attempts. The user will not be able to log on until the directory's lockout duration passes.

  2. If the EnablePasswordReset property is true, the user account will be locked if the user supplied a bad password answer too many times. The user's account will unlock after the time specified in the PasswordAnswerAttemptLockoutDuration property has passed.

  3. The user must exist in the container specified in the connection string. Valid credentials are supplied for a user account located in a different container or in a different domain. The user must exist in the container specified in the connection string.

When validating a user, the provider validates the credentials by connecting to the Active Directory data store using the specified user name and password, not the credentials configured in the application configuration file.

However, the ActiveDirectoryMembershipProvider instance will connect to the directory using the configured credentials for the following reasons.

  • To confirm that a user exists within the search scope as determined by the ActiveDirectoryMembershipProvider instance's connection string. The provider uses a subtree search starting at the search point specified in the connection string to determine whether a user exists. The user must exist in the specified container. Credentials that are valid outside the connection string's specified container will not be validated. See the ActiveDirectoryMembershipProvider class topic for more information about connection strings.

  • If the EnablePasswordReset property is true, the ActiveDirectoryMembershipProvider instance will use the configured credentials to load the user instance to check whether the user has been locked out because he or she has made too many failed attempts to change the password answer.


Connecting to an Active Directory domain controller with the "Guest" account enabled is a potential security threat. All validation attempts made on an Active Directory domain controller with the "Guest" account enabled will succeed. To improve security when using an Active Directory domain controller, you should disable the "Guest" account on the domain controller.

The ActiveDirectoryMembershipProvider instance will attempt a concurrent bind against Active Directory when one of the following conditions is met:

In addition, for a concurrent bind to be made, the following conditions must be true:

  • The directory server must be running on Windows Server 2003.

  • The operating system of the Web server running the ActiveDirectoryMembershipProvider instance must support concurrent binds (for example, Windows Server 2003).

When a concurrent bind is used, the last logon date for the user is not updated in the directory; therefore, the LastLoginDate property cannot be relied on.

Leading and trailing spaces are trimmed from the username parameter.

Applies to

See also