node.js – Active Directory authentication with NodeJS


Because this is the first question that pops up in Google's search results, and it took me quite some time to figure out how to use Active Directory authentication, I'm going to share the solution from this tutorial.

It was very easy to understand and implement compared to other examples I've found on the internet:

npm install --save activedirectory

// Initialize
var ActiveDirectory = require('activedirectory');
var config = {
    url: 'ldap://',               // the host name was lost in the page extraction; point this at your domain controller
    baseDN: 'dc=domain,dc=com'
};
var ad = new ActiveDirectory(config);
var username = '[email protected]';    // the address was redacted in the page extraction; see the note on the suffix below
var password = 'password';

// Authenticate
ad.authenticate(username, password, function(err, auth) {
    if (err) {
        // err is an object such as { lde_message: '...', lde_dn: null }
        console.log('ERROR: ' + JSON.stringify(err));
        return;
    }
    if (auth) {
        console.log('Authenticated!');   // success branch; the body of this branch was lost in the page extraction
    }
    else {
        console.log('Authentication failed!');
    }
});

The most difficult part was to figure out what suffix to use for the username.

I was getting the error:

ERROR: {"lde_message":"80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1\u0000","lde_dn":null}

until I finally set the right suffix; for me it was something like:

var username = '[email protected]';    // the address was redacted in the page extraction
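An added example, not part of the answer above: the "data 52e" in that lde_message is one of the sub-codes Active Directory appends to a failed LDAP bind, and decoding it is what tells you whether the suffix, the password, or the account state is the problem. The code below parses that sub-code, keeps the detail for the server log, and returns the same generic message to the client for every cause (so a login form cannot be used to tell "user not found" from "wrong password"). parseAdBindError, bindFailure and SAMPLE_ERR are names constructed for this example; the only input it relies on is the error object shape ({ lde_message, lde_dn }) shown in the answer.

```javascript
// Added example, not code from the answer above: decode the "data NNN"
// sub-code that Active Directory appends to a failed LDAP bind (the
// lde_message quoted in the answer), log the real cause server-side,
// and hand the client one generic message regardless of cause.

// Well-known sub-codes AD attaches to LDAP result 49 (invalidCredentials).
const AD_BIND_SUBCODES = {
  '525': 'user not found',
  '52e': 'invalid credentials (wrong password, or wrong username suffix)',
  '530': 'not permitted to log on at this time',
  '531': 'not permitted to log on at this workstation',
  '532': 'password expired',
  '533': 'account disabled',
  '701': 'account expired',
  '773': 'user must reset password',
  '775': 'account locked out',
};

// Accepts the error object activedirectory passes to its callback
// ({ lde_message, lde_dn }) or a bare message string.
function parseAdBindError(err) {
  const message = typeof err === 'string' ? err : ((err && err.lde_message) || '');
  const match = /AcceptSecurityContext error, data ([0-9a-f]+)/i.exec(message);
  if (!match) {
    return { code: null, reason: 'unrecognised LDAP error', message };
  }
  const code = match[1].toLowerCase();
  return { code, reason: AD_BIND_SUBCODES[code] || 'unknown AD sub-code', message };
}

// Splits a bind failure into what goes in the server log and what goes
// back to the client. The client message is identical for "user not found"
// (525) and "wrong password" (52e), so the login form cannot be used to
// enumerate valid accounts; the log keeps the detail an admin needs.
function bindFailure(username, err) {
  const parsed = parseAdBindError(err);
  return {
    log: 'AD bind failed for ' + username + ': data ' + (parsed.code || '?') + ' (' + parsed.reason + ')',
    client: { status: 401, body: 'Authentication failed' },
    locked: parsed.code === '775',   // worth alerting on: a burst of lockouts is a password-spray symptom
  };
}

// Constructed sample: the error object from the answer above, in the form
// activedirectory passes it to the authenticate() callback.
const SAMPLE_ERR = {
  lde_message: '80090308: LdapErr: DSID-0C090400, comment: AcceptSecurityContext error, data 52e, v1db1\u0000',
  lde_dn: null,
};

// Example usage (this is what you would put in the err branch of the callback):
const failure = bindFailure('[email protected]', SAMPLE_ERR);
console.log(failure.log);           // detailed line for the server log
console.log(failure.client.body);   // "Authentication failed" for the browser
```

Inside the authenticate callback this replaces the bare JSON.stringify(err): log failure.log, send failure.client to the browser, and treat failure.locked as a signal for your monitoring rather than as something to show the user.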

I got this working by first getting the username that made the request with npm:express-ntlm. Then, with this information, I use npm:activedirectory to query Active Directory for that user's details.

var ntlm = require('express-ntlm');   // npm:express-ntlm

app.use(ntlm({
    domain: process.env.DOMAIN,
    domaincontroller: process.env.DOMAINCONTROLLER
}));

app.use('/', authenticate, require('./routes/index'));

Inside my authenticate middleware I now have access to req.ntlm, which contains

{ DomainName: ...,
  UserName: ...,
  Workstation: ...,
  Authenticated: true }

I set up the ActiveDirectory object, and note bindDN and bindCredentials instead of username and password:

var ad = new ActiveDirectory({
  url: process.env.DOMAINCONTROLLER,
  baseDN: process.env.BASEDN,
  bindDN: process.env.USERNAME,         // service account used to search the directory
  bindCredentials: process.env.PASSWORD
});

Then you can use the ad object like in the npm:activedirectory documentation:

ad.findUser(req.ntlm.UserName, (err, adUser) => {
  // adUser holds the user's directory attributes (or is null if not found)
});

findUser returns things like first and last name and email address, which is all I needed, but you could easily look into groups.
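An added example, not the answer's own code, of what the authenticate middleware described above can look like once req.ntlm and findUser are wired together. It assumes a findUser(name, callback) function with the (err, user-or-null) callback shape of activedirectory's findUser, injected as a parameter so the logic runs without a domain controller; makeAuthenticate, runAuthenticate, fakeFindUser and FAKE_DIRECTORY are constructed for this example. The point it adds to the answer is the check on req.ntlm.Authenticated: express-ntlm attaches req.ntlm to requests, and the directory lookup should only run once that flag is true.

```javascript
// Added example (not the answer's code): an Express-style `authenticate`
// middleware that trusts req.ntlm only after express-ntlm reports a
// completed handshake, then enriches the request with directory
// attributes. `findUser` is injected; with activedirectory you would pass
// ad.findUser.bind(ad).

function makeAuthenticate(findUser) {
  return function authenticate(req, res, next) {
    const ntlm = req.ntlm;
    // Reject anything that did not finish the NTLM handshake, including a
    // missing req.ntlm and an explicit Authenticated: false.
    if (!ntlm || ntlm.Authenticated !== true || !ntlm.UserName) {
      res.status(401).send('Windows authentication required');
      return;
    }
    findUser(ntlm.UserName, (err, adUser) => {
      if (err) { next(err); return; }
      // Authenticated to the domain but not resolvable in our search base:
      // treat as forbidden rather than silently continuing without a user.
      if (!adUser) { res.status(403).send('Account not found in directory'); return; }
      req.user = {
        domain: ntlm.DomainName,
        username: ntlm.UserName,
        displayName: [adUser.givenName, adUser.sn].filter(Boolean).join(' '),
        mail: adUser.mail || null,
      };
      next();
    });
  };
}

// Constructed stand-in for ad.findUser with the same (name, cb) shape.
// Synchronous on purpose so the harness below returns a finished outcome.
const FAKE_DIRECTORY = {
  jsmith: { sAMAccountName: 'jsmith', givenName: 'Jane', sn: 'Smith', mail: 'jsmith@domain.com' },
};
function fakeFindUser(name, cb) {
  cb(null, FAKE_DIRECTORY[String(name).toLowerCase()] || null);
}

// Minimal req/res harness so the middleware can be exercised without Express.
function runAuthenticate(findUser, ntlm) {
  const outcome = { status: 200, body: null, user: null, error: null };
  const req = { ntlm };
  const res = {
    status(code) { outcome.status = code; return this; },
    send(body) { outcome.body = body; },
  };
  makeAuthenticate(findUser)(req, res, (err) => {
    if (err) { outcome.error = err; outcome.status = 500; return; }
    outcome.user = req.user || null;
  });
  return outcome;
}

// Example run with the constructed req.ntlm from a completed handshake:
console.log(runAuthenticate(fakeFindUser, {
  DomainName: 'DOMAIN', UserName: 'jsmith', Workstation: 'WS01', Authenticated: true,
}));
```

In the real app the route line becomes app.use('/', makeAuthenticate(ad.findUser.bind(ad)), require('./routes/index')), and downstream handlers read req.user instead of req.ntlm.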


The configuration object specifies a 10 millisecond timeout. That seems pretty short. Were you going for a 10 second timeout?

JS Documentation

Are you using the LdapConnection.Timeout object in C#? That one expects seconds.

C# Documentation
