Pass AD password from Mvc web to LdapConnection object securely


Authenticate users to Active Directory via forms-style authentication from an MVC app.


I will use SSL to get the credentials from the user to the authentication controller via an https request. This should keep the password secure during transport. To validate the credentials I will use the LdapConnection.Bind method. Example:

using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security;
public bool ValidateCredentials(string username, SecureString password)
{
    bool valid = false;
    // NetworkCredential accepts the SecureString directly; DomainName is a field of the hosting class
    var creds = new NetworkCredential(username, password, DomainName);
    var identifier = new LdapDirectoryIdentifier("domainController");
    LdapConnection connection = null;
    try
    {
        connection = new LdapConnection(identifier, creds, AuthType.Kerberos);
        connection.Bind(); // throws LdapException when the directory rejects the credentials
        valid = true;
    }
    catch (Exception e) { /* bind failed or domain controller unreachable: valid stays false */ }
    if (connection != null) connection.Dispose();
    return valid;
}

Using SecureString, this should protect the password while connecting to Active Directory.

The Dilemma

When I get the password from the https request and bind it to a controller, it will be passed as a regular string. I will then have to convert it to a SecureString in order to pass it to my ValidateCredentials function. Doing this will create a vulnerability since the password will be in plain text for a short period of time.

How can I keep that string secure the entire time and am I overthinking this?

I'm using PrincipalContext for my non-password related queries but I don't want to use the ValidateCredentials method of that class because it appears that strings are passed as regular string parameters.
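Added example, not code from the question: an ASP.NET MVC login action that takes the model-bound plain string, copies it into a SecureString scoped with `using` so the protected copy is zeroed right after the bind, and hands it to the question's ValidateCredentials method. It assumes that method sits behind a hypothetical IDirectoryAuthenticator interface injected into the controller; LoginModel and AccountController are likewise assumed names.

```csharp
using System;
using System.Security;
using System.Web.Mvc;

// Hypothetical wrapper around the ValidateCredentials(string, SecureString) method from the question.
public interface IDirectoryAuthenticator
{
    bool ValidateCredentials(string username, SecureString password);
}

public class LoginModel
{
    public string Username { get; set; }
    public string Password { get; set; } // arrives from the model binder as an immutable managed string
}

public class AccountController : Controller
{
    private readonly IDirectoryAuthenticator _authenticator;

    public AccountController(IDirectoryAuthenticator authenticator)
    {
        _authenticator = authenticator;
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model)
    {
        // Keep the SecureString alive only for the duration of the bind; Dispose() zeroes its buffer.
        using (var secure = ToSecureString(model.Password))
        {
            if (_authenticator.ValidateCredentials(model.Username, secure))
                return RedirectToAction("Index", "Home");
        }
        // model.Password cannot be overwritten (strings are immutable), so the plain-text copy
        // remains in the managed heap until the garbage collector reclaims it. Do not log the model.
        ModelState.AddModelError("", "Invalid username or password.");
        return View(model);
    }

    // Copies the characters one at a time so no further string copies are created.
    private static SecureString ToSecureString(string value)
    {
        var secure = new SecureString();
        foreach (char c in value ?? string.Empty)
            secure.AppendChar(c);
        secure.MakeReadOnly();
        return secure;
    }
}
```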