We use Active Directory Application Mode (ADAM) and .NET framework 4.0.
We call PrincipalContext.ValidateCredentials with a valid user name (and a non-empty password) but a string.Empty password, and the method returns true.
If we call with an invalid user name it returns False. If we call with a valid user name but a non-null/non-empty password it returns False. If we use a Null password it returns an exception.
According to the documentation, a call to "PrincipalContext.ValidateCredentials" can return true with user name AND password set to NULL (http://msdn.microsoft.com/en-us/library/bb154889%28v=vs.100%29.aspx).
It's easy to validate the parameter and prevent a Null password, but our security department required a more robust solution: we consider this a bug. Since it's possible to construct a valid PrincipalContext that shows that behavior, what I'm looking for is a fix of the API so that in all use cases, if a user name is provided, the ValidateCredentials call returns True only if the password matches.
I'll post code sample in few