C#: How to connect to Active Directory with SSL enabled?


The project I am working on will integrate with the customer's Active Directory in order to authenticate users. I have been trying to write some code that will retrieve a user's password and I understand that Active Directory will only expose the relevant properties over an SSL connection on port 636.

The following code connects programmatically without using SSL but then I can't see the password properties:

using System;
using System.DirectoryServices;

class Program
{
    static void Main(string[] args)
    {
        // Plain LDAP on the default port (389). AuthenticationTypes.None selects a
        // simple bind, so the password below is sent to the DC in clear text.
        DirectoryEntry entry = new DirectoryEntry(@"LDAP://<IP>/CN=LDAP Test,CN=Users,DC=customer,DC=com");
        entry.AuthenticationType = AuthenticationTypes.None;
        entry.Username = "CN=LDAP Test,CN=Users,DC=customer,DC=com";
        entry.Password = "<password>";
        if (entry != null)
        {
            // Lists the attribute names that the bind account is permitted to read.
            foreach (Object propName in entry.Properties.PropertyNames)
            {
                Console.WriteLine((String)propName);
            }
        }
    }
}

When I change the code to use SSL I get an exception stating 'Unknown error (0x80005000)'.

I have enabled SSL on the server hosting Active Directory, installed a Microsoft CA on the same server and obtained a certificate from the CA.

I can connect to the Active Directory over SSL using Apache Directory Studio but that does not show the password properties.

The following code shows what I have been trying to use to connect using SSL:

using System;
using System.DirectoryServices;

class Program
{
    static void Main(string[] args)
    {
        // Note: ADSI registers no "LDAPS:" provider, and an unrecognised scheme in the
        // ADsPath is what produces 0x80005000 (E_ADS_BAD_PATHNAME). SSL is selected by
        // the SecureSocketsLayer flag and port 636, not by the scheme name.
        DirectoryEntry entry = new DirectoryEntry(@"LDAPS://<IP>:636/CN=LDAP Test,CN=Users,DC=customer,DC=com");
        entry.AuthenticationType = AuthenticationTypes.SecureSocketsLayer;
        entry.Username = "CN=LDAP Test,CN=Users,DC=customer,DC=com";
        entry.Password = "<password>";
        if (entry != null)
        {
            foreach (Object propName in entry.Properties.PropertyNames)
            {
                Console.WriteLine((String)propName);
            }
        }
    }
}

I'm not sure where to go with this and some assistance would be greatly appreciated.

c#
ssl
active-directory
asked on Stack Overflow Aug 4, 2009 by James Watt

2 Answers


I have been trying to write some code that will retrieve a users password...

This is unrelated to your SSL problem, but I don't think retrieving a user's password from Active Directory is possible. It only stores a hash and that's why you aren't receiving any kind of "password" property when querying the user's properties.

Updated Answer

After reading your comment, it appears you're looking for the unicodePwd attribute which contains the security hash. According to the MSDN information, writing to that attribute requires the special SSL connection but you still won't be able to read it because it's a write-only attribute.

Specifically from MSDN:

The unicodePwd attribute is never returned by an LDAP search.

Here's also a forum post that I found that seems to say the same thing:

The users' password is stored in the Active Directory on a user object in the unicodePwd attribute. This attribute can be written under restricted conditions, but it cannot be read due to security reasons. (Source)

answered on Stack Overflow Aug 4, 2009 by Lance McNearney • edited Aug 6, 2009 by Lance McNearney

Try adding the server's certificate and root certificate to your local store. The easiest way to do this is to use IE to connect to https://your.domain.controller:636. Then click through all the certificate screens and add them to your store.

answered on Stack Overflow Aug 4, 2009 by Andrew Strong
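The following is an added example and is not code from the question or from either answer. It covers both points raised on this page: the LDAPS connection the question is trying to make (here with System.DirectoryServices.Protocols, so the server certificate is validated explicitly against a pinned CA root rather than whatever happens to be in the machine store, which is the concern behind the second answer), and the write-only nature of unicodePwd from the accepted answer: a search never returns it, but it can be replaced over the TLS session using the quoted UTF-16LE encoding that Active Directory requires. The host name dc01.customer.com, the user DN, the UPN, the root-CA thumbprint and all passwords are placeholders.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not code from the original question or answers.
// Host, DNs, thumbprint and passwords below are placeholders.
static class LdapsDemo
{
    // Thumbprint of the customer's CA root that issued the DC's certificate (placeholder).
    const string TrustedRootThumbprint = "0000000000000000000000000000000000000000";

    // Validates the certificate the DC presented: chain must build, the root must be
    // the pinned CA, and the subject DNS name must be the host we dialled.
    static bool ValidateServerCertificate(string expectedHost, X509Certificate cert)
    {
        var cert2 = new X509Certificate2(cert);
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        if (!chain.Build(cert2))
            return false;                                   // untrusted, expired or revoked
        var root = chain.ChainElements[chain.ChainElements.Count - 1].Certificate;
        if (!string.Equals(root.Thumbprint, TrustedRootThumbprint, StringComparison.OrdinalIgnoreCase))
            return false;                                   // some other CA, not ours
        // Simple name check; wildcard and multiple-SAN certificates are not handled here.
        string certHost = cert2.GetNameInfo(X509NameType.DnsName, false);
        return string.Equals(certHost, expectedHost, StringComparison.OrdinalIgnoreCase);
    }

    // Opens an implicit-TLS ("LDAPS") session on 636 and performs a simple bind.
    static LdapConnection ConnectLdaps(string host, string bindDn, string bindPassword)
    {
        // An empty password turns a simple bind into an anonymous bind that succeeds,
        // which would let an empty form field "authenticate" a user. Refuse it up front.
        if (string.IsNullOrEmpty(bindPassword))
            throw new ArgumentException("empty password would become an anonymous bind");

        var id = new LdapDirectoryIdentifier(host, 636, true, false);
        var conn = new LdapConnection(id);
        conn.AuthType = AuthType.Basic;                      // simple bind, acceptable only under TLS
        conn.Credential = new NetworkCredential(bindDn, bindPassword);
        conn.SessionOptions.ProtocolVersion = 3;
        conn.SessionOptions.SecureSocketLayer = true;       // TLS from the first byte, port 636
        conn.SessionOptions.VerifyServerCertificate =
            (c, cert) => ValidateServerCertificate(host, cert);
        conn.Bind();                                         // throws LdapException on failure
        return conn;
    }

    // Asks explicitly for unicodePwd; the DC omits it from every search result.
    static bool UserHasReadableUnicodePwd(LdapConnection conn, string userDn)
    {
        var req = new SearchRequest(userDn, "(objectClass=user)", SearchScope.Base,
                                    "unicodePwd", "sAMAccountName");
        var resp = (SearchResponse)conn.SendRequest(req);
        if (resp.Entries.Count == 0)
            throw new InvalidOperationException("user not found: " + userDn);
        return resp.Entries[0].Attributes.Contains("unicodePwd");   // always false
    }

    // Replaces the password. AD accepts this only over a TLS-protected session and only
    // as the UTF-16LE encoding of the new password wrapped in double quotes.
    static void SetPassword(LdapConnection conn, string userDn, string newPassword)
    {
        byte[] value = Encoding.Unicode.GetBytes("\"" + newPassword + "\"");
        var mod = new ModifyRequest(userDn, DirectoryAttributeOperation.Replace, "unicodePwd", value);
        conn.SendRequest(mod);                               // DirectoryOperationException on policy failure
    }

    // Authenticating a user means binding as that user, not reading a stored password.
    static bool Authenticate(string host, string userPrincipalName, string password)
    {
        try
        {
            using (ConnectLdaps(host, userPrincipalName, password)) { return true; }
        }
        catch (LdapException ex) when (ex.ErrorCode == 49)   // LDAP invalidCredentials
        {
            return false;
        }
    }

    static void Main()
    {
        const string host = "dc01.customer.com";                              // placeholder
        const string svcDn = "CN=LDAP Test,CN=Users,DC=customer,DC=com";
        const string userDn = "CN=Some User,CN=Users,DC=customer,DC=com";     // placeholder

        using (var conn = ConnectLdaps(host, svcDn, "<service password>"))
        {
            Console.WriteLine("unicodePwd returned by search: " + UserHasReadableUnicodePwd(conn, userDn));
            SetPassword(conn, userDn, "N3w-P@ssw0rd-2009");
        }
        Console.WriteLine("user bind ok: " + Authenticate(host, "someuser@customer.com", "N3w-P@ssw0rd-2009"));
    }
}
```

If you prefer to stay with DirectoryEntry, the equivalent is a path of the form LDAP://dc01.customer.com:636/... (the LDAP: scheme, not LDAPS:) together with AuthenticationTypes.SecureSocketsLayer; in that case Schannel validates the DC's certificate against the machine store, so the path must use the DNS name the certificate was issued for rather than an IP address, and the issuing CA must already be trusted, which is what the second answer's IE procedure achieves.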

User contributions licensed under CC BY-SA 3.0