C# LDAPS: Why are the username and password incorrect on SSL when they work on non-SSL, and are my changes enough?

Regarding Microsoft's upcoming change to only support LDAPS, we are editing our LDAP connection code to get it to work with LDAPS on port 636.

In the non-SSL version we use the following to connect:

    // Plain LDAP on port 389; the three-argument constructor uses the default authentication type
    var rootDirectoryEntryPath = "LDAP://ad-server.company.local:389/DC=company,DC=local";
    var entry = string.IsNullOrEmpty(currentModel.DomainUserName)
        ? new DirectoryEntry(rootDirectoryEntryPath)
        : new DirectoryEntry(rootDirectoryEntryPath, currentModel.DomainUserName, currentModel.DomainUserPassword);

To support LDAPS I changed it to the following:

    DirectoryEntry entry;
    if (currentModel.UseSSL)
    {
        // LDAPS branch: port 636, credentials passed with AuthenticationTypes.SecureSocketsLayer only
        var rootDirectoryEntryPath = "LDAP://ad-server.company.local:636/DC=company,DC=local";
        entry = string.IsNullOrEmpty(currentModel.DomainUserName)
            ? new DirectoryEntry(rootDirectoryEntryPath)
            : new DirectoryEntry(rootDirectoryEntryPath, currentModel.DomainUserName, currentModel.DomainUserPassword, AuthenticationTypes.SecureSocketsLayer);
    }
    else
    {
        // Plain LDAP branch: port 389, three-argument constructor (default authentication type)
        var rootDirectoryEntryPath = "LDAP://ad-server.company.local:389/DC=company,DC=local";
        entry = string.IsNullOrEmpty(currentModel.DomainUserName)
            ? new DirectoryEntry(rootDirectoryEntryPath)
            : new DirectoryEntry(rootDirectoryEntryPath, currentModel.DomainUserName, currentModel.DomainUserPassword);
    }

My problem is that this code works when UseSSL is false, but when using the secure version we get an exception:

errorCode: 80090308: LdapErr: DSID-0C09041C, comment: AcceptSecurityContext error, data 52e, v4563
errorCode: System.DirectoryServices.DirectoryServicesCOMException (0x8007052E): The user name or password is incorrect.

How is it possible that the 389 call works but the 636 gives a username / password error? Username and password are the same for both calls.

And is the above change the only thing I would need to comply with the upcoming Microsoft change? I tried searching, but regarding the Microsoft change issue I did not find the appropriate results.

Edit 1 (07-04-2020 (dd-MM-yyyy)): I got the 636 to work with the code below. A very different approach, using the NetworkCredential class suggested by @jdweng.

For the username, must this always be "CN=Name and path" or "domain\username" ? I tried just "Username" but this failed.

The code:

    // Connection target and search base, as used in the snippets above
    var identifier = new LdapDirectoryIdentifier("ad-server.company.local", 636);
    var companyDN = "DC=company,DC=local";

    // Callback referenced below; in this test it always returns true, accepting any server certificate
    bool VerifyServerCertificate(LdapConnection conn, X509Certificate certificate) => true;

    NetworkCredential creds = new NetworkCredential("company\\username", "password");
    LdapConnection connection = new LdapConnection(identifier, creds)
    {
        AuthType = AuthType.Basic,
        SessionOptions =
        {
            ProtocolVersion = 3,
            SecureSocketLayer = true
        }
    };

    connection.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback(VerifyServerCertificate);

    SearchRequest searchRequest = new SearchRequest(companyDN, "(&(objectClass=user))", System.DirectoryServices.Protocols.SearchScope.Subtree, null);

    try
    {
        connection.Bind();
        var response = (SearchResponse)connection.SendRequest(searchRequest);

        Console.WriteLine(response.Entries.Count);
    }
    catch (Exception e)
    {
        Console.WriteLine($"{e}");
    }

The 'VerifyServerCertificateCallback' callback in my test for now always returns true, as a test.

Is there any way to also get this approach with LdapConnection and NetworkCredential to work with DirectorySearcher?

c#
ssl
ldap
asked on Stack Overflow Apr 6, 2020 by WeB • edited Apr 7, 2020 by WeB
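An added example (not the question's code, and not an answer from the thread) that assembles the LDAPS pieces discussed above: a DirectoryEntry that keeps AuthenticationTypes.Secure alongside SecureSocketsLayer, and an LdapConnection whose certificate callback validates the chain and host name instead of returning true. The host and base DN are the question's; the class and method names are chosen here and the domain is an example.

```csharp
using System;
using System.DirectoryServices;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added example: LDAPS (port 636) clients for both APIs discussed in the question.
// Host and base DN are the question's; LdapsClient and its methods are names chosen here.
static class LdapsClient
{
    const string Host = "ad-server.company.local";
    const string BaseDn = "DC=company,DC=local";

    // DirectoryEntry's three-argument constructor defaults to AuthenticationTypes.Secure (Negotiate);
    // SecureSocketsLayer alone means a simple bind, which AD rejects (52e) for a bare account name.
    public static DirectoryEntry CreateEntry(string user, string password)
    {
        var path = "LDAP://" + Host + ":636/" + BaseDn;
        return new DirectoryEntry(path, user, password,
            AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer);
    }

    // LdapConnection with a simple bind: AD accepts a DN, "DOMAIN\\user" or a UPN such as
    // user@company.local here; a bare sAMAccountName fails with data 52e.
    public static LdapConnection Connect(NetworkCredential creds)
    {
        var identifier = new LdapDirectoryIdentifier(Host, 636);
        var connection = new LdapConnection(identifier, creds, AuthType.Basic)
        {
            SessionOptions = { ProtocolVersion = 3, SecureSocketLayer = true }
        };
        connection.SessionOptions.VerifyServerCertificate =
            (conn, cert) => IsTrustedServerCertificate(Host, cert);
        connection.Bind(); // throws LdapException on bad credentials or a rejected certificate
        return connection;
    }

    // Replaces the test callback that returns true: builds the chain against the machine
    // trust store and requires the certificate's DNS name to match the host we connected to.
    public static bool IsTrustedServerCertificate(string expectedHost, X509Certificate certificate)
    {
        var cert2 = new X509Certificate2(certificate);
        var chain = new X509Chain(); // default policy: online revocation checking
        if (!chain.Build(cert2))
            return false;
        // Simplification: GetNameInfo yields the first DNS name (SAN, else CN); no wildcard matching.
        var certHost = cert2.GetNameInfo(X509NameType.DnsName, false);
        return string.Equals(certHost, expectedHost, StringComparison.OrdinalIgnoreCase);
    }
}
```

A DirectorySearcher can be built on the DirectoryEntry returned by CreateEntry, so the Secure | SecureSocketsLayer entry is the route to searches over port 636 with that API.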

0 Answers

Nobody has answered this question yet.


User contributions licensed under CC BY-SA 3.0