
I am trying to connect to an instance of Active Directory Lightweight Directory Services 2008 R2 via a secured SSL connection from a .NET 4 web service, and I'm getting the error "The server is not operational."

  • I am using a user which was created using the ADSI Editor and placed in the Administrator Role.
  • I am able to login/connect via ADSI editor with this user using SSL and simple binding, and
  • I can connect with the web service using the same user credentials but using the non-SSL port.
  • I am using the distinguished name and
  • the user is definitely not inactive.

Here is the code that I use to bind:

    using System.DirectoryServices;

    // Bind over LDAPS (port 636) using the server's IP address; this is the version that fails.
    DirectoryEntry entry = new DirectoryEntry("LDAP://2.2.2.2:636/DC=nfa,DC=local");
    entry.Username = "CN=ldapadmin,DC=nfa,DC=local";
    entry.Password = "P@ssw0rd";
    entry.AuthenticationType = AuthenticationTypes.SecureSocketsLayer;

I have tried it like this as well:

    // Same bind, with the credentials and authentication type passed to the constructor.
    DirectoryEntry entry2 = new DirectoryEntry("LDAP://2.2.2.2:636/DC=nfa,DC=local",
                                               "CN=ldapadmin,DC=nfa,DC=local",
                                               "P@ssw0rd",
                                               AuthenticationTypes.SecureSocketsLayer);

user835440 (edited by rae1)

  • Is there a port that needs to be opened? – KennyZ May 22 '12 at 12:51
  • I believe the port is open as I can login through port 636 via adsi editor. Hence a bit of frustration. – user835440 May 22 '12 at 12:58
  • Ports and permissions are the only things I can remember that gave me those kinds of problems in my AD projects...sorry. – KennyZ May 22 '12 at 13:09
  • I just got it sorted, bit of a silly one. As we are using certificates generated on the server I had to use the name rather than the IP and add an entry in the hosts file. Thanks – user835440 May 22 '12 at 13:17
  • Can you put your last comment as the answer? It can be helpful for other people. – JPBlanc May 23 '12 at 04:30
  • Why is the entry in the hosts file required? It is for me too, but I don't understand why, when doing an nslookup on the domain name it resolves to the same IP... – Carl Björknäs Jun 29 '16 at 12:07

2 Answers

The server needs an SSL certificate installed that meets the documented requirements. Test connectivity with LDP. You will need to connect using the fully qualified domain name of the machine. Replace the IP address above with the FQDN and you should be all set.

Colin Bowern

As @ColinBowern mentions you need to provide the Fully Qualified Domain Name (FQDN) instead of the IP since the certificate was issued to the FQDN.

First, verify that the certificate registered with the AD LDS on the remote machine is correctly installed:

  1. Run certmgr.
  2. Verify the Certificate Authority (CA) that issued the certificate exists in the Trusted Root Certification Authority\Certificates store.
  3. Verify the certificate exists in the Personal\Certificates store with the correct FQDN (the domain name of the remote machine), issued by the above CA and of type "Server Authentication".

Second, the FQDN might not resolve correctly to the remote machine due to a DNS registration error. Verify that the hosts file (located at C:\Windows\System32\drivers\etc) for the local machine maps the correct IP to the FQDN (as shown in the certificate name). If no entry exists, it needs to be added:

    192.168.1.34    domain.name    # <-- FQDN as shown in the certificate
rae1
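The following is an added example, not code from the question or from either answer above. It covers both points the answers make: it shows why the IP-based path fails the certificate check while the FQDN passes it (Colin Bowern's answer), and it exposes the chain and name errors that the certmgr and hosts-file steps fix by hand (rae1's answer), and then performs the question's DirectoryEntry bind with the FQDN. The server's FQDN (`adlds01.nfa.local`) and the `LDAP_PASSWORD` environment variable are assumptions, as the page never gives them; the IP, bind DN and partition are the question's own.

```csharp
// Added example (not from the question or answers). Diagnoses the LDAPS
// certificate name/chain check and then binds to AD LDS using the FQDN.
// Assumptions not on the page: server FQDN adlds01.nfa.local, password in
// the LDAP_PASSWORD environment variable.
using System;
using System.DirectoryServices;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

static class LdapsDiagnostics
{
    const string ServerIp = "2.2.2.2";                // from the question
    const string ServerFqdn = "adlds01.nfa.local";    // assumed; must match the certificate's subject/SAN
    const int LdapsPort = 636;
    const string BindDn = "CN=ldapadmin,DC=nfa,DC=local";
    const string Partition = "DC=nfa,DC=local";

    // Opens a raw TLS session to the LDAPS port (LDAPS is TLS from the first byte,
    // so no LDAP traffic is needed) and returns the validation errors Schannel
    // reports for the given TLS name. connectTo and tlsName are separate on
    // purpose: the socket can go to the IP while the certificate is checked
    // against the FQDN, which is what the hosts-file entry lets DirectoryEntry do.
    static SslPolicyErrors ProbeLdaps(string connectTo, string tlsName)
    {
        SslPolicyErrors seen = SslPolicyErrors.None;
        Console.WriteLine("Probing " + connectTo + ":" + LdapsPort + " with TLS name '" + tlsName + "'");
        try
        {
            using (var tcp = new TcpClient(connectTo, LdapsPort))
            using (var tls = new SslStream(tcp.GetStream(), false,
                (sender, cert, chain, errors) =>
                {
                    seen = errors;
                    var c2 = new X509Certificate2(cert);
                    Console.WriteLine("  server presented: " + c2.Subject + " (issuer: " + c2.Issuer + ")");
                    Console.WriteLine("  DNS name in cert: " + c2.GetNameInfo(X509NameType.DnsName, false));
                    if (chain != null)
                        foreach (var s in chain.ChainStatus)
                            Console.WriteLine("  chain status: " + s.Status + " " + s.StatusInformation.Trim());
                    // Return the real verdict. Returning true unconditionally is the
                    // usual "fix" for this error; it silently disables the check that
                    // stops an impostor server from collecting the ldapadmin password.
                    return errors == SslPolicyErrors.None;
                }))
            {
                tls.AuthenticateAsClient(tlsName);
                Console.WriteLine("  handshake OK (" + tls.SslProtocol + ")");
            }
        }
        catch (AuthenticationException ex)
        {
            Console.WriteLine("  handshake rejected: " + ex.Message);
        }
        catch (SocketException ex)
        {
            // Name did not resolve or port closed: no certificate was obtained at all.
            Console.WriteLine("  connect failed: " + ex.Message);
            seen = SslPolicyErrors.RemoteCertificateNotAvailable;
        }
        return seen;
    }

    // The question's DirectoryEntry bind with the FQDN in place of the IP.
    static void BindWithFqdn(string password)
    {
        string path = "LDAP://" + ServerFqdn + ":" + LdapsPort + "/" + Partition;
        using (var entry = new DirectoryEntry(path, BindDn, password, AuthenticationTypes.SecureSocketsLayer))
        {
            // DirectoryEntry binds lazily; reading a property forces the bind, so a
            // bad certificate or name surfaces here rather than on first real use.
            entry.RefreshCache(new[] { "distinguishedName" });
            Console.WriteLine("Bound as " + BindDn + " to " + entry.Path);
        }
    }

    static void Main()
    {
        // Name check against the IP: passes only if the certificate has an iPAddress SAN.
        Console.WriteLine("Result: " + ProbeLdaps(ServerIp, ServerIp));
        // Socket still goes to the IP, but the certificate is matched against the FQDN.
        Console.WriteLine("Result: " + ProbeLdaps(ServerIp, ServerFqdn));
        // What DirectoryEntry does: resolve the FQDN and check the certificate against it.
        Console.WriteLine("Result: " + ProbeLdaps(ServerFqdn, ServerFqdn));

        string password = Environment.GetEnvironmentVariable("LDAP_PASSWORD");
        if (string.IsNullOrEmpty(password))
        {
            Console.WriteLine("Set LDAP_PASSWORD to attempt the DirectoryEntry bind.");
            return;
        }
        BindWithFqdn(password);
    }
}
```

The three probes separate the two things the answers ask you to fix. Passing the IP as the TLS name asks Schannel to match the certificate against "2.2.2.2", which a certificate issued to the server's name cannot satisfy; passing the FQDN while the socket still goes to the IP shows that the name check depends only on the name you ask for, not on how it was resolved, which is why the hosts entry merely has to make the FQDN resolvable for `DirectoryEntry`. Chain errors reported in the callback correspond to the missing root CA that rae1's certmgr steps check for. The callback returns the genuine verdict; do not replace it with `return true` to make the error go away, as that removes the server authentication that simple binding over LDAPS depends on.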