2

The project I am working on will integrate with the customer's Active Directory in order to authenticate users. I have been trying to write some code that will retrieve a user's password and I understand that Active Directory will only expose the relevant properties over an SSL connection on port 636.

The following code connects programmatically without using SSL but then I can't see the password properties:

using System;
using System.DirectoryServices;

class Program
{
    static void Main(string[] args)
    {
        // Plain LDAP (port 389) with a simple bind: the connection works,
        // but no password attribute shows up in the property list.
        DirectoryEntry entry = new DirectoryEntry(@"LDAP://<IP>/CN=LDAP Test,CN=Users,DC=customer,DC=com");
        entry.AuthenticationType = AuthenticationTypes.None;
        entry.Username = "CN=LDAP Test,CN=Users,DC=customer,DC=com";
        entry.Password = "<password>";
        if (entry != null)
        {
            // Enumerating PropertyNames forces the bind and the attribute read.
            foreach (Object propName in entry.Properties.PropertyNames)
            {
                Console.WriteLine((String)propName);
            }
        }
    }
}

When I change the code to use SSL I get an exception stating 'Unknown error (0x80005000)'.

I have enabled SSL on the server hosting Active Directory, installed a Microsoft CA on the same server and obtained a certificate from the CA.

I can connect to the Active Directory over SSL using Apache Directory Studio but that does not show the password properties.

The following code shows what I have been trying to use to connect using SSL:

using System;
using System.DirectoryServices;

class Program
{
    static void Main(string[] args)
    {
        // Note: ADSI only understands the LDAP:// moniker; SSL is requested with
        // port 636 plus AuthenticationTypes.SecureSocketsLayer. An unrecognised
        // prefix such as LDAPS:// is rejected with 0x80005000 (E_ADS_BAD_PATHNAME),
        // which is the "Unknown error" reported above. The path is left as posted.
        DirectoryEntry entry = new DirectoryEntry(@"LDAPS://<IP>:636/CN=LDAP Test,CN=Users,DC=customer,DC=com");
        entry.AuthenticationType = AuthenticationTypes.SecureSocketsLayer;
        entry.Username = "CN=LDAP Test,CN=Users,DC=customer,DC=com";
        entry.Password = "<password>";
        if (entry != null)
        {
            foreach (Object propName in entry.Properties.PropertyNames)
            {
                Console.WriteLine((String)propName);
            }
        }
    }
}

I'm not sure where to go with this and some assistance would be greatly appreciated.

James Watt
  • Related: http://stackoverflow.com/questions/287100/setting-up-ssl-in-active-directory-how-to/291826 – Robert Harvey Aug 04 '09 at 18:04
  • The ADAM FAQ is here: http://www.microsoft.com/windowsserver2003/adam/ADAMfaq.mspx#EOD – Robert Harvey Aug 04 '09 at 18:13
  • The title for this question is misleading, it should be something like, "How can I retrieve a user's password from Active Directory?" It has nothing to do with "connect to Active Directory with SSL enabled?" – Bratch Dec 02 '10 at 00:12

2 Answers

2

I have been trying to write some code that will retrieve a user's password...

This is unrelated to your SSL problem, but I don't think retrieving a user's password from Active Directory is possible. It only stores a hash and that's why you aren't receiving any kind of "password" property when querying the user's properties.

Updated Answer

After reading your comment, it appears you're looking for the unicodePwd attribute, which contains the security hash. According to the MSDN information, writing to that attribute requires the special SSL connection, but you still won't be able to read it because it's a write-only attribute.

Specifically from MSDN:

The unicodePwd attribute is never returned by an LDAP search.

Here's also a forum post that I found that seems to say the same thing:

The users' password is stored in the Active Directory on a user object in the unicodePwd attribute. This attribute can be written under restricted conditions, but it cannot be read due to security reasons. (Source)

Lance McNearney
  • It's the hash that I'm after. I admit my post could have been clearer about that. The intent is to compare or authorise a hash received from another system with the hash stored in Active Directory. – James Watt Aug 05 '09 at 16:12
0

Try adding the server's certificate and root certificate to your local store. The easiest way to do this is to use IE to connect to https://your.domain.controller:636. Then click through all the certificate screens and add them to your store.

Andrew Strong
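The two answers together describe what actually works here: authenticate the user by binding over LDAPS with a server certificate that chains to a trusted CA, and accept that unicodePwd is never returned by a search. The following is an added example (not code from the question or from either answer) that does exactly that with System.DirectoryServices.Protocols instead of ADSI, so the LDAP:// versus LDAPS:// moniker problem does not arise. The host name dc.customer.com, the IsTrusted helper and the LDAP_TEST_PASSWORD environment variable are assumptions; the DNs are the ones used in the question.

```csharp
// Added example, not from the question or either answer. Assumes a domain
// controller reachable as dc.customer.com on 636 and the test account from the
// question, with its password supplied via the LDAP_TEST_PASSWORD variable.
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

static class LdapsAuth
{
    const string Host = "dc.customer.com";                              // assumed
    const string UserDn = "CN=LDAP Test,CN=Users,DC=customer,DC=com";   // from the question
    const string SearchBase = "CN=Users,DC=customer,DC=com";

    static void Main()
    {
        string password = Environment.GetEnvironmentVariable("LDAP_TEST_PASSWORD");

        // Port 636 plus SecureSocketLayer = true is LDAPS; no special URL prefix is needed.
        var conn = new LdapConnection(new LdapDirectoryIdentifier(Host, 636));
        conn.SessionOptions.SecureSocketLayer = true;
        conn.SessionOptions.ProtocolVersion = 3;
        conn.SessionOptions.VerifyServerCertificate = (c, cert) => IsTrusted(cert);
        conn.AuthType = AuthType.Basic;   // simple bind: acceptable only because the channel is TLS
        conn.Credential = new NetworkCredential(UserDn, password);

        try
        {
            // A successful bind is the authentication check: the DC verified the password.
            conn.Bind();
            Console.WriteLine("Bind succeeded: credentials are valid.");
        }
        catch (LdapException ex)
        {
            // Wrong password, or a TLS handshake rejected by IsTrusted, both land here.
            Console.WriteLine("Bind failed: " + ex.Message);
            return;
        }

        // Ask for unicodePwd explicitly; the entry comes back without it.
        var request = new SearchRequest(SearchBase, "(cn=LDAP Test)", SearchScope.Subtree,
                                        "unicodePwd", "sAMAccountName");
        var response = (SearchResponse)conn.SendRequest(request);
        foreach (SearchResultEntry entry in response.Entries)
        {
            bool hasPwd = entry.Attributes.Contains("unicodePwd");
            Console.WriteLine(entry.DistinguishedName + " returned unicodePwd: " + hasPwd);
        }
    }

    // Assumed helper: accept the server certificate only if it chains to a root in
    // the local machine store (what importing the CA certificate achieves) and its
    // DNS name matches the host we intended to talk to. X509Chain does not check
    // the host name on its own, so that comparison is done here explicitly.
    static bool IsTrusted(X509Certificate cert)
    {
        var cert2 = new X509Certificate2(cert);
        var chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        bool chainOk = chain.Build(cert2);
        bool nameOk = string.Equals(cert2.GetNameInfo(X509NameType.DnsName, false), Host,
                                    StringComparison.OrdinalIgnoreCase);
        return chainOk && nameOk;
    }
}
```

The design point is that the application never handles a stored hash at all: the domain controller does the comparison during the bind, and the code only learns whether it succeeded. If the bind fails with a certificate error rather than an invalid-credentials error, the CA certificate is missing from the machine's trust store, which is the situation the second answer addresses.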