Contact Active Directory with SSL

Question

I have a method that validates user credentials against Active Directory. I would like to use this method with SSL but I can't get it to work.

The main problem is that I have a server that are outside of our network (is it called DMZ?). And from there I wanna contact my active directory, and that's why I want to use SSL.

When using this on my local computer (not from DMZ) I get this error:

System.DirectoryServices.AccountManagement.PrincipalServerDownException: The server could not be contacted. ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
at System.DirectoryServices.Protocols.LdapConnection.Connect()
at System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request)
at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)

--- End of inner exception stack trace ---
at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoServerVerifyAndPropRetrieval()
at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, ContextOptions options, String userName, String password)
at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, ContextOptions options)
at Authorization.AuthorizeAD.ValidateCredentials(String username, String password)

I figured that it would be good to get it working with SSL from local before I try it from our server.

My method:

public bool ValidateCredentials(string username, string password) {
        using (
            var context = new PrincipalContext(ContextType.Domain, ContextName, ContextContainer,
                ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing |
                ContextOptions.SecureSocketLayer)) {
            return context.ValidateCredentials(username, password);
        }
    }

As said before, without ContextOptions.SecureSocketLayer it works fine (the other three are by default if parameter is null)

Does anyone know how I should use PrincipalContext correct with SSL?

score 5 · Accepted Answer · answered Mar 05 '16 at 23:01

Are you sure it supports SSL and that the firewall is open to allow that connection?

LDAP uses port 389. LDAPS uses port 636.

If you have the telnet client installed, you can use it to check the connectivity:

telnet yourdomain.com 636

If you get a blank screen, it worked. If it can't connect, it will tell you.

If that is open and it still does not work, it could be using a self-signed SSL certificate. Check the Windows event log for certificate-related errors.

I've also used Chrome to check the certificate. You have to run chrome like this:

chrome.exe --explicitly-allowed-ports=636

Then browse to https://yourdomain.com:636 and see if it gives you any certificate errors. Then you can actually see the certificate. If that's the problem, you may be able to import the certificate and explicitly trust it.

It must. LDAP is the only protocol used to communicate with Active Directory. More details: https://technet.microsoft.com/en-us/library/cc961766.aspx — Gabriel Luci, Mar 08 '16 at 04:05

Contact Active Directory with SSL

1 Answers1

Linked