
I have a VMWare machine with Windows Server 2012 and Active Directory installed. The domain name is "cpx.local" and I have created a new user "testad".


I have a C# Winform application so I can test the connection to the LDAP server and then get all the users or groups in the Active Directory.

This is the code that works fine:

    string server = "192.168.238.129";
    string port = "389";
    System.DirectoryServices.Protocols.LdapConnection ldapConnection =
        new System.DirectoryServices.Protocols.LdapConnection(new LdapDirectoryIdentifier(server + ":" + port));

    TimeSpan mytimeout = new TimeSpan(0, 0, 0, 1);
    try
    {
        ldapConnection.AuthType = AuthType.Anonymous;
        ldapConnection.AutoBind = false;
        ldapConnection.Timeout = mytimeout;
        ldapConnection.Bind();

        Console.WriteLine(("Successfully authenticated to ldap server "));

        ldapConnection.Dispose();
    }
    catch (LdapException ex)
    {
        Console.WriteLine(("Error with ldap server "));
        Console.WriteLine((ex.GetType().ToString() + (":" + ex.Message)));
    }

The problem is that if I want to authenticate with the new user "testad" it doesn't work.

I change the AuthType to Basic and set the credentials:

    ldapConnection.AuthType = AuthType.Basic;
    ldapConnection.Credential = new NetworkCredential(@"cpx\testad", "test@D12345", "cpx.local");
    ldapConnection.AutoBind = false;
    ldapConnection.Timeout = mytimeout;
    ldapConnection.Bind();

I get an error (the screenshot is not reproduced here).

I have tried to log in to the Windows Server 2012 with this user and I can log in perfectly.

The interesting thing is that the following code is working fine:

    var dirEntry = new DirectoryEntry(string.Format("LDAP://{0}/{1}", "192.168.238.129:389", "DC=cpx,DC=local"), "testad", "test@D12345");

    var searcher = new DirectorySearcher(dirEntry)
    {
        Filter = "(&(&(objectClass=user)(objectClass=person)))"
    };
    var resultCollection = searcher.FindAll();

Am I doing something wrong with the NetworkCredentials?

  • Have you tried the advice given here? https://stackoverflow.com/questions/11561689/using-c-sharp-to-authenticate-user-against-ldap and here? https://support.microsoft.com/en-us/help/316748/how-to-authenticate-against-the-active-directory-by-using-forms-authen – Quality Catalyst Jul 20 '17 at 00:26
  • Also, use your `ldapConnection` variable inside a `using` statement to ensure the object gets disposed in cases when an exception is thrown. – Quality Catalyst Jul 20 '17 at 00:27

4 Answers


Maybe double-check the credentials. NetworkCredential supports a username without 'cpx\' in front, as the domain is provided:

    ldapConnection.Credential = new NetworkCredential(@"testad", "test@D12345", "cpx.local");

If you set the AuthType to Negotiate, does it work?

AuthType details here

Change:

    ldapConnection.AuthType = AuthType.Basic;

to:

    ldapConnection.AuthType = AuthType.Negotiate;

Regarding the domain name (cpx vs cpx.local), you can take a look at this article about some recommended practices:

http://www.mdmarra.com/2012/11/why-you-shouldnt-use-local-in-your.html

The correct way to name an Active Directory domain is to create a subdomain that is the delegation of a parent domain that you have registered and have control over. As an example, if I ever started a consulting business and used the Internet-facing website mdmarra.com as my company's site, I should name my Active Directory domain ad.mdmarra.com or internal.mdmarra.com, or something similar. You want to avoid making up a TLD like .local and you also want to avoid the headache of using mdmarra.com for the Internet-facing zone and the internal zone.

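Putting the Negotiate suggestion above together with the `using` advice from the comments, here is an added example (not code from the question or from any of the answers) that performs both a Negotiate bind and a simple bind against the same server. The server address, port, domain and user name are the ones from the question; the password is a placeholder.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

class LdapBindExample
{
    // Returns true when Bind() succeeds; the connection is disposed either way.
    static bool TryBind(string server, int port, AuthType authType, NetworkCredential cred)
    {
        using (var conn = new LdapConnection(new LdapDirectoryIdentifier(server, port)))
        {
            conn.AuthType = authType;
            conn.Credential = cred;
            conn.AutoBind = false;
            conn.Timeout = TimeSpan.FromSeconds(5);
            try
            {
                conn.Bind();
                return true;
            }
            catch (LdapException ex)
            {
                // ErrorCode carries the LDAP result code, which is more useful than the message alone.
                Console.WriteLine("{0}: {1} (error code {2})", ex.GetType().Name, ex.Message, ex.ErrorCode);
                return false;
            }
        }
    }

    static void Main()
    {
        const string server = "192.168.238.129";   // from the question
        const int port = 389;
        string password = "<password>";            // placeholder, not the real value

        // Negotiate (Kerberos/NTLM): the password is not sent in the clear, and the domain
        // goes in the Domain property rather than as a "cpx\" prefix on the user name.
        bool ok = TryBind(server, port, AuthType.Negotiate,
                          new NetworkCredential("testad", password, "cpx.local"));
        Console.WriteLine("Negotiate bind: " + (ok ? "OK" : "failed"));

        // Basic (simple) bind: the password crosses the wire in cleartext on port 389,
        // so only use it over LDAPS (636) or after StartTLS. The UPN form is used here.
        ok = TryBind(server, port, AuthType.Basic,
                     new NetworkCredential("testad@cpx.local", password));
        Console.WriteLine("Basic bind: " + (ok ? "OK" : "failed"));
    }
}
```

Run it with the real password substituted; if Negotiate succeeds while Basic fails, the problem is in how the simple-bind user name is formed rather than in the account itself.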

Change: ldapConnection.AutoBind = false;

to: ldapConnection.AuthType = true;


If using a Linux-based server, the issue can come down to the username. This is why you should use the distinguished name as the username value.