
I am trying to connect to LDAP on port 636 but I am getting the error "The server is not operational". If I try to connect to port 389 it connects normally and gets data.

This is the code I am using:

```csharp
DirectoryEntry entry = new DirectoryEntry("LDAP://ldap.domain.com:636/ou=**,ou=**,dc=**,dc=**", "uid=user,OU=**,OU=**,DC=**,DC=**", "password", AuthenticationTypes.None);
```

With this, if I try to connect I get the error "The server is not operational".

But if I change the code to this:

```csharp
DirectoryEntry entry = new DirectoryEntry("LDAP://ldap.domain.com:389/ou=**,ou=**,dc=**,dc=**", "uid=user,OU=**,OU=**,DC=**,DC=**", "password", AuthenticationTypes.None);
```

Or even this, removing the port (which by default I think uses port 389):

```csharp
DirectoryEntry entry = new DirectoryEntry("LDAP://ldap.domain.com/ou=**,ou=**,dc=**,dc=**", "uid=user,OU=**,OU=**,DC=**,DC=**", "password", AuthenticationTypes.None);
```

Then it connects normally and gets data.

Can anyone please help me connect to LDAP through port 636, because in the test server environment I need to connect through 636 and cannot use 389.

Arijit Das

1 Answer


Three things need to happen for LDAP over SSL to work:

  1. You need network connectivity (no firewall in the way). To test this, you can use PowerShell's Test-NetConnection:

     ```powershell
     Test-NetConnection ldap.domain.com -Port 636
     ```

  2. You need to trust the certificate. If it's using a self-signed certificate, then it may not be trusted from the computer that you're downloading it from. There is some PowerShell code here that can download a cert so that you can inspect it. I modified it for use here (just change the $domain to the actual domain):

     ```powershell
     $domain = "ldap.domain.com"
     # An HTTPS request to port 636 performs the TLS handshake, which is all we need to obtain the server certificate
     $webRequest = [Net.WebRequest]::Create("https://$($domain):636")
     try { $webRequest.GetResponse() } catch {}   # the HTTP layer will fail; ignore it, the cert is already captured
     $cert = $webRequest.ServicePoint.Certificate
     $bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
     Set-Content -Value $bytes -Encoding Byte -Path "~\Downloads\$domain.cer"
     ```

     That will put the certificate in your "Downloads" folder. Open the .cer file and it should tell you right away if it's trusted on your machine. If not, then you will need to obtain the root certificate and install it as a Trusted Root Certificate on any machine where this code runs.

  3. The fully-qualified domain name you are using to connect to AD must match the SSL certificate exactly (or one of the "Subject Alternative Names" of the cert). Sometimes, the cert will be issued in the name of the domain controller (e.g. dc1.domain.com), in which case, you must target that specific DC ("LDAP://dc1.domain.com:636") instead of just the name of the domain.
Gabriel Luci
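An added diagnostic (not part of the original answer) that runs the three checks above in order from Python: TCP reachability, chain trust against the OS store, and whether the name you connected with is in the certificate's DNS SANs (or CN), which is what the question ultimately turned out to be. The host and port are whatever the caller passes; `hostname_matches` works on the dict layout returned by `ssl.SSLSocket.getpeercert()`.

```python
import socket
import ssl


def hostname_matches(cert: dict, host: str) -> bool:
    """True if host matches a DNS SAN or, when the cert has no SANs, the subject CN.

    `cert` has the dict shape returned by ssl.SSLSocket.getpeercert().
    A wildcard is honoured only for the left-most label (*.domain.com).
    """
    host = host.lower().rstrip(".")
    names = [v.lower() for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:  # older certs without SANs: fall back to the CN
        names = [v.lower() for rdn in cert.get("subject", ())
                 for k, v in rdn if k == "commonName"]
    for name in names:
        if name.startswith("*."):
            if host.count(".") == name.count(".") and host.endswith(name[1:]):
                return True
        elif name == host:
            return True
    return False


def diagnose_ldaps(host: str, port: int = 636, timeout: float = 5.0) -> str:
    """Run the three checks in order and report the first one that fails."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # check 1: firewall, DNS, or nothing listening
        return f"1 connectivity: cannot reach {host}:{port} ({exc})"
    ctx = ssl.create_default_context()  # verifies the chain against the OS trust store
    ctx.check_hostname = False  # chain is still verified; the name is checked below for a clearer message
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:  # check 2: root not trusted on this machine
        return f"2 trust: certificate chain not trusted ({exc.verify_message})"
    except ssl.SSLError as exc:  # the port answered, but not with TLS
        return f"2 tls: handshake failed on port {port}, is LDAPS enabled there? ({exc})"
    if not hostname_matches(cert, host):  # check 3: FQDN must match the certificate
        sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
        return f"3 name: {host} is not in the cert names {sans}; connect using one of those"
    return "ok: TLS handshake succeeded and the name matches"
```

Call `diagnose_ldaps("ldap.domain.com")` from the machine that runs the `DirectoryEntry` code; the first failing check tells you which of the three points to fix.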
  • Thanks a lot for the detailed answer. I am a bit new to this, so please help me a bit more. I downloaded the certificate, and when I click on it it says "Windows does not have enough information to verify this certificate". What does that mean? Also, can you please elaborate a bit on "If not, then you will need to obtain the root certificate"? Where can I get the root certificate from the AD server? – Arijit Das Mar 04 '19 at 18:45
  • Yes, it would be on your AD domain controller. If you're not the AD admin, then ask them for it. I have never pulled it off a domain controller (I'm not a domain admin), but I think you just need to [export it from the Certificates MMC snap-in, then import it on the client machine](https://www.sslshopper.com/move-or-copy-an-ssl-certificate-from-a-windows-server-to-another-windows-server.html) (when it asks, you don't need the private key for this). – Gabriel Luci Mar 04 '19 at 19:11
  • @BernhardThalmayr Not with `DirectoryEntry`, no. You still use `LDAP://` and just include the port. – Gabriel Luci Mar 04 '19 at 19:56
  • @GabrielLuci I did import the certificate into "Trusted Root Certificates" but I am still getting the same error when I try to connect to LDAP specifying port 636, whereas 389 works. – Arijit Das Mar 05 '19 at 08:49
  • When you open that .cer file now, does it show the certificate as trusted? – Gabriel Luci Mar 05 '19 at 12:13
  • Hi @GabrielLuci, at last I found out what the problem was. The LDAP URL I was using was not actually right for the SSL connection. I have to provide the Fully Qualified Domain Name (FQDN) instead of the URL I was using, since the certificate was issued to the FQDN. The certificate I am downloading through your script is actually for that FQDN, so that's why I was still getting that error. So this is important: use the FQDN for which the certificate is issued. If you edit your answer and add this, then I can accept your solution, because yours is almost perfect. – Arijit Das Mar 05 '19 at 17:03
  • Yes! That's an excellent point. I added that as a third point to my answer. I'm glad I could help point you in the right direction. – Gabriel Luci Mar 05 '19 at 17:59
  • @GabrielLuci .. .thanks a lot for the help ... really appreciate it ... – Arijit Das Mar 05 '19 at 18:17
  • @GabrielLuci Hmm, why should it be ensured that SSL/TLS is enabled on a port? Only because it's the default LDAPS port? You could even do StartTLS on whatever port. – Bernhard Thalmayr Mar 06 '19 at 09:41
  • @BernhardThalmayr LDAPS is LDAP over SSL. So the SSL handshake has to succeed before the LDAP communication can start. – Gabriel Luci Mar 06 '19 at 13:11
  • @GabrielLuci yes of course, and the commonly used scheme for this is 'ldaps' and not 'ldap', hence the DirectoryEntry should rather use 'LDAPS://' instead of 'LDAP://' as the port 636 need not be secured – Bernhard Thalmayr Mar 07 '19 at 13:34
  • @BernhardThalmayr What "should be" and what "is" are often two different things. :) `DirectoryEntry` doesn't understand `LDAPS://`. It just doesn't work. – Gabriel Luci Mar 07 '19 at 14:02
  • @GabrielLuci sure, I know :-). However, relying on some port to trigger the SSL/TLS handshake is rather daring. IMHO this smells like a bug, e.g. how do you trigger the TLS handshake when you do not use the well-known port? – Bernhard Thalmayr Mar 07 '19 at 14:10
  • @BernhardThalmayr You don't have to worry about it. `DirectoryEntry` takes care of it. You just specify the port. If SSL is required on that port, it handles it. – Gabriel Luci Mar 07 '19 at 14:22