
I'm using ASP.NET Framework 4.8 and I'm trying to use the Membership class with the Active Directory provider. The security team insists on using the LDAPS protocol with a CA certificate, so I set the config this way:

web.config

```xml
<connectionStrings>
  <!-- (censored) -->
  <add name="ADService" connectionString="LDAPS://ipaddress:636/OU=ou,DC=dc,DC=dc"/>
</connectionStrings>

<system.web>
  <membership defaultProvider="AspNetActiveDirectoryMembershipProvider">
    <providers>
      <add name="AspNetActiveDirectoryMembershipProvider"
           type="System.Web.Security.ActiveDirectoryMembershipProvider"
           connectionStringName="ADService"
           connectionUsername="MYUSERNAME"
           connectionPassword="MYPASSWORD"
           connectionProtection="Secure"/>
    </providers>
  </membership>
</system.web>
```

When I try to use Membership.GetUser() I get the following exception:

```text
{"Error HRESULT E_FAIL has been returned from a call to a COM component. (C:\Projects\ \project\web.config line 83)"}
```

I tried to do the steps in: Error HRESULT E_FAIL has been returned from a call to a COM component VS2012 when debugging

I was able to connect to the Active Directory using an LDAP browser, but not through my code.

When I try to connect to another Active Directory on my local domain, which is not secured (LDAP on port 389), it does work.

Any suggestions?


LDAP over SSL follows all the same rules as HTTP over SSL (HTTPS). The two most important parts are:

  1. The domain name you use to connect must match one of the domain names on the certificate.
  2. The SSL certificate must be issued by an entity that your computer trusts.

Rule #1 means that you cannot use an IP address to connect, which it seems you are trying to do. You must use a domain name. That might be your only problem.

For rule #2, you can check the certificate by downloading it to your computer using this PowerShell script:

```powershell
# Start an HTTPS request to the LDAPS port; the TLS handshake completes and the
# server certificate is captured on the ServicePoint even though the HTTP part fails.
$webRequest = [Net.WebRequest]::Create("https://example.com:636")
try { $webRequest.GetResponse() } catch {}
$cert = $webRequest.ServicePoint.Certificate
# Export the certificate in DER form (public part only, no private key)
$bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
# -Encoding Byte is Windows PowerShell (5.1); PowerShell 7 uses -AsByteStream instead
Set-Content -Value $bytes -Encoding Byte -Path "certificate.cer"
```

Change example.com to your domain name (you can actually use the IP address here, since it's just downloading the cert, not evaluating whether it will be trusted). After running it, you will have a certificate.cer file that you can double-click and inspect. It will tell you plainly if the certificate is not trusted. If that's the case, you will have to install the root certificate as a Trusted Root Certificate on your computer.

To help with rule #1, you can also look at all the domains listed in the certificate by opening the Details tab and looking at "Subject Alternative Name" in the list. There may only be one, but there might be more. If there is more than one, just make sure you use one that DNS resolves to the right IP address.

Gabriel Luci
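The two checks in the answer above can be run in one go instead of inspecting the .cer by hand. This is an added example, not code from the answer: it performs the TLS handshake against the LDAPS port itself, records the name-match and chain-trust verdicts Windows reaches, and lists the Subject Alternative Names. `dc01.corp.example` is a placeholder for the DNS name used in the connection string.

```powershell
# Added example, not code from the answer. $LdapHost is a placeholder: put the DNS name
# you use in the connection string here (an IP address will fail rule #1 unless it is in the SAN).
$LdapHost = "dc01.corp.example"
$Port     = 636

$script:policyErrors = $null
$script:serverCert   = $null

# Validation callback: record what the TLS stack concluded about the server certificate,
# then return $true so the handshake completes and the certificate can be inspected.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policyErrors = $sslPolicyErrors
    $script:serverCert   = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
    return $true
}

$tcp = [System.Net.Sockets.TcpClient]::new($LdapHost, $Port)
try {
    $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
    # The name passed here is what the certificate name check (rule #1) is evaluated against.
    $ssl.AuthenticateAsClient($LdapHost)
    $ssl.Dispose()
} finally {
    $tcp.Dispose()
}

$cert = $script:serverCert
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"

# Rule #1: the names the certificate is valid for (Subject Alternative Name, OID 2.5.29.17).
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if ($san) { "SAN     : " + $san.Format($false) } else { "SAN     : (none; only the Subject CN applies)" }

# Report the verdict the provider's LDAPS bind would get from the same Windows trust store.
$errors = $script:policyErrors
if ($errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) {
    "FAIL rule #1: '$LdapHost' does not match any name on the certificate."
}
if ($errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) {
    "FAIL rule #2: chain is not trusted on this machine; install the issuing CA as a Trusted Root."
}
if ($errors -eq [System.Net.Security.SslPolicyErrors]::None) { "OK: name matches and chain is trusted." }

# Save a copy so it can also be opened in the Windows certificate viewer.
$der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes("$PWD\ldaps-server.cer", $der)
```

Run it on the web server itself (the machine whose trust store the membership provider uses), under the same account if possible, since trust and DNS resolution can differ from your workstation.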