
I'm having trouble obtaining a user from an Active Directory server when using SSL. The following code block works fine up until the FindByIdentity call, where it throws a System.DirectoryServices.DirectoryServicesCOMException: "An operations error occurred".

// Simple bind over LDAPS (port 636).
var options = ContextOptions.SimpleBind | ContextOptions.SecureSocketLayer;
using (var context = new PrincipalContext(ContextType.Domain, "mycompany.org:636", null, options))
{
    // Credential check succeeds with these options.
    if (!context.ValidateCredentials(name, password, options))
    {
        LdapStatus = 0;
        return null;
    }

    // This call throws DirectoryServicesCOMException ("An operations error occurred").
    UserPrincipal user = UserPrincipal.FindByIdentity(context, name);

    ... other stuff to find groups ...
}

Interestingly, if I use options = ContextOptions.SimpleBind without the SSL flag, or if I go to port :389 together with options = ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing, it works just fine. So I guess it has something to do with FindByIdentity not working with SSL? But I have seen examples (such as here) showing that this should indeed work.

Anything obvious that I'm doing wrong here?

Btw. I'm running on .NET 4.8

obachtos
  • The answer in the StackOverflow link says the `.Net` version is the problem. Have you tried to revert it to a previous version, like `.Net 4`, as suggested? – Codingwiz Jan 25 '23 at 17:32
  • Well, I'm not running cross-domain, I get a different exception, and it's been 10 years and several .NET updates... but I guess I can try it when I get the chance – obachtos Jan 26 '23 at 08:06
  • Do you know if the SSL certificate being used on the server is valid and trusted (not self-signed) and matches exactly the domain name you're using to connect (not issued to the specific domain controller)? – Gabriel Luci Jan 26 '23 at 13:18
  • I'm fairly confident that it's valid since it's only the `FindByIdentity` part that's not working. I can validate the credentials just fine. – obachtos Jan 27 '23 at 07:32
  • Have you tried the suggestions here? https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/ldap-over-ssl-connection-issues – vgwizardx Feb 04 '23 at 16:11
  • You can either add the server's SSL certificate to the client's trusted certificate store or disable SSL verification by setting ServicePointManager.ServerCertificateValidationCallback to delegate { return true; }. However, this is not recommended as it can compromise the security of the connection. – Ishwor Khatiwada Feb 06 '23 at 06:55

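Added example, not part of the question or any of the comments: a way to isolate the TLS side of this from the search side. System.DirectoryServices.AccountManagement hides the LDAPS certificate check; the lower-level System.DirectoryServices.Protocols (a standard .NET Framework 4.8 assembly) exposes it as a VerifyServerCertificate callback, so the chain errors and the name mismatch that the comments speculate about can be seen on stderr, and the user lookup is then an explicit LDAP search on the same port 636 connection instead of FindByIdentity. The server name, base DN and attribute list are placeholders; the callback validates the certificate itself rather than returning true unconditionally, which would switch the check off.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic example (not from the question). Server, Port and BaseDn are placeholders.
static class LdapsUserLookup
{
    const string Server = "mycompany.org";       // hypothetical; must be a name the DC's certificate carries
    const int    Port   = 636;
    const string BaseDn = "DC=mycompany,DC=org"; // hypothetical search base

    // Binds as the user over LDAPS and returns the user's entry, or null unless exactly one entry matches.
    // Throws LdapException on a failed bind or a rejected server certificate.
    public static SearchResultEntry FindUser(string userName, string password)
    {
        var identifier = new LdapDirectoryIdentifier(Server, Port, fullyQualifiedDnsHostName: true, connectionless: false);
        using (var conn = new LdapConnection(identifier))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.SecureSocketLayer = true;
            // Setting the callback replaces the default check, so it has to do the whole job itself.
            conn.SessionOptions.VerifyServerCertificate = (c, cert) => CertificateIsAcceptable(cert);
            conn.AuthType = AuthType.Basic;   // simple bind: the password only ever travels inside TLS
            conn.Credential = new NetworkCredential(userName, password);
            conn.Bind();

            // Escape the user-supplied value so it cannot change the meaning of the filter.
            string escaped = EscapeFilterValue(userName);
            string filter = "(&(objectClass=user)(|(sAMAccountName=" + escaped + ")(userPrincipalName=" + escaped + ")))";
            var request = new SearchRequest(BaseDn, filter, SearchScope.Subtree, "distinguishedName", "memberOf");
            var response = (SearchResponse)conn.SendRequest(request);
            return response.Entries.Count == 1 ? response.Entries[0] : null;
        }
    }

    // Chain must build to a trusted root and the certificate must name the host we connected to.
    static bool CertificateIsAcceptable(X509Certificate cert)
    {
        var cert2 = new X509Certificate2(cert);
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            bool chainOk = chain.Build(cert2);
            foreach (X509ChainStatus s in chain.ChainStatus)
                Console.Error.WriteLine("cert chain: " + s.Status + " " + s.StatusInformation.Trim());

            // GetNameInfo yields the first DNS name (SAN, else subject CN); certificates with several
            // SAN entries or wildcards need a full SAN walk, which this example does not do.
            string dnsName = cert2.GetNameInfo(X509NameType.DnsName, false);
            bool nameOk = string.Equals(dnsName, Server, StringComparison.OrdinalIgnoreCase);
            if (!nameOk)
                Console.Error.WriteLine("cert name mismatch: certificate is for '" + dnsName + "', connected to '" + Server + "'");
            return chainOk && nameOk;
        }
    }

    // RFC 4515 escaping for values placed inside a search filter.
    public static string EscapeFilterValue(string value)
    {
        var sb = new System.Text.StringBuilder(value.Length);
        foreach (char ch in value)
        {
            switch (ch)
            {
                case '\\': sb.Append(@"\5c"); break;
                case '*':  sb.Append(@"\2a"); break;
                case '(':  sb.Append(@"\28"); break;
                case ')':  sb.Append(@"\29"); break;
                case '\0': sb.Append(@"\00"); break;
                default:   sb.Append(ch);     break;
            }
        }
        return sb.ToString();
    }

    static int Main(string[] args)
    {
        if (args.Length != 1) { Console.Error.WriteLine("usage: LdapsUserLookup <user>   (password is read from stdin)"); return 2; }
        string password = Console.In.ReadLine();
        try
        {
            SearchResultEntry user = FindUser(args[0], password);
            if (user == null) { Console.WriteLine("no unique match"); return 1; }
            Console.WriteLine(user.DistinguishedName);
            if (user.Attributes.Contains("memberOf"))
                foreach (string group in user.Attributes["memberOf"].GetValues(typeof(string)))
                    Console.WriteLine("  memberOf " + group);
            return 0;
        }
        catch (LdapException ex)
        {
            Console.Error.WriteLine("LDAP error " + ex.ErrorCode + ": " + ex.Message + " / " + ex.ServerErrorMessage);
            return 1;
        }
    }
}
```

Two things this separates out. If the bind succeeds but the stderr lines show a chain status other than NoError or a name mismatch, the certificate is the problem; note that connecting to the domain name "mycompany.org" resolves to whichever domain controller answers, and a certificate issued to that one controller's host name will not match the name being connected to, which is the point Gabriel Luci's comment raises. If the certificate is clean and the bind succeeds but the search still fails, the LdapException's ErrorCode and ServerErrorMessage carry the server's own diagnostic text, which is more specific than the COM exception's "An operations error occurred". The password is read from stdin rather than argv so it does not show up in process listings; a real tool would use a masked prompt.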