
I am working on a requirement where I need to validate a user with an Active Directory account. For this I have used LdapConnection with PrincipalContext, and in all cases I am able to validate the user without SSL. But I need to validate the user with SSL. I have also used the correct port, i.e. 636/TCP (LDAP over SSL).

But whenever I try to use port 636 and set the context option to ContextOptions.Negotiate | ContextOptions.SecureSocketLayer, I am getting the error "Server could not be contacted."

Following is my code:

using System.DirectoryServices.AccountManagement;

// ldapServerIp, userName and password are set earlier in the calling code
using (var principalContext = new PrincipalContext(ContextType.Domain, ldapServerIp, null,
           ContextOptions.Negotiate | ContextOptions.SecureSocketLayer, userName, password))
{
    bool isCredentialValid = principalContext.ValidateCredentials(userName, password);
}

My LDAP server address is abc.com:636. If I remove the port 636 and use the default ContextOptions, then it authenticates the users. Has anyone ever resolved this type of issue? Any help will be appreciated.

Gabriel Luci
Virender Thakur
  • Is ldapServerIp = "abc.com"? You can't use a userName and Password. You need a Network Credential. – jdweng Apr 14 '20 at 18:56
  • @jdweng Neither the `PrincipalContext` constructor nor `ValidateCredentials` accepts a `NetworkCredential` object. – Gabriel Luci Apr 14 '20 at 19:02

1 Answer

One of two things is happening:

  1. There is a firewall blocking your access to port 636, or
  2. The certificate that the server is using is not trusted by your computer.

In the past, I've used the PowerShell code in this answer to download the certificate to a file so you can inspect it. For example:

$webRequest = [Net.WebRequest]::Create("https://example.com:636")
try { $webRequest.GetResponse() } catch {}    # the HTTP request itself fails; only the TLS handshake matters
$cert = $webRequest.ServicePoint.Certificate   # null if the connection never got as far as the handshake
$bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
Set-Content -Value $bytes -Encoding Byte -Path "certificate.cer"

Make sure the URL in the first line matches your domain name (but keep the https://). If you are actually able to hit port 636, then you will see a certificate.cer file. You can double-click on that file and you will see the details. If your computer does not trust it, you will see a big warning and you know that is your problem.

If the certificate is not trusted, then you need to install the root certificate of that certificate as a Trusted Root Certificate on your computer.

Gabriel Luci
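The two causes the answer lists (port blocked vs. certificate not trusted) can be told apart in one step. The following script is an added example, not part of the original answer: it opens a TCP connection to the LDAPS port, completes a TLS handshake while recording (rather than rejecting) any certificate chain errors, and then reports expiry, trust and name-mismatch problems. The server name is a placeholder.

```powershell
# Added diagnostic (not from the original answer). Run as a .ps1 file, e.g.
#   .\Test-Ldaps.ps1 -Server dc01.example.com
# Works in Windows PowerShell 5.1 and PowerShell 7.
param(
    [string]$Server = "abc.com",   # placeholder: use the DC's DNS name, not its IP address
    [int]$Port = 636
)

$client = New-Object System.Net.Sockets.TcpClient
try {
    # Step 1: is port 636 reachable at all? A timeout here points to a firewall
    # or to LDAPS simply not being enabled on the domain controller.
    $async = $client.BeginConnect($Server, $Port, $null, $null)
    if (-not $async.AsyncWaitHandle.WaitOne(5000)) {
        throw "No TCP connection to ${Server}:${Port} within 5 s (firewall, or LDAPS not listening)"
    }
    $client.EndConnect($async)

    # Step 2: TLS handshake. The callback accepts every certificate but keeps the
    # policy errors so we can explain why a normal client would have rejected it.
    $script:sslErrors = [System.Net.Security.SslPolicyErrors]::None
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:sslErrors = $errors
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($Server)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "Subject      : $($cert.Subject)"
    "Issuer       : $($cert.Issuer)"
    "Valid        : $($cert.NotBefore) .. $($cert.NotAfter)"
    "Policy errors: $script:sslErrors"

    if ($cert.NotAfter -lt (Get-Date) -or $cert.NotBefore -gt (Get-Date)) {
        "Problem: certificate has expired or is not yet valid"
    }
    if (-not $cert.Verify()) {
        "Problem: chain does not end in a root trusted on this machine (install the issuing root CA)"
    }
    if ($script:sslErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) {
        "Problem: '$Server' does not match the certificate's subject/SAN (connect by the name on the cert)"
    }
}
finally {
    $client.Dispose()
}
```

If step 1 throws, the answer's case #1 applies; if the handshake succeeds but any "Problem:" line is printed, case #2 applies and PrincipalContext will keep reporting "Server could not be contacted" until the chain validates on the client.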
  • Hi Gabriel. I have tried this piece of code and it doesn't work. "You cannot call a method on a null-valued expression. At line:4 char:1" – Virender Thakur Apr 15 '20 at 12:21
  • I have passed the correct AD server url. But didn't work. – Virender Thakur Apr 15 '20 at 12:22
  • That means that issue #1 is true - something is blocking your connection to port 636 on the server. – Gabriel Luci Apr 15 '20 at 12:58
  • I have tried the first function of this answer on the server and there is no error I am getting. Don't know what is wrong with PrincipalContext. Please see this answer https://forums.asp.net/post/3978277.aspx – Virender Thakur Apr 15 '20 at 13:04
  • This answer used the SSL to connect and I tried it with the port as well i.e. 636. It let me through in with this. – Virender Thakur Apr 15 '20 at 13:06
  • You only tried the `CreateConnection()` method? That doesn't actually connect. That just prepares the `LdapConnection` object. You have to call `con.Bind()` for it to actually attempt the connection. – Gabriel Luci Apr 15 '20 at 13:16
  • Ohh! Yes @Gabriel. With `con.Bind()` I am getting the error **The LDAP server is unavailable.** – Virender Thakur Apr 15 '20 at 13:24
  • Hi @Gabriel, I have run the snippet that you provided to download the certificate, and the certificate is downloaded, and on opening it gives me the error **This certificate has expired or is not yet valid.** Does that mean the certificate is not trusted on the machine I am trying to log in to the AD server from? – Virender Thakur Apr 16 '20 at 11:18
  • Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/211819/discussion-between-virender-thakur-and-gabriel-luci). – Virender Thakur Apr 16 '20 at 17:09