Active Directory SSL

Discussion in 'ASP .Net Security' started by Chris Davoli, Nov 14, 2006.

  1. Chris Davoli

    Chris Davoli Guest

    Can somebody tell me how to authenticate USING SSL against an active
    directory server? The below code works without SSL, but how do I get it to
    work using SSL certificate and port 636? I'm assuming that the URL needs to
    be changed to LDAPS://XX.XXX.X.XX:636/dc=XXXXXX,dc=XXXXX where LDAPS and Port
    = 636 is specified. Is this true?


    Public Function IsUserAuth( _
    ByVal UserIDtoAuthenticate As String, _
    ByVal PasswordToAuthenticate As String) As Boolean

    Try

    _ldapServerName = "XX.XXX.X.XX" ' LDAP server to
    Authenticate against

    _path = AppSettings("AD_Path") '"LDAP://" & _ldapServerName
    & "/dc=XXXXXX,dc=XXXXX"

    Dim oRoot As DirectoryEntry = New DirectoryEntry(_path,
    UserIDtoAuthenticate, PasswordToAuthenticate)
    oRoot.Username = AppSettings("AD_UserID")
    oRoot.Password = AppSettings("AD_Password")
    Dim obj As Object = oRoot.NativeObject

    Dim oSearcher As DirectorySearcher = New
    DirectorySearcher(oRoot)
    oSearcher.Filter = "(SAMAccountName=" & UserIDtoAuthenticate
    & ")"
    Dim oResult As SearchResult

    oSearcher.PropertiesToLoad.Add("cn")

    oResult = oSearcher.FindOne
    If oResult Is Nothing Then
    'Authentication failed
    Return False
    End If
    'Authentication success
    Return True

    Catch ex As Exception
    If ex.GetBaseException.ToString.IndexOf("Logon failure:
    unknown user name or bad password") > -1 Then
    'Return "Logon failure: unknown user name or bad password"
    'Authenticated failed
    Return False
    Else
    If ex.GetBaseException.ToString.IndexOf("The directory
    service is unavailable") > -1 Then
    Return False
    Else
    Return False
    'Throw New Exception("Error obtaining group names. "
    & ex.Message)
    End If
    End If
    End Try


    End Function

    --
    Chris Davoli
     
    Chris Davoli, Nov 14, 2006
    #1
    1. Advertising

  2. Chris Davoli

    Joe Kaplan Guest

    You should do something like this:

    New DirectoryEntry("LDAP://serverdnsname/RootDSE",userName, password,
    AuthenticationTypes.SecureSocketsLayer Or AuthenticationTypes.Secure)

    It is not necessary to add the port for AD, as AD always uses the default
    SSL/LDAP port and can't be changed. ADSI will figure it out.

    Your code below also places one set of credentials in the constructor and
    then overwrites them in the next two lines with credentials stored in the
    configuration. That doesn't make any sense at all. :)

    My recommendation is that if you just want to authenticate a user, using the
    RootDSE object is good because it doesn't have any authorization associated
    with it to read it (is available anonymously), so you are really just
    testing the credentials and not the rights of the user to read the object in
    the path.

    Your code also tries to do a search with the directorysearcher to see if the
    can be found by their username. This isn't really necessary if you are just
    checking the password. The DC will either be able to authenticate them or
    it won't. The code where you check the exception message could be cleaned
    up a little by catching a COMException and reading the ErrorCode property to
    see which error code is returned. It is always the same for "invalid
    username or bad password". That way, you don't have to do string parsing
    and don't have to worry about the code every running under a different
    language pack with different globalized string resources. :)

    Another thing that is important with SSL is to use the DNS name of the
    domain or specific DC in your path. Don't use the IP address or a netbios
    name, as the name must match the DC certificate to make a successful SSL
    connection.

    Note also that it is not necessary from a security standpoint to use SSL if
    you do AuthenticationTypes.Secure, as the credentials are not passed in
    plaintext if you use that option. However, you might want to use SSL
    anyway.

    We actually cover all of this stuff in a lot of detail in our book (ch 3
    covers SSL, ch 12 covers authentication topics) if you are interested. You
    can get some of our code snippets from the book's website for free (C# and
    VB).

    HTH,

    Joe K.

    --
    Joe Kaplan-MS MVP Directory Services Programming
    Co-author of "The .NET Developer's Guide to Directory Services Programming"
    http://www.directoryprogramming.net
    --
    "Chris Davoli" <> wrote in message
    news:...
    > Can somebody tell me how to authenticate USING SSL against an active
    > directory server? The below code works without SSL, but how do I get it to
    > work using SSL certificate and port 636? I'm assuming that the URL needs
    > to
    > be changed to LDAPS://XX.XXX.X.XX:636/dc=XXXXXX,dc=XXXXX where LDAPS and
    > Port
    > = 636 is specified. Is this true?
    >
    >
    > Public Function IsUserAuth( _
    > ByVal UserIDtoAuthenticate As String, _
    > ByVal PasswordToAuthenticate As String) As Boolean
    >
    > Try
    >
    > _ldapServerName = "XX.XXX.X.XX" ' LDAP server to
    > Authenticate against
    >
    > _path = AppSettings("AD_Path") '"LDAP://" & _ldapServerName
    > & "/dc=XXXXXX,dc=XXXXX"
    >
    > Dim oRoot As DirectoryEntry = New DirectoryEntry(_path,
    > UserIDtoAuthenticate, PasswordToAuthenticate)
    > oRoot.Username = AppSettings("AD_UserID")
    > oRoot.Password = AppSettings("AD_Password")
    > Dim obj As Object = oRoot.NativeObject
    >
    > Dim oSearcher As DirectorySearcher = New
    > DirectorySearcher(oRoot)
    > oSearcher.Filter = "(SAMAccountName=" &
    > UserIDtoAuthenticate
    > & ")"
    > Dim oResult As SearchResult
    >
    > oSearcher.PropertiesToLoad.Add("cn")
    >
    > oResult = oSearcher.FindOne
    > If oResult Is Nothing Then
    > 'Authentication failed
    > Return False
    > End If
    > 'Authentication success
    > Return True
    >
    > Catch ex As Exception
    > If ex.GetBaseException.ToString.IndexOf("Logon failure:
    > unknown user name or bad password") > -1 Then
    > 'Return "Logon failure: unknown user name or bad
    > password"
    > 'Authenticated failed
    > Return False
    > Else
    > If ex.GetBaseException.ToString.IndexOf("The directory
    > service is unavailable") > -1 Then
    > Return False
    > Else
    > Return False
    > 'Throw New Exception("Error obtaining group names.
    > "
    > & ex.Message)
    > End If
    > End If
    > End Try
    >
    >
    > End Function
    >
    > --
    > Chris Davoli
    >
     
    Joe Kaplan, Nov 14, 2006
    #2
    1. Advertising

Want to reply to this thread or ask your own question?

It takes just 2 minutes to sign up (and it's free!). Just click the sign up button to choose a username and then you can ask your own questions on the forum.
Similar Threads
  1. 620
    Replies:
    2
    Views:
    1,038
    Murat Tunaboylu
    Jan 6, 2004
  2. Brandon McCombs

    SSL connection to Active directory

    Brandon McCombs, Feb 18, 2006, in forum: Java
    Replies:
    0
    Views:
    961
    Brandon McCombs
    Feb 18, 2006
  3. Brandon McCombs

    java , ssl, and active directory

    Brandon McCombs, Dec 12, 2006, in forum: Java
    Replies:
    0
    Views:
    645
    Brandon McCombs
    Dec 12, 2006
  4. ejcosta
    Replies:
    2
    Views:
    898
    Eurico Costa
    Oct 8, 2004
  5. carlos seramos
    Replies:
    2
    Views:
    515
    carlos seramos
    Aug 1, 2003
Loading...

Share This Page