ASP.NET and SASL

Amar

Does ASP.NET support SASL EXTERNAL binds? Does ASP.NET support the LDAPv3
operations necessary to use an authorized Enterprise directory?
If yes, then can you please provide me with some examples or some useful links?
Thanks in Advance!
 
Joe Kaplan (MVP - ADSI)

Have you looked at System.DirectoryServices.Protocols in .NET 2.0? All LDAP
bind types supported by wldap32.dll are available there.

System.DirectoryServices (ADSI-based LDAP) supports a smaller subset
including Windows negotiate auth (GSS-SPNEGO SASL provider) and client
certificate auth via SASL external.

None of this is related to ASP.NET at all though.

Joe K.
 
Amar

Thanks again Joe.
I am using .NET 1.1, since I am using Visual Studio 2003, and I don't know
if it works for .NET 2.0.
1. Why do you say that none of this is related to ASP.NET?
2. Also, can you give me an example about "client certificate auth via SASL
external" that you say is supported by System.DirectoryServices (ADSI-based
LDAP)?
Or point me towards links with the same?
Thank you.
 
Joe Kaplan (MVP - ADSI)

If you are using VS 2003, you cannot dev for .NET 2.0 unfortunately. You
would need a different tool to write .NET 2.0 code, although you can compile
directly with the platform SDK.

I say this is not related to ASP.NET as all of the functionality in question
is in the System.DirectoryServices assembly and ADSI and Windows LDAP (and
other lower layers like auth, network, DNS, etc.). ASP.NET apps can use
LDAP, but they aren't really different from other .NET apps that might want
to do so except that they have more complicated security scenarios in some
cases.

If you want to do client certificate authentication with LDAP, this is
possible and supposedly works with ADSI (and thus System.DirectoryServices).
I've never tested it though. You basically need to configure your
DirectoryEntry objects to use AuthenticationTypes.SecureSocketsLayer and
need to configure the ASP.NET account to have access to the client
certificate and private key. The latter is the hard part. Note that you
don't control the SASL stuff directly though with this. It is all done at a
lower level.

What are you specifically trying to accomplish? Do you need to use a
special SASL provider with an LDAP bind or what?

Joe K.
 
Amar

Hi,
Thank you Joe.
I am trying to accomplish the following:
We have a central university LDAP server. My department has a webserver with
IIS6/Windows 2003. We got 2 certificates from the university. One was an SSL
server certificate and another was a Middleware Client Certificate. My sysadmin
installed both of these on the webserver. We checked the box to make the
site SSL encrypted too.
Now to fetch some important data from the university LDAP server the
middleware group says that my application (in this case ASP.NET) needs to
support SSL or TLS with client certificates and should be able to somehow
perform a SASL EXTERNAL bind with the LDAP server. They have posted some
examples in Java, Perl, and Python. Please tell me if you want to read details
about those; I can send you the link.
Our major issue is:
My sysadmin and I are doing this client certificate thing for the first
time. So as per our thinking there has to be some way in the ASP.NET code
that tells the application to use the particular client certificate (and the
private key in it) while trying to connect to the LDAP server. We are not
able to figure this out! If you can give us step by step instructions to
achieve this we would appreciate it!

Thanks in Advance!
 
Joe Kaplan (MVP - ADSI)

The only way to specify specific client certificates is with
System.DirectoryServices.Protocols. When you are using
System.DirectoryServices, the LDAP layer will simply try to find an
appropriate client certificate based on the certificates that the server
says that it trusts during the SSL/LDAP negotiation and send that
certificate.

Typically, the hard part of this is configuring the appropriate process
account so that the certificate is available with the private key. Normally
for ASP.NET apps, you need to add the certificate to the machine store and
make sure the private key is available with the certificate there and that
the account accessing it has rights to read the private key.

Before you even try to do this in a web application, why don't you try to
get it working in a console application first? That way you can install the
certificate into your local store and see if that works.

The only thing you would do from a code perspective is specify
AuthenticationTypes.SecureSocketsLayer in your DirectoryEntry constructor.
I'm not really sure what if anything you should specify for the username and
password though. I've never done client cert auth with LDAP, I've only
discussed it a bit with other experts.

Joe K.
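The following console program is an added example; it is not code from this thread or from Joe, and it follows his advice to get the bind working in a console app before touching the web app. It shows both routes he describes: System.DirectoryServices.Protocols (.NET 2.0 or later, so not usable from VS 2003), where you pick the exact client certificate and ask wldap32 for an EXTERNAL bind, and the System.DirectoryServices DirectoryEntry route, where the only code change is AuthenticationTypes.SecureSocketsLayer and the LDAP layer chooses a certificate from the CAs the server advertises. It also performs the private-key access check that Joe calls the hard part. The host name, port, base DN, thumbprint, search filter and attribute are placeholders; the server-certificate chain check in VerifyServer is a sensible default of mine, not something the thread specifies.

```csharp
// Added example, not from the thread. Assumed placeholders: host, port, base DN,
// thumbprint, filter and attribute. Requires .NET 2.0+ for System.DirectoryServices.Protocols.
using System;
using System.DirectoryServices;
using System.DirectoryServices.Protocols;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

class LdapExternalBindDemo
{
    const string LdapHost  = "ldap.example.edu";                          // placeholder
    const int    LdapsPort = 636;
    const string BaseDn    = "ou=people,dc=example,dc=edu";               // placeholder
    const string ClientCertThumbprint = "0123456789ABCDEF0123456789ABCDEF01234567"; // placeholder

    static int Main()
    {
        X509Certificate2 clientCert = LoadClientCertificate(ClientCertThumbprint);
        if (clientCert == null) return 1;

        using (LdapConnection conn = OpenExternalBind(clientCert))
        {
            // A real search proves the EXTERNAL bind granted access, not just a TLS session.
            SearchRequest req = new SearchRequest(BaseDn, "(uid=jdoe)", SearchScope.Subtree, "mail");
            SearchResponse resp = (SearchResponse)conn.SendRequest(req);
            foreach (SearchResultEntry entry in resp.Entries)
                Console.WriteLine("{0}: {1}", entry.DistinguishedName,
                    entry.Attributes.Contains("mail") ? entry.Attributes["mail"][0] : "(no mail)");
        }
        return 0;
    }

    // Step 1: find the Middleware Client Certificate in LocalMachine\My (the store a
    // service account such as the ASP.NET worker process can see) and verify that the
    // account running this program can open its private key. A certificate can be
    // present in the store and still be unusable because the key's ACL excludes the account.
    static X509Certificate2 LoadClientCertificate(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            if (found.Count == 0)
            {
                Console.Error.WriteLine("Certificate not found in LocalMachine\\My");
                return null;
            }
            X509Certificate2 cert = found[0];
            if (!cert.HasPrivateKey)
            {
                Console.Error.WriteLine("Certificate was imported without its private key");
                return null;
            }
            try
            {
                // Reading PrivateKey opens the key container under the current account,
                // so a missing ACL shows up here rather than as an opaque bind failure.
                AsymmetricAlgorithm key = cert.PrivateKey;
                Console.WriteLine("Private key usable ({0} bits)", key.KeySize);
            }
            catch (CryptographicException ex)
            {
                Console.Error.WriteLine("This account cannot read the private key: " + ex.Message);
                return null;
            }
            return cert;
        }
        finally { store.Close(); }
    }

    // Step 2: an LDAPS connection that presents exactly this certificate and asks
    // wldap32 for an EXTERNAL bind, so the server authenticates the TLS client
    // certificate instead of a username and password.
    static LdapConnection OpenExternalBind(X509Certificate2 clientCert)
    {
        LdapConnection conn = new LdapConnection(new LdapDirectoryIdentifier(LdapHost, LdapsPort));
        conn.SessionOptions.ProtocolVersion = 3;
        conn.SessionOptions.SecureSocketLayer = true;
        conn.SessionOptions.VerifyServerCertificate = VerifyServer;
        conn.ClientCertificates.Add(clientCert);
        conn.AuthType = AuthType.External;
        conn.Bind();   // no NetworkCredential: the identity comes from the certificate
        return conn;
    }

    // Validate the server certificate against the machine's trusted roots; returning
    // true unconditionally would let a spoofed LDAP server terminate the session.
    static bool VerifyServer(LdapConnection conn, X509Certificate serverCert)
    {
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        return chain.Build(new X509Certificate2(serverCert));
    }

    // Alternative via System.DirectoryServices (available on .NET 1.1): you cannot
    // choose the certificate; ADSI/wldap32 picks one that matches the CAs the server
    // sends during the TLS handshake. Joe is unsure what, if anything, to pass for
    // username and password, so null is used here.
    static string LookupWithDirectoryEntry()
    {
        string path = "LDAP://" + LdapHost + ":" + LdapsPort + "/" + BaseDn;
        using (DirectoryEntry root = new DirectoryEntry(path, null, null, AuthenticationTypes.SecureSocketsLayer))
        using (DirectorySearcher searcher = new DirectorySearcher(root, "(uid=jdoe)", new string[] { "mail" }))
        {
            SearchResult r = searcher.FindOne();
            return r == null ? null : (string)r.Properties["mail"][0];
        }
    }
}
```

Run the console program under the same account the web application will use (for example with runas as the application pool identity) so that the private-key check reflects what the ASP.NET process will actually be able to do; a success when run as an administrator tells you nothing about the ACL on the key.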
 
