ASP.NET and SASL

Discussion in 'ASP .Net Security' started by Amar, Jan 5, 2006.

  1. Amar

    Amar Guest

    Does ASP.NET support SASL EXTERNAL binds? Does ASP.NET support the LDAPv3
    operations necessary to use an authorized Enterprise directory?
    If yes, then can you please provide me with some examples or some useful links?
    Thanks in advance!
     
    Amar, Jan 5, 2006
    #1

  2. Have you looked at System.DirectoryServices.Protocols in .NET 2.0? All LDAP
    bind types supported by wldap32.dll are available there.

    System.DirectoryServices (ADSI-based LDAP) supports a smaller subset
    including Windows negotiate auth (GSS-SPNEGO SASL provider) and client
    certificate auth via SASL external.

    None of this is related to ASP.NET at all though.

    Joe K.

    Joe Kaplan (MVP - ADSI), Jan 5, 2006
    #2

  3. Amar

    Amar Guest

    Thanks again, Joe.
    I am using .NET 1.1, since I am using Visual Studio 2003, and I don't know
    if it works for .NET 2.0.
    1. Why do you say that none of this is related to ASP.NET?
    2. Also, can you give me an example of the "client certificate auth via SASL
    external" that you say is supported by System.DirectoryServices (ADSI-based
    LDAP)?
    Or point me towards links about the same?
    Thank you.

    Amar, Jan 5, 2006
    #3
  4. If you are using VS 2003, you cannot dev for .NET 2.0 unfortunately. You
    would need a different tool to write .NET 2.0 code, although you can compile
    directly with the platform SDK.

    I say this is not related to ASP.NET as all of the functionality in question
    is in the System.DirectoryServices assembly and ADSI and Windows LDAP (and
    other lower layers like auth, network, DNS, etc.). ASP.NET apps can use
    LDAP, but they aren't really different from other .NET apps that might want
    to do so except that they have more complicated security scenarios in some
    cases.

    If you want to do client certificate authentication with LDAP, this is
    possible and supposedly works with ADSI (and thus System.DirectoryServices).
    I've never tested it though. You basically need to configure your
    DirectoryEntry objects to use AuthenticationTypes.SecureSocketsLayer and
    need to configure the ASP.NET account to have access to the client
    certificate and private key. The latter is the hard part. Note that you
    don't control the SASL stuff directly though with this. It is all done at a
    lower level.

    What are you specifically trying to accomplish? Do you need to use a
    special SASL provider with an LDAP bind or what?

    Joe K.

    Joe Kaplan (MVP - ADSI), Jan 5, 2006
    #4
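    The two steps Joe describes in this post, checking that the process account can actually read the client certificate's private key and then binding a DirectoryEntry with AuthenticationTypes.SecureSocketsLayer, as an added console example that is not code from the thread. It targets .NET Framework with System.DirectoryServices referenced; the thumbprint and the LDAP path are placeholders, and the key-access probe via cert.PrivateKey is my own check, not something ADSI does for you.

```csharp
// Added example (not from the thread): prove private-key access first, then do the
// ADSI/SSL bind. Run it under the same account the web application will use.
using System;
using System.DirectoryServices;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

class AdsiClientCertCheck
{
    // Placeholders: substitute your own certificate thumbprint and directory path.
    const string ClientCertThumbprint = "0000000000000000000000000000000000000000";
    const string LdapPath = "LDAP://ldap.example.edu:636/dc=example,dc=edu";

    static int Main()
    {
        // Step 1: the "hard part". ADSI gives no useful diagnostic when the key is
        // missing or unreadable, so check it here before involving LDAP at all.
        X509Certificate2 cert = FindInMachineStore(ClientCertThumbprint);
        if (cert == null) { Console.WriteLine("Certificate not found in LocalMachine\\My."); return 1; }
        if (!cert.HasPrivateKey) { Console.WriteLine("Certificate was imported without its private key."); return 1; }
        try
        {
            // Reading PrivateKey opens the CAPI key container; it throws when the
            // current account has no read permission on the key file.
            AsymmetricAlgorithm key = cert.PrivateKey;
            Console.WriteLine("Private key readable by {0} ({1}).", Environment.UserName, key.GetType().Name);
        }
        catch (CryptographicException ex)
        {
            Console.WriteLine("Private key not accessible to {0}: {1}", Environment.UserName, ex.Message);
            return 1;
        }

        // Step 2: with System.DirectoryServices the LDAP layer selects the client
        // certificate itself during the TLS handshake; the code only requests SSL.
        // No user name or password is passed: the certificate is the credential.
        using (DirectoryEntry entry = new DirectoryEntry(LdapPath, null, null,
                   AuthenticationTypes.SecureSocketsLayer))
        {
            try
            {
                entry.RefreshCache(new string[] { "objectClass" }); // forces the bind now
                Console.WriteLine("Bound over SSL with client certificate; entry = " + entry.Name);
                return 0;
            }
            catch (DirectoryServicesCOMException ex)
            {
                Console.WriteLine("Bind failed: 0x{0:X8} {1}", ex.ErrorCode, ex.Message);
                return 1;
            }
        }
    }

    static X509Certificate2 FindInMachineStore(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, thumbprint, false);
            return found.Count == 1 ? found[0] : null;
        }
        finally { store.Close(); }
    }
}
```

    If step 1 fails under the worker-process identity (NETWORK SERVICE by default on IIS 6), the fix is an ACL on the private key file rather than anything in code; on Windows Server 2003 the resource-kit tool winhttpcertcfg.exe (`winhttpcertcfg -g -c LOCAL_MACHINE\My -s <subject> -a <account>`) grants that access, which is outside what the thread covers.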
  5. Amar

    Amar Guest

    Hi,
    Thank you, Joe.
    I am trying to accomplish the following:
    We have a central university LDAP server. My department has a webserver with
    IIS6/Windows 2003. We got 2 certificates from the university. One was an SSL
    Server certificate and another was a Middleware Client Certificate. My Sys
    Admin installed both of these on the webserver. We checked the box to make the
    site SSL encrypted too.
    Now, to fetch some important data from the university LDAP server, the
    middleware group say that my application (in this case ASP.NET) needs to
    support SSL or TLS with client certificates and should be able to somehow
    perform a SASL EXTERNAL Bind with the LDAP Server. They have posted some
    examples in Java, Perl, Python. Please tell me if you want to read details
    about those; I can send you the link.
    Our major issue is:
    My Sys Admin and I are doing this client certificate thing for the first
    time. So, as per our thinking, there has to be some way in the ASP.NET code
    that tells the application to use the particular client certificate (and the
    private key in it) while trying to connect to the LDAP server. We are not
    able to figure this out! If you can give us step-by-step instructions to
    achieve this, we would appreciate it!

    Thanks in advance!

    Amar, Jan 6, 2006
    #5
  6. The only way to specify specific client certificates is with
    System.DirectoryServices.Protocols. When you are using
    System.DirectoryServices, the LDAP layer will simply try to find an
    appropriate client certificate based on the certificates that the server
    says that it trusts during the SSL/LDAP negotiation and send that
    certificate.

    Typically, the hard part of this is configuring the appropriate process
    account so that the certificate is available with the private key. Normally
    for ASP.NET apps, you need to add the certificate to the machine store and
    make sure the private key is available with the certificate there and that
    the account accessing it has rights to read the private key.

    Before you even try to do this in a web application, why don't you try to
    get it working in a console application first? That way you can install the
    certificate into your local store and see if that works.

    The only thing you would do from a code perspective is specify
    AuthenticationTypes.SecureSocketsLayer in your DirectoryEntry constructor.
    I'm not really sure what if anything you should specify for the username and
    password though. I've never done client cert auth with LDAP, I've only
    discussed it a bit with other experts.

    Joe K.

    Joe Kaplan (MVP - ADSI), Jan 6, 2006
    #6
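    The other route Joe names in posts #2 and #6, choosing the certificate yourself and issuing an explicit SASL EXTERNAL bind through System.DirectoryServices.Protocols, as an added example that is not code from the thread or from Microsoft's samples. It assumes .NET 2.0 or later, a directory listening on LDAPS port 636 whose certificate chains to a CA in the machine's trusted root store, and a client certificate in LocalMachine\My; the host, base DN and thumbprint are placeholders. The server-certificate callback and the RFC 4532 "Who am I?" request are my additions, included because a client-certificate bind is only as good as the server check on one side and the identity mapping on the other.

```csharp
// Added example (not from the thread): explicit client certificate + SASL EXTERNAL
// bind with System.DirectoryServices.Protocols, with server verification and an
// identity check after the bind.
using System;
using System.DirectoryServices.Protocols;
using System.Security.Cryptography.X509Certificates;
using System.Text;

class ExternalBindExample
{
    // Placeholders: substitute your own host, search base and certificate thumbprint.
    const string LdapHost = "ldap.example.edu";
    const string SearchBase = "dc=example,dc=edu";
    const string ClientCertThumbprint = "0000000000000000000000000000000000000000";

    static int Main()
    {
        X509Certificate2 clientCert = FindInMachineStore(ClientCertThumbprint);
        if (clientCert == null || !clientCert.HasPrivateKey)
        {
            Console.WriteLine("Client certificate with private key not found in LocalMachine\\My.");
            return 1;
        }

        LdapDirectoryIdentifier server = new LdapDirectoryIdentifier(LdapHost, 636);
        using (LdapConnection conn = new LdapConnection(server))
        {
            conn.SessionOptions.ProtocolVersion = 3;        // SASL binds are an LDAPv3 feature
            conn.SessionOptions.SecureSocketLayer = true;   // LDAPS: TLS before any LDAP PDU
            conn.SessionOptions.VerifyServerCertificate = VerifyServer;
            conn.ClientCertificates.Add(clientCert);        // the certificate we chose, not wldap32's guess
            conn.AuthType = AuthType.External;              // SASL EXTERNAL: identity comes from the TLS client cert
            conn.AutoBind = false;                          // bind explicitly so failures surface here

            try
            {
                conn.Bind();                                // no NetworkCredential: the certificate is the credential

                // RFC 4532 "Who am I?" extended operation: reports which authorization
                // identity the server derived from the certificate (e.g. "dn:cn=app,ou=...").
                // Log it and compare it with the identity you expect the mapping to produce.
                ExtendedResponse who = (ExtendedResponse)conn.SendRequest(
                    new ExtendedRequest("1.3.6.1.4.1.4203.1.11.3"));
                string authzId = who.ResponseValue == null ? "(none)" : Encoding.UTF8.GetString(who.ResponseValue);
                Console.WriteLine("Bound; server reports authorization identity: " + authzId);

                // A minimal read to prove the session is usable.
                SearchRequest req = new SearchRequest(SearchBase, "(objectClass=*)", SearchScope.Base, "objectClass");
                SearchResponse resp = (SearchResponse)conn.SendRequest(req);
                Console.WriteLine("Base entry readable: " + (resp.Entries.Count == 1));
                return 0;
            }
            catch (LdapException ex)
            {
                // 49 = invalidCredentials (certificate not mapped to an identity),
                // 48 = inappropriateAuthentication, 81 = server down (often a failed TLS handshake).
                Console.WriteLine("LDAP error {0}: {1} {2}", ex.ErrorCode, ex.Message, ex.ServerErrorMessage);
                return 1;
            }
        }
    }

    // Server-certificate check: wldap32 invokes this for SecureSocketLayer sessions.
    // Build the chain against the machine's trusted roots and match the host name;
    // returning true unconditionally would let anyone in the path impersonate the directory.
    static bool VerifyServer(LdapConnection connection, X509Certificate certificate)
    {
        X509Certificate2 cert = new X509Certificate2(certificate);
        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        if (!chain.Build(cert))
        {
            string why = chain.ChainStatus.Length > 0 ? chain.ChainStatus[0].StatusInformation : "chain build failed";
            Console.WriteLine("Server certificate rejected: " + why);
            return false;
        }
        // GetNameInfo returns the first DNS SAN (or the CN); certificates carrying
        // several names need a fuller match than this.
        string dnsName = cert.GetNameInfo(X509NameType.DnsName, false);
        bool nameOk = string.Equals(dnsName, LdapHost, StringComparison.OrdinalIgnoreCase);
        if (!nameOk) Console.WriteLine("Server certificate name mismatch: " + dnsName);
        return nameOk;
    }

    static X509Certificate2 FindInMachineStore(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly | OpenFlags.OpenExistingOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, false);
            return found.Count == 1 ? found[0] : null;
        }
        finally { store.Close(); }
    }
}
```

    If the directory only offers StartTLS on port 389 rather than LDAPS, replace the SecureSocketLayer line with a call to conn.SessionOptions.StartTransportLayerSecurity(null) before Bind(); the client-certificate, AuthType and verification settings stay the same. The "Who am I?" response is the value worth recording in the application's own logs, since it is the identity the directory will authorize, regardless of which certificate the code believes it presented.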
