
ISAPI Filter LDAP Authentication Error on DMZ Server
<p>I am writing an ISAPI filter for a web server that we have running in a DMZ. This ISAPI filter needs to connect to our internal domain controllers to authenticate against Active Directory. There is a rule in the firewall to allow traffic from the DMZ server to our domain controller on port 636, and the firewall shows that the traffic is passing through just fine. The problem lies in the <code>ldap_connect()</code> function. I am getting an error <code>0x51 Server Down</code> when attempting to establish the connection. We use the domain controller's IP address instead of the DNS name since the web server is outside the domain.</p>
<p>ISAPI LDAP connection code:</p>
<pre><code>// Assumed surrounding context (not shown in the original post): the
// fragment lives inside a function that receives the caller's inputs.
#include &lt;windows.h&gt;
#include &lt;winldap.h&gt;
#include &lt;rpcdce.h&gt;   // SEC_WINNT_AUTH_IDENTITY
#include &lt;stdio.h&gt;
#include &lt;string.h&gt;
#pragma comment(lib, "Wldap32.lib")

BOOL authenticate_user(PCHAR servers, PCHAR username, PCHAR password, PCHAR domain)
{
    char search[256];
    LDAP_TIMEVAL timeout;
    SEC_WINNT_AUTH_IDENTITY AuthId;
    ULONG version = LDAP_VERSION3;
    ULONG ldap_response;
    PLDAP ldap;
    BOOL valid_user = FALSE;

    // Set search criteria. Bounded write: username comes from the HTTP
    // request, so the original unbounded strcpy/strcat could overflow.
    // (Escape it per RFC 4515 before using it in a filter.)
    snprintf(search, sizeof search, "(sAMAccountName=%s)", username);
    // Set timeout
    timeout.tv_sec = 30;
    timeout.tv_usec = 30;
    // Setup user authentication
    AuthId.User = (unsigned char *) username;
    AuthId.UserLength = strlen(username);
    AuthId.Password = (unsigned char *) password;
    AuthId.PasswordLength = strlen(password);
    AuthId.Domain = (unsigned char *) domain;
    AuthId.DomainLength = strlen(domain);
    AuthId.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;
    // Initialize LDAP connection (servers = &lt;DC IP address&gt;)
    ldap = ldap_sslinit(servers, LDAP_SSL_PORT, 1);
    if (ldap != NULL) {
        // Set LDAP options
        ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, (void *) &amp;version);
        ldap_set_option(ldap, LDAP_OPT_SSL, LDAP_OPT_ON);
        // Make the connection
        //
        // FAILS HERE with 0x51 (LDAP_SERVER_DOWN)!
        //
        ldap_response = ldap_connect(ldap, &amp;timeout);
        if (ldap_response == LDAP_SUCCESS) {
            // Bind to LDAP connection with the user's credentials
            ldap_response = ldap_bind_s(ldap, (PCHAR) AuthId.User, (PCHAR) &amp;AuthId, LDAP_AUTH_NTLM);
            valid_user = (ldap_response == LDAP_SUCCESS);
        }
    }
    // Unbind LDAP connection if LDAP is established
    if (ldap != NULL)
        ldap_unbind(ldap);
    // Return result
    return valid_user;
}
</code></pre>
<p><code>servers = &lt;DC IP Address&gt;</code></p>
<p>I have tested this code on my local machine that is within the same domain as AD, and it works, both LDAP and LDAP over SSL. We have a server certificate installed on our domain controller from the Active Directory Enrollment Policy, but I read elsewhere that I might need to install a client certificate as well (for our web server). Is this true?</p>
<p>Also, we have a separate WordPress site running on the same DMZ web server that connects to LDAP over SSL just fine. It uses OpenLDAP through PHP to connect and uses the IP address of our domain controllers to connect. We have an ldap.conf file with the line <code>TLS_REQCERT never</code>. Is there a way to mimic this effect in Visual C with what I'm trying to do for the ISAPI filter? I'm hoping this is a programming issue more than a certificate issue. If this is out of the realm of programming, please let me know or redirect me to a better place to post this.</p>
<p>Thanks!</p>
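Added example, not part of the question above and not Wldap32 sample code: the Wldap32 equivalent of OpenLDAP's certificate hook is the `LDAP_OPT_SERVER_CERTIFICATE` option, which takes a `VERIFYSERVERCERT` callback that Wldap32 invokes with the server's certificate during the TLS handshake. A callback that simply returns `TRUE` reproduces `TLS_REQCERT never` and accepts any certificate offered on port 636, so the callback below instead pins the domain controller certificate's SHA-1 thumbprint. The names `thumbprint_allowed`, `VerifyDcCert` and `install_pinning`, the pin list and the probe arrays are mine, and the thumbprint bytes are constructed placeholders (a real pin is read from the DC certificate's Thumbprint field). The pin check itself is portable C; the Wldap32/CryptoAPI wiring is under `#ifdef _WIN32`.

```c
/* Added example: pin the DC's certificate thumbprint in a Wldap32
 * server-certificate callback instead of accepting any certificate.
 * All names and thumbprint values here are constructed placeholders. */
#include <stddef.h>
#include <string.h>

#define SHA1_LEN 20

/* Constructed placeholder pin list: one entry per DC certificate. */
static const unsigned char PINNED_THUMBPRINTS[][SHA1_LEN] = {
    { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
      0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14 },
};
#define PINNED_COUNT (sizeof PINNED_THUMBPRINTS / sizeof PINNED_THUMBPRINTS[0])

/* Constructed probes for the stand-alone demo: one matches, one does not. */
const unsigned char CONSTRUCTED_GOOD_THUMB[SHA1_LEN] = {
    0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0a,
    0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, 0x11, 0x12, 0x13, 0x14 };
const unsigned char CONSTRUCTED_BAD_THUMB[SHA1_LEN] = { 0 };

/* Constant-time comparison so a mismatch does not leak where it differs. */
static int ct_equal(const unsigned char *a, const unsigned char *b, size_t n)
{
    unsigned char diff = 0;
    size_t i;
    for (i = 0; i < n; i++)
        diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* Portable core: 1 if the thumbprint is on the pin list, otherwise 0.
 * A wrong length or NULL input is treated as a mismatch, never as a pass. */
int thumbprint_allowed(const unsigned char *thumb, size_t len)
{
    size_t i;
    if (thumb == NULL || len != SHA1_LEN)
        return 0;
    for (i = 0; i < PINNED_COUNT; i++)
        if (ct_equal(thumb, PINNED_THUMBPRINTS[i], SHA1_LEN))
            return 1;
    return 0;
}

#ifdef _WIN32
#include <windows.h>
#include <winldap.h>
#include <wincrypt.h>
#pragma comment(lib, "Wldap32.lib")
#pragma comment(lib, "Crypt32.lib")

/* VERIFYSERVERCERT callback: Wldap32 passes the server's certificate
 * context; returning FALSE aborts the connection. The callback owns the
 * context and must release it with CertFreeCertificateContext. */
BOOLEAN __cdecl VerifyDcCert(PLDAP Connection, PCCERT_CONTEXT *ppServerCert)
{
    unsigned char thumb[SHA1_LEN];
    DWORD cb = sizeof thumb;
    BOOLEAN ok = FALSE;
    (void)Connection;
    if (CertGetCertificateContextProperty(*ppServerCert,
                                          CERT_SHA1_HASH_PROP_ID, thumb, &cb))
        ok = thumbprint_allowed(thumb, cb) ? TRUE : FALSE;
    CertFreeCertificateContext(*ppServerCert);
    return ok;
}

/* Register the callback on the handle from ldap_sslinit(), before
 * ldap_connect() is called. */
ULONG install_pinning(PLDAP ld)
{
    return ldap_set_option(ld, LDAP_OPT_SERVER_CERTIFICATE, &VerifyDcCert);
}
#endif

int main(void)
{
    /* Stand-alone demo of the pin check: exit 0 only if the good probe
     * is accepted and the bad probe is rejected. */
    int good = thumbprint_allowed(CONSTRUCTED_GOOD_THUMB, SHA1_LEN);
    int bad = thumbprint_allowed(CONSTRUCTED_BAD_THUMB, SHA1_LEN);
    return (good == 1 && bad == 0) ? 0 : 1;
}
```

In the ISAPI code this means calling `install_pinning(ldap)` right after `ldap_sslinit()` and checking that it returns `LDAP_SUCCESS` before `ldap_connect()`. Pinning is a stopgap: the usual fix for a host outside the domain is to import the enterprise CA certificate that issued the DC's certificate into the DMZ server's Trusted Root Certification Authorities store, after which Wldap32's default chain validation passes without any callback. A pin also has to be updated whenever the DC certificate is renewed, which the enrollment policy does automatically.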