Databases
StackOverflow2013
Postsdbo
PO
 

Note that there are some explanatory texts on larger screens.

plurals
  1. PO
    primarykey
    data
    text
    <p>This is a phenomenal question. </p> <p>I've been battling this same issue for a few days now, and I've finally got some definitive proof on why the DirectoryEntry object will not work in this scenario.</p> <p>This particular Ldap server (running on LDAPS 636) also issues it's own self signed certificate. Using LdapConnection (and monitoring the traffic via Wireshark), I noticed a handshake taking place that does not occur when using DirectoryEntry :</p> <p><img src="https://i.stack.imgur.com/Hqfxh.png" alt="enter image description here"></p> <p>The first sequence is the from the secured ldap server, the second sequence is from my machine. The code that prompts the second sequence is :</p> <pre><code>ldapConnection.SessionOptions.VerifyServerCertificate += delegate { return true; }; </code></pre> <p>There are others way to "fake out" the callback, but this what I've been using.</p> <p>Unfortunately, DirectoryEntry does not have an option or method to verify a self signed cert, thus the acceptance of the certificate never happens (second sequence), and the connection fails to initialize.</p> <p>The only feasible way to accomplish this is by using LdapConnection, in conjunction with a SearchRequest and SearchResponse. This is what I've got so far :</p> <pre><code>LdapConnection ldapConnection = new LdapConnection("xxx.xxx.xxx:636"); var networkCredential = new NetworkCredential("Hey", "There", "Guy"); ldapConnection.SessionOptions.SecureSocketLayer = true; ldapConnection.SessionOptions.VerifyServerCertificate += delegate { return true; }; ldapConnection.AuthType = AuthType.Negotiate; ldapConnection.Bind(networkCredential); SearchRequest request = new SearchRequest("DC=xxx,DC=xxx,DC=xxx", "(sAMAccountName=3074861)", SearchScope.Subtree); SearchResponse response = (SearchResponse)ldapConnection.SendRequest(request); if(response.Entries.Count == 1) {SearchResultEntry entry = response.Entries[0]; string DN = entry.DistinguishedName;} </code></pre> <p>From there you can gather AD Properties from the SearchResponse, and process accordingly. This is a total bummer though, because the SearchRequest seems to be much slower then using the DirectoryEntry.</p> <p>Hope this helps!</p>
    singulars
    1. This table or related slice is empty.
    1. POSet callback for System.DirectoryServices.DirectoryEntry to handle self-signed SSL certificate?
      singulars
      1. PTQuestion
    1. PTAnswer
    1. UScadrell0
    1. USX3074861X
    plurals
    1. This table or related slice is empty.
    1. This table or related slice is empty.
    1. POSet callback for System.DirectoryServices.DirectoryEntry to handle self-signed SSL certificate?
      singulars
      1. PTQuestion
    1. This table or related slice is empty.
    1. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTAcceptedByOriginator
    2. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    3. VO
      singulars
      1. PO
      1. This table or related slice is empty.
      1. VTUpMod
    1. COHi. Thanks for the input, much appreciated. I'm also coming to the conclusion that the whole problem could be tackled much more reliably using the lower-level Protocols namespace. What I have noticed is that when the self-signed certificate is correctly added to the local machine certificate store I can set the VerifyServerCertificate callback to validate the cert with success, something like " delegate(LdapConnection connection, X509Certificate certificate) { return new X509Certificate2(certificate).Verify() }", but I still get no joy with DirectoryEntry.
      singulars
      1. PO
      1. USAndrew
    2. COI have also noticed that I get the following in my system events during failed DirectoryEntry attempts : "The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is MYSERVER.MYDOMAIN.CO.UK. The SSL connection request has failed. The attached data contains the server certificate." I'm looking into that now, but I think the answer is still the Protocols namespace for maximum confidence and reduced environmental dependency.
      singulars
      1. PO
      1. USAndrew
    3. COAndrew, thanks for the comment. It seems we're working towards a very similar goal. That error you're seeing in system events coincides with a lot of the information I've read on the net concerning who the certificate is issued to. Many of the servers running SSL that I'm trying to interact with have a cert that is issued to a different domain than the one I'm binding on in the LdapConnection... and this certainly does cause the DirectoryEntry to fail.
      singulars
      1. PO
      1. USX3074861X
 

Querying!

 
Guidance
A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.

SQuiL has stopped working due to an internal error.

If you are curious you may find further information in the browser console, which is accessible through the devtools (F12).

Reload