Tags: asp.net-core, active-directory, ldap, ssl-certificate, ldapconnection

C# Cannot connect to AD using LDAPS


My requirement was to change a user's password in AD. So, I created the LDAP SSL secure connection on the AD domain server by following https://bl.ocks.org/magnetikonline/0ccdabfec58eb1929c997d22e7341e45 successfully.

Using the ldp.exe tool (on the same AD server) I am able to connect with the SSL. This means LDAPS is enabled on the AD server.

Now I am trying to connect to it from the ASP.NET Core application, on the client side, using the library Novell.Directory.Ldap with the following code:

using Microsoft.Extensions.Options;
using Novell.Directory.Ldap;

public LdapConnection GetLDAPConnection(IOptions<ADConfiguration> _settings)
{
    // SecureSocketLayer = true makes the library open a TLS session on connect (LDAPS)
    LdapConnection connection = new LdapConnection { SecureSocketLayer = true };

    // Connects to the DC by IP address; port is 636
    connection.Connect(_settings.Value.DomainIPAddress, _settings.Value.Port);

    // Simple bind with the admin account's DN and password
    connection.Bind(_settings.Value.AdminDn, _settings.Value.Password);

    if (connection.Bound)
    {
        return connection;
    }

    return null;
}

The Connect method is throwing this error:

System.Security.Authentication.AuthenticationException: 'The remote certificate was rejected by the provided RemoteCertificateValidationCallback.'

Does the client machine also have settings for SSL? Or what else am I missing? Please help.


Solution

  • I suspect your problem is using the IP address of the domain controller: _settings.Value.DomainIPAddress

    SSL/TLS has two purposes: to encrypt the traffic, and to validate that the server is actually the server you want to be talking to. To address the second purpose, the domain name you use to connect must match the domain name in the certificate. In your case, when it validates the certificate, it sees that you connected to, let's say, 10.0.0.1, but the certificate it gets from the server says it is example.com and the validation fails because it doesn't match.

    You will have to either:

    1. Change _settings.Value.DomainIPAddress to the domain name used in the certificate. If you don't have DNS set up for that domain name, you could add an entry in your hosts file.
    2. Tell LdapConnection to ignore certificate errors. The data will still be encrypted, but it won't validate the certificate (domain mismatch, expired cert, etc.). This is not recommended for a production application, but there is an example of that here: https://stackoverflow.com/a/67818854/1202807
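The following is an added example, not code from the question or the answer above, showing the first option together with a safer form of the second: connect by the DNS name that appears in the DC certificate, and install a validation callback that reports which check failed (name mismatch versus untrusted chain) and, at most, trusts one known certificate by fingerprint rather than accepting any certificate. A callback that simply returns true turns off server authentication, so anyone on the path could present their own certificate and capture the admin DN and password sent in the simple bind. The host name, DN and configuration class are hypothetical, and the code assumes the 3.x API of Novell.Directory.Ldap.NETStandard, where SecureSocketLayer and UserDefinedServerCertValidationDelegate are exposed on LdapConnection (in 4.x they moved to LdapConnectionOptions).

```csharp
// Added example (not from the question or answer). Assumes the 3.x API of
// Novell.Directory.Ldap.NETStandard; host name, DN and fingerprint are placeholders.
using System;
using System.Net.Security;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using Novell.Directory.Ldap;

public sealed class LdapsConfiguration
{
    // Use the DNS name listed in the DC certificate's Subject Alternative Name,
    // not the IP address, or hostname validation can never succeed (hypothetical value).
    public string DomainControllerHost { get; set; } = "dc01.corp.example.com";
    public int Port { get; set; } = 636; // LDAPS
    public string AdminDn { get; set; } = "CN=svc-pwreset,OU=Service Accounts,DC=corp,DC=example,DC=com";
    public string Password { get; set; } = "";
    // Optional SHA-256 fingerprint of the DC certificate (hex, no separators).
    // Empty means: require normal chain and name validation, no override at all.
    public string PinnedCertSha256 { get; set; } = "";
}

public static class LdapsConnector
{
    public static LdapConnection Connect(LdapsConfiguration cfg)
    {
        var connection = new LdapConnection { SecureSocketLayer = true };

        // Called after the OS has checked chain and host name; sslPolicyErrors tells
        // us which of those checks failed, which is what the original exception hides.
        connection.UserDefinedServerCertValidationDelegate +=
            (sender, certificate, chain, sslPolicyErrors) =>
                ValidateServerCertificate(certificate, sslPolicyErrors, cfg.PinnedCertSha256);

        connection.Connect(cfg.DomainControllerHost, cfg.Port);
        connection.Bind(cfg.AdminDn, cfg.Password);
        return connection.Bound
            ? connection
            : throw new InvalidOperationException("LDAP bind failed");
    }

    // Returns true only when the server certificate should be trusted.
    public static bool ValidateServerCertificate(
        X509Certificate certificate, SslPolicyErrors errors, string pinnedSha256)
    {
        if (errors == SslPolicyErrors.None)
            return true; // trusted chain and matching name: the normal production path

        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateNameMismatch))
            Console.Error.WriteLine(
                $"LDAPS: certificate '{certificate?.Subject}' does not match the host name used to connect " +
                "(connecting by IP address causes this).");
        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateChainErrors))
            Console.Error.WriteLine(
                "LDAPS: certificate chain is not trusted on this client; install the issuing CA certificate.");
        if (errors.HasFlag(SslPolicyErrors.RemoteCertificateNotAvailable))
            Console.Error.WriteLine("LDAPS: server presented no certificate.");

        // Narrow override for lab use: trust exactly one known certificate by fingerprint.
        // This still rejects any other certificate, unlike a callback that returns true.
        if (certificate != null && !string.IsNullOrEmpty(pinnedSha256))
        {
            string actual = Convert.ToHexString(SHA256.HashData(certificate.GetRawCertData()));
            return string.Equals(actual, pinnedSha256, StringComparison.OrdinalIgnoreCase);
        }

        return false;
    }
}
```

In production, leave PinnedCertSha256 empty and instead make the client trust the CA that issued the DC certificate (a private enterprise CA is usually not in the client's trust store by default), so that the callback only ever sees SslPolicyErrors.None. The messages written to stderr tell you which of the two fixes in the answer you actually need.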