I am reviewing code that authenticates user credentials against an LDAP server by creating a DirectoryEntry object as follows:

using System;
using System.DirectoryServices;

// _path holds the LDAP path of the directory and is set elsewhere in the class
DirectoryEntry entry = new DirectoryEntry(_path, domainAndUsername, pwd);
try
{
    // Reading NativeObject forces the bind; the bind fails if the server rejects the credentials
    object obj = entry.NativeObject;
}
catch (Exception ex)
{
    throw new Exception("Error authenticating user. " + ex.Message);
}
If an exception is not thrown then the code assumes that the user credentials are OK.
The code works fine, but my question relates to how secure it is. SSL is used, so the communication between client and web server is secure, but is there a vulnerability in the communication between the web server and the LDAP server?
There is another overloaded parameter to the DirectoryEntry constructor called AuthenticationType. Because no parameter is specified in the above code it uses AuthenticationType = None, which equates to basic authentication.
Would it be better to use AuthenticationType = Secure, AuthenticationType = SecureSocketsLayer or AuthenticationType = Encryption, or maybe a bitwise combination of them?
Michael
By default AuthenticationType.Secure is used when AuthenticationType is not provided in the constructor. This option already encrypts the password, as it uses NTLM/Kerberos for authentication.
You may also specify the Sealing flag (together with Secure) to encrypt all the traffic (not just authentication). This requires Kerberos.
Is the LDAP server you are connecting to an AD? I verified that the above works for AD (the traffic is encrypted, as seen in Wireshark).
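As an added example (not code from the question or the answer above), here is the same bind-based credential check with the authentication flags made explicit: one variant binds with AuthenticationTypes.Secure plus Sealing (and Signing) as the answer suggests, the other uses SecureSocketsLayer against an LDAPS port. The helper also separates "server rejected the credentials" from "something else went wrong", which the original catch-all hides. The class and method names, the LDAP host "dc01.example.com" and the user "EXAMPLE\\alice" are assumptions for illustration; the HRESULT 0x8007052E is the ADSI wrapping of Win32 ERROR_LOGON_FAILURE (1326).

```csharp
// Added example, not from the original post. Assumes .NET Framework with
// System.DirectoryServices referenced, and an AD domain controller reachable
// as dc01.example.com (hypothetical host name).
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;

public static class LdapAuthenticator
{
    // HRESULT for Win32 ERROR_LOGON_FAILURE (1326): ADSI raises this when the
    // directory server rejects the bind credentials.
    private const int LogonFailureHResult = unchecked((int)0x8007052E);

    // Returns true if the server accepts the credentials, false if it rejects
    // them, and rethrows anything else (unreachable server, bad path, TLS
    // failure) so that infrastructure errors are not reported as "bad password".
    public static bool ValidateCredentials(string ldapPath, string domainAndUsername,
                                           string password, AuthenticationTypes authType)
    {
        // Some servers treat an empty password as an anonymous bind, which would
        // succeed; never let that count as a valid login.
        if (string.IsNullOrEmpty(password))
            return false;

        using (var entry = new DirectoryEntry(ldapPath, domainAndUsername, password, authType))
        {
            try
            {
                // Accessing NativeObject forces the bind; that bind is the
                // actual credential check.
                object nativeObject = entry.NativeObject;
                return true;
            }
            // DirectoryServicesCOMException derives from COMException, so this
            // filter catches both; only the logon-failure code means "rejected".
            catch (COMException ex) when (ex.ErrorCode == LogonFailureHResult)
            {
                return false;
            }
        }
    }

    // SSPI (Kerberos/NTLM) bind with signing and sealing: the password is never
    // sent in clear, and the LDAP traffic after the bind is encrypted as well.
    public static bool ValidateWithSealing(string domainController,
                                           string domainAndUsername, string password)
    {
        string path = "LDAP://" + domainController;
        return ValidateCredentials(path, domainAndUsername, password,
            AuthenticationTypes.Secure | AuthenticationTypes.Sealing | AuthenticationTypes.Signing);
    }

    // Alternative when the server exposes LDAPS (port 636) with a certificate
    // the web server trusts: TLS protects the whole session, and the bind
    // itself still uses SSPI rather than a simple (plaintext) bind.
    public static bool ValidateWithLdaps(string domainController,
                                         string domainAndUsername, string password)
    {
        string path = "LDAP://" + domainController + ":636";
        return ValidateCredentials(path, domainAndUsername, password,
            AuthenticationTypes.SecureSocketsLayer | AuthenticationTypes.Secure);
    }

    public static void Main()
    {
        // Hypothetical host, user and password for illustration only.
        bool ok = ValidateWithSealing("dc01.example.com", @"EXAMPLE\alice", "correct horse battery staple");
        Console.WriteLine(ok ? "credentials accepted" : "credentials rejected");
    }
}
```

The exception filter is the important design choice: the original code rethrows every exception as "Error authenticating user", so a down domain controller or a mistyped LDAP path looks identical to a wrong password. With the filter, only an explicit logon failure becomes "rejected"; everything else propagates so it shows up in error logs as what it is. Whichever variant you use, confirm with a capture (as the answer did with Wireshark) that the bind and the subsequent LDAP operations are not readable on the wire.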