Search code examples
active-directoryldapldapconnection

LDAP Connection error ("The server is not operational.") when connecting to port 636

I am trying to connect to LDAP with port 636 but i am getting error "The server is not operational" but if I try to connect to port 389 then it connects normally and get data

This is the code i am using

DirectoryEntry entry = new DirectoryEntry("LDAP://ldap.domain.com:636/ou=**,ou=**,dc=**,dc=**", "uid=user,OU=**,OU=**,DC=**,DC=**", "password", AuthenticationTypes.None);

With this if i try to connect i get error "The server is not operational"

But if i change the code to this 

DirectoryEntry entry = new DirectoryEntry("LDAP://ldap.domain.com:389/ou=**,ou=**,dc=**,dc=**", "uid=user,OU=**,OU=**,DC=**,DC=**", "password", AuthenticationTypes.None);

Or even this remove the port (which by default i think use 389 port)

DirectoryEntry entry = new DirectoryEntry("LDAP://ldap.domain.com/ou=**,ou=**,dc=**,dc=**", "uid=user,OU=**,OU=**,DC=**,DC=**", "password", AuthenticationTypes.None);

Then it connects normally and get data.

Can anyone please help me connect LDAP through 636 port becasue in test sever environment i need to connect through 636 cannot use 389.

Solution

  • Three things need to happen for LDAP over SSL to work:

    1. You need network connectivity (no firewall in the way). To test this, you can use PowerShell's Test-NetConnection:
    Test-NetConnection ldap.domain.com -Port 636
    1. You need to trust the certificate. If it's using a self-signed certificate, then it may not be trusted from the computer that you're downloading it from. There is some PowerShell code here that can download a cert so that you can inspect it. I modified it for use here (just change the $domain to the actual domain):
    $domain = "ldap.domain.com"
$webRequest = [Net.WebRequest]::Create("https://$($domain):636")
try { $webRequest.GetResponse() } catch {}
$cert = $webRequest.ServicePoint.Certificate
$bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
set-content -value $bytes -encoding byte -path "~\Downloads\$domain.cer"

    That will put the certificate in your "Downloads" folder. Open the .cer file and it should tell you right away if it's trusted on your machine. If not, then you will need to obtain the root certificate and install it as a Trusted Root Certificate on any machine where this code runs.

    1. The fully-qualified domain name you are using to connect to AD must match the SSL certificate exactly (or one of the "Subject Alternative Names" of the cert). Sometimes, the cert will be issued in the name of the domain controller (e.g. dc1.domain.com), in which case, you must target that specific DC ("LDAP://dc1.domain.com:636") instead of just the name of the domain.