Tags: c#, ssl, active-directory, directoryentry

Directory entry | Error when using Encryption or SSL


I'm trying to encrypt my Active Directory access with the following code:

using System.DirectoryServices;

// Already tried different paths (LDAP://domain.com, LDAPS://domain.com etc.)
string path = "LDAP://domain.com:636";
var ldapConnection = new DirectoryEntry(path, "loginName", "password");

ldapConnection.AuthenticationType = AuthenticationTypes.Secure; // Works perfectly
ldapConnection.AuthenticationType = AuthenticationTypes.Encryption; // Doesn't work
ldapConnection.AuthenticationType = AuthenticationTypes.SecureSocketsLayer; // Doesn't work

Both authentication types that don't work throw the same exception:

System.DirectoryServices.DirectoryServicesCOMException (0x8007052E): The username or password is incorrect.

Firstly, I saw that I was missing a Certificate Server on my AD DS and installed it. But after the installation I get the same error. I might need to install/configure more things. If so, please share resources on what needs to be done.

My questions: Do I need any prerequisites (e.g. on the AD DS) to be able to use AuthenticationTypes.Encryption or AuthenticationTypes.SecureSocketsLayer? Or do I need a different user for these authentication types?
Any help is greatly appreciated.


Solution

  • Try this:

    ldapConnection.AuthenticationType = AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer;
    

    Secure defines the type of authentication that is used, whereas SecureSocketsLayer defines the type of connection. They serve different purposes, so they can be used together.

    But really, you don't need to specify anything. The default is Secure, and if you specify port 636, it will use SSL since that's the only way the server would accept the connection on that port. That's why it works when you only specify Secure.

    That's also the reason it fails if you specify SecureSocketsLayer by itself. Once you specify anything, the default (Secure) is discarded and only what you specify is used. Without Secure it will try basic authentication (AKA "simple bind"), which is probably disabled on your domain.

    More reading in the documentation for the AuthenticationTypes Enum.
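The flag behaviour the answer describes, as an added example (not the answerer's code): the helper checks whether the chosen `AuthenticationTypes` flags would drop `Secure` and fall back to a simple bind before any credentials leave the process, then forces the bind so a rejection shows up at construction time. The host `domain.com`, the account name and the 0x8007052E mapping are taken from the question; everything else is assumed for illustration.

```csharp
using System;
using System.DirectoryServices;

static class LdapBindCheck
{
    // True when the flags would produce a simple bind on a plaintext connection:
    // once any flag is set, the default Secure is gone, and without Secure
    // DirectoryEntry uses a simple bind, which sends the password in the clear
    // unless SecureSocketsLayer is also present.
    public static bool SendsCleartextCredentials(AuthenticationTypes flags)
    {
        bool secure = (flags & AuthenticationTypes.Secure) != 0;
        bool ssl = (flags & AuthenticationTypes.SecureSocketsLayer) != 0;
        return !secure && !ssl;
    }

    // Builds the entry with explicit flags and binds immediately, so a
    // misconfiguration surfaces here rather than at the first query.
    public static DirectoryEntry Bind(string host, string user, string password,
                                      AuthenticationTypes flags)
    {
        if (SendsCleartextCredentials(flags))
            throw new InvalidOperationException(
                "Refusing to bind: these flags would send credentials via a plaintext simple bind.");

        var entry = new DirectoryEntry($"LDAP://{host}:636", user, password, flags);
        try
        {
            object _ = entry.NativeObject; // accessing NativeObject performs the LDAP bind
            return entry;
        }
        catch (DirectoryServicesCOMException ex)
        {
            entry.Dispose();
            // 0x8007052E is the "username or password is incorrect" code from the question;
            // with a valid password it usually means Secure was omitted and a simple bind was refused.
            string hint = ex.ErrorCode == unchecked((int)0x8007052E)
                ? " (bind rejected; include AuthenticationTypes.Secure so Negotiate is used instead of a simple bind)"
                : string.Empty;
            throw new InvalidOperationException("LDAP bind failed" + hint, ex);
        }
    }

    static void Main()
    {
        // Host and account are placeholders carried over from the question.
        var flags = AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer;
        using var entry = Bind("domain.com", "loginName", "password", flags);
        Console.WriteLine($"Bound to {entry.Properties["distinguishedName"].Value}");
    }
}
```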