
How do I ignore the client certificate prompt when connecting to LDAPS using PowerShell?


I have a simple PowerShell script that binds to a non-AD LDAP server via LDAPS using anonymous auth and does a simple query. My issue is that when the bind initiates, the LDAP server prompts me for a client certificate and I get a "select certificate" dialog. If my smartcard is in the reader, it wants to use my client cert and asks for a PIN; if I enter the PIN, it actually fails with an "LDAP server unavailable" message. If I take the smartcard out, I can cancel out of the certificate prompt a couple of times and the bind continues and I can do the query. I am wondering if there is a session option that will allow me to disable the certificate prompts. I have talked to the directory admins; they said the LDAP server is configured for cert auth when using SSL, but it is only optional. The client should handle whether to use cert auth or not. Just wondering if there is a clean way to bypass the cert prompts in PowerShell.

Here is my simple code:

# Load System.DirectoryServices.Protocols (S.DS.P). LoadWithPartialName is deprecated;
# Add-Type does the same job. System.Net is not needed for this script.
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Connect to the LDAPS port (636). The SSL flag must be set before Bind().
$c = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList "dir.mycompany.com:636"

# Set session options
$c.SessionOptions.SecureSocketLayer = $true
$c.SessionOptions.ProtocolVersion = 3

# Anonymous bind: no credentials are sent over the connection
$c.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous

$c.Bind()

$basedn = "ou=People,dc=mycompany,dc=com"
$filter = "(uid=testuser1)"
$scope = [System.DirectoryServices.Protocols.SearchScope]::Subtree
$attrlist = ,"employeeID"   # unary comma makes this a one-element string[]

$r = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $basedn, $filter, $scope, $attrlist

# SendRequest returns a DirectoryResponse; for a SearchRequest it is a SearchResponse,
# whose Entries collection holds the matching objects
$re = $c.SendRequest($r)

$re.Entries.Count
$re.Entries

Solution

  • The QueryClientCertificate property of SessionOptions is there if you need to write code to decide which client certificate to send, and it is supposed to return the certificate to use.

    I don't know if this will work, but try making that return $null:

    # The callback is (LdapConnection, byte[][] trustedCAs) -> X509Certificate;
    # PowerShell converts the script block to that delegate on assignment
    $c.SessionOptions.QueryClientCertificate = { param($connection, $trustedCAs) $null }
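The script below is an added example, not code from the question or the answer above. It puts the answer's idea into a complete, runnable form: an anonymous LDAPS bind with a QueryClientCertificate callback that returns $null so the TLS handshake sends no client certificate and the selection dialog and smartcard PIN prompt never appear, while server-certificate validation is left at its default. The host, base DN, filter and attribute are the ones from the question; the callback parameter types come from the .NET QueryClientCertificateCallback delegate. The commented-out VerifyServerCertificate block and its placeholder thumbprint are assumptions for illustration only.

```powershell
# Added example (not from the original post): anonymous LDAPS bind that suppresses
# the client-certificate prompt without weakening server-certificate checks.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server = 'dir.mycompany.com'   # host from the question
$port   = 636

# LdapDirectoryIdentifier(server, port, fullyQualifiedDnsHostName, connectionless)
$id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier -ArgumentList $server, $port, $false, $false
$c  = New-Object System.DirectoryServices.Protocols.LdapConnection -ArgumentList $id

$c.SessionOptions.SecureSocketLayer = $true
$c.SessionOptions.ProtocolVersion   = 3
$c.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous

# The server asks for a client certificate during the handshake (optional client
# auth). The delegate signature is (LdapConnection, byte[][] trustedCAs) -> X509Certificate.
# Returning $null answers "no certificate", so no dialog or PIN prompt is raised
# and the bind proceeds anonymously, which is what the script wants anyway.
$c.SessionOptions.QueryClientCertificate = {
    param([System.DirectoryServices.Protocols.LdapConnection] $connection,
          [byte[][]] $trustedCAs)
    return $null
}

# Caveat: do not "fix" TLS trust errors by setting VerifyServerCertificate to a block
# that returns $true unconditionally; that accepts any server certificate and leaves
# the channel open to interception. Left unset, the normal chain validation against
# the Windows trust store applies. If you need pinning instead, compare explicitly:
# $c.SessionOptions.VerifyServerCertificate = {
#     param($connection, [System.Security.Cryptography.X509Certificates.X509Certificate] $cert)
#     $cert2 = [System.Security.Cryptography.X509Certificates.X509Certificate2] $cert
#     return ($cert2.Thumbprint -eq 'EXPECTED-THUMBPRINT')   # placeholder, not a real value
# }

try {
    $c.Bind()

    $basedn   = 'ou=People,dc=mycompany,dc=com'
    $filter   = '(uid=testuser1)'
    $scope    = [System.DirectoryServices.Protocols.SearchScope]::Subtree
    $attrlist = ,'employeeID'

    $r  = New-Object System.DirectoryServices.Protocols.SearchRequest -ArgumentList $basedn, $filter, $scope, $attrlist
    $re = [System.DirectoryServices.Protocols.SearchResponse] $c.SendRequest($r)

    "Entries returned: $($re.Entries.Count)"
    foreach ($entry in $re.Entries) {
        $dn  = $entry.DistinguishedName
        $eid = if ($entry.Attributes.Contains('employeeID')) { $entry.Attributes['employeeID'][0] } else { '<not set>' }
        "{0}  employeeID={1}" -f $dn, $eid
    }
}
catch [System.DirectoryServices.Protocols.LdapException] {
    # ErrorCode is the raw LDAP/Wldap32 result; ServerErrorMessage carries any server diagnostic
    Write-Error ("LDAP error {0}: {1} {2}" -f $_.Exception.ErrorCode, $_.Exception.Message, $_.Exception.ServerErrorMessage)
}
finally {
    $c.Dispose()
}
```

Returning $null from QueryClientCertificate is the right fix here precisely because the directory admins said client-cert auth is optional: the server's TLS CertificateRequest is answered with an empty certificate list, the handshake completes, and the LDAP bind stays anonymous. If the server ever flips client-cert auth to required, the same callback is where you would return the smartcard certificate (for example one selected from the CurrentUser\My store by thumbprint) rather than letting the default UI prompt decide.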