使用SSL与Active Directory联系 [英] Contact Active Directory with SSL
问题描述
我有一种方法可以根据Active Directory验证用户凭据。我想将此方法与SSL结合使用,但无法正常工作。
I have a method that validates user credentials against Active Directory. I would like to use this method with SSL but I can't get it to work.
主要问题是我的服务器不在网络中(它叫做DMZ吗?)。然后我要从那里联系我的活动目录,这就是为什么我要使用SSL。
The main problem is that I have a server that are outside of our network (is it called DMZ?). And from there I wanna contact my active directory, and that's why I want to use SSL.
在本地计算机(不是来自DMZ)上使用时,会出现此错误:
When using this on my local computer (not from DMZ) I get this error:
System.DirectoryServices.AccountManagement.PrincipalServerDownException:无法联系服务器。 ---> System.DirectoryServices.Protocols.LdapException:LDAP服务器不可用。
,位于System.DirectoryServices.Protocols.LdapConnection.Connect()
,位于System.DirectoryServices.Protocols .LdapConnection.SendRequestHelper(DirectoryRequest请求,Int32& messageID)
在System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest请求,TimeSpan requestTimeout)
在System.DirectoryServices.Protocols。 LdapConnection.SendRequest(DirectoryRequest请求)
,位于System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(字符串serverName,ServerProperties&属性)
System.DirectoryServices.AccountManagement.PrincipalServerDownException: The server could not be contacted. ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
at System.DirectoryServices.Protocols.LdapConnection.Connect()
at System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request)
at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
-内部异常堆栈跟踪的结尾---
在System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName,ServerProperties& property)
在System .DirectoryServices.AccountManagement.PrincipalContext.DoServerVerifyAndProp在System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType,字符串名称,字符串容器,ContextOptions选项,字符串用户名,字符串密码)中检索(b)
。 DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType,字符串名称,字符串容器,ContextOptions选项)
在Authorization.AuthorizeAD.ValidateCredentials(String用户名,字符串密码)
--- End of inner exception stack trace ---
at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoServerVerifyAndPropRetrieval()
at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, ContextOptions options, String userName, String password)
at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, ContextOptions options)
at Authorization.AuthorizeAD.ValidateCredentials(String username, String password)
我认为在从服务器尝试SSL之前,最好先从本地使用SSL。
I figured that it would be good to get it working with SSL from local before I try it from our server.
我的方法:
public bool ValidateCredentials(string username, string password) {
using (
var context = new PrincipalContext(ContextType.Domain, ContextName, ContextContainer,
ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing |
ContextOptions.SecureSocketLayer)) {
return context.ValidateCredentials(username, password);
}
}
如前所述,没有 ContextOptions.SecureSocketLayer 可以正常工作(如果参数为空,其他三个默认情况下都是默认的)
As said before, without ContextOptions.SecureSocketLayer it works fine (the other three are by default if parameter is null)
有人知道我应该如何使用 PrincipalContext 使用SSL正确吗?
Does anyone know how I should use PrincipalContext correct with SSL?
推荐答案
您确定它支持SSL并且防火墙吗是开放的以允许该连接?
Are you sure it supports SSL and that the firewall is open to allow that connection?
LDAP使用端口389。LDAPS使用端口636。
LDAP uses port 389. LDAPS uses port 636.
如果telnet客户端安装,您可以使用它来检查连接性:
If you have the telnet client installed, you can use it to check the connectivity:
telnet yourdomain.com 636
如果出现空白屏幕,则可以正常工作。如果无法连接,它将告诉您。
If you get a blank screen, it worked. If it can't connect, it will tell you.
如果该连接已打开但仍无法正常工作,则可能是使用自签名SSL证书。在Windows事件日志中检查与证书相关的错误。
If that is open and it still does not work, it could be using a self-signed SSL certificate. Check the Windows event log for certificate-related errors.
我还使用Chrome浏览器检查了证书。您必须像这样运行chrome:
I've also used Chrome to check the certificate. You have to run chrome like this:
chrome.exe --explicitly-allowed-ports=636
然后浏览到 https://yourdomain.com:636 并查看如果它给您任何证书错误。然后,您实际上可以看到证书。如果是这样,您可以导入证书并明确信任它。
Then browse to https://yourdomain.com:636 and see if it gives you any certificate errors. Then you can actually see the certificate. If that's the problem, you may be able to import the certificate and explicitly trust it.
这篇关于使用SSL与Active Directory联系的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
