使用 SSL 联系 Active Directory [英] Contact Active Directory with SSL

问题描述

我有一种方法可以根据 Active Directory 验证用户凭据.我想将此方法与 SSL 一起使用，但我无法使其正常工作.

I have a method that validates user credentials against Active Directory. I would like to use this method with SSL but I can't get it to work.

主要问题是我有一台位于我们网络之外的服务器(是否称为 DMZ?).从那里我想联系我的活动目录，这就是我想使用 SSL 的原因.

The main problem is that I have a server that are outside of our network (is it called DMZ?). And from there I wanna contact my active directory, and that's why I want to use SSL.

在我的本地计算机(不是来自 DMZ)上使用它时，我收到此错误:

When using this on my local computer (not from DMZ) I get this error:

System.DirectoryServices.AccountManagement.PrincipalServerDownException:无法联系服务器.---> System.DirectoryServices.Protocols.LdapException:LDAP 服务器不可用.
在 System.DirectoryServices.Protocols.LdapConnection.Connect()
在 System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID)
在 System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
在 System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest 请求)
在 System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)

System.DirectoryServices.AccountManagement.PrincipalServerDownException: The server could not be contacted. ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
at System.DirectoryServices.Protocols.LdapConnection.Connect()
at System.DirectoryServices.Protocols.LdapConnection.SendRequestHelper(DirectoryRequest request, Int32& messageID)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request, TimeSpan requestTimeout)
at System.DirectoryServices.Protocols.LdapConnection.SendRequest(DirectoryRequest request)
at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)

---内部异常堆栈跟踪结束---
在 System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
在 System.DirectoryServices.AccountManagement.PrincipalContext.DoServerVerifyAndPropRetrieval()
在 System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, ContextOptions options, String userName, String password)
在 System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, ContextOptions options)
在 Authorization.AuthorizeAD.ValidateCredentials(String username, String password)

--- End of inner exception stack trace ---
at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
at System.DirectoryServices.AccountManagement.PrincipalContext.DoServerVerifyAndPropRetrieval()
at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, ContextOptions options, String userName, String password)
at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, ContextOptions options)
at Authorization.AuthorizeAD.ValidateCredentials(String username, String password)

我认为在我从我们的服务器尝试之前，最好先从本地使用 SSL.

I figured that it would be good to get it working with SSL from local before I try it from our server.

我的方法:

public bool ValidateCredentials(string username, string password) {
        using (
            var context = new PrincipalContext(ContextType.Domain, ContextName, ContextContainer,
                ContextOptions.Negotiate | ContextOptions.Signing | ContextOptions.Sealing |
                ContextOptions.SecureSocketLayer)) {
            return context.ValidateCredentials(username, password);
        }
    }

如前所述，没有 ContextOptions.SecureSocketLayer 它工作正常(如果参数为空，其他三个默认情况下)

As said before, without ContextOptions.SecureSocketLayer it works fine (the other three are by default if parameter is null)

有谁知道我应该如何正确使用 PrincipalContext 和 SSL?

Does anyone know how I should use PrincipalContext correct with SSL?

推荐答案

您确定它支持 SSL 并且防火墙已打开以允许该连接?

Are you sure it supports SSL and that the firewall is open to allow that connection?

LDAP 使用端口 389.LDAPS 使用端口 636.

LDAP uses port 389. LDAPS uses port 636.

如果您安装了 telnet 客户端，您可以使用它来检查连接:

If you have the telnet client installed, you can use it to check the connectivity:

telnet yourdomain.com 636

如果你得到一个空白屏幕，它就起作用了.如果它无法连接，它会告诉你.

If you get a blank screen, it worked. If it can't connect, it will tell you.

如果它已打开但仍然不起作用，则可能是使用了自签名 SSL 证书.检查 Windows 事件日志中是否存在与证书相关的错误.

If that is open and it still does not work, it could be using a self-signed SSL certificate. Check the Windows event log for certificate-related errors.

我还使用 Chrome 来检查证书.你必须像这样运行 chrome:

I've also used Chrome to check the certificate. You have to run chrome like this:

chrome.exe --explicitly-allowed-ports=636

然后浏览到 https://yourdomain.com:636 并查看它是否给您任何证书错误.然后你就可以真正看到证书了.如果这是问题所在，您或许可以导入证书并明确信任它.

Then browse to https://yourdomain.com:636 and see if it gives you any certificate errors. Then you can actually see the certificate. If that's the problem, you may be able to import the certificate and explicitly trust it.

这篇关于使用 SSL 联系 Active Directory的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！