C#: How to connect to Active Directory with SSL enabled?

Problem description

The project I am working on will integrate with the customer's Active Directory in order to authenticate users. I have been trying to write some code that will retrieve a user's password and I understand that Active Directory will only expose the relevant properties over an SSL connection on port 636.

The following code connects programmatically without using SSL but then I can't see the password properties:

using System;
using System.DirectoryServices;

class Program
{
	static void Main(string[] args)
	{
		// Bind to the domain controller over plain LDAP (port 389).
		DirectoryEntry entry = new DirectoryEntry(@"LDAP://<IP>/CN=LDAP Test,CN=Users,DC=customer,DC=com");
		// AuthenticationTypes.None is a simple bind: the bind password crosses the wire unencrypted.
		entry.AuthenticationType = AuthenticationTypes.None;
		entry.Username = "CN=LDAP Test,CN=Users,DC=customer,DC=com";
		entry.Password = "<password>";
		// Print the names of the attributes the server returned for this object.
		foreach (string propName in entry.Properties.PropertyNames)
		{
			Console.WriteLine(propName);
		}
	}
}

When I change the code to use SSL I get an exception stating 'Unknown error (0x80005000)'.

I have enabled SSL on the server hosting Active Directory, installed a Microsoft CA on the same server and obtained a certificate from the CA.

I can connect to the Active Directory over SSL using Apache Directory Studio but that does not show the password properties.

The following code shows what I have been trying to use to connect using SSL:

using System;
using System.DirectoryServices;

class Program
{
	static void Main(string[] args)
	{
		// Same object, but addressed over port 636 with the SSL flag set.
		// This is the construction that fails with 'Unknown error (0x80005000)'.
		DirectoryEntry entry = new DirectoryEntry(@"LDAPS://<IP>:636/CN=LDAP Test,CN=Users,DC=customer,DC=com");
		entry.AuthenticationType = AuthenticationTypes.SecureSocketsLayer;
		entry.Username = "CN=LDAP Test,CN=Users,DC=customer,DC=com";
		entry.Password = "<password>";
		// Print the names of the attributes the server returned for this object.
		foreach (string propName in entry.Properties.PropertyNames)
		{
			Console.WriteLine(propName);
		}
	}
}

I'm not sure where to go with this and some assistance would be greatly appreciated.

Solution

I have been trying to write some code that will retrieve a users password...

This is unrelated to your SSL problem, but I don't think retrieving a user's password from Active Directory is possible. It only stores a hash and that's why you aren't receiving any kind of "password" property when querying the user's properties.

Updated Answer

After reading your comment, it appears you're looking for the unicodePwd attribute which contains the security hash. According to the MSDN information, writing to that attribute requires the special SSL connection but you still won't be able to read it because it's a write-only attribute.

Specifically from MSDN:

The unicodePwd attribute is never returned by an LDAP search.

Here's also a forum post that I found that seems to say the same thing:

The users' password is stored in the Active Directory on a user object in the unicodePwd attribute. This attribute can be written under restricted conditions, but it cannot be read due to security reasons. (Source: http://social.technet.microsoft.com/Forums/en-US/winserverfiles/thread/63e3cf2d-f186-418e-bc85-58bdc1861aae)
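The following is an added example, not code from the question or the answer above. It shows how the two halves of the problem fit together in C#: you cannot read unicodePwd, so a user is authenticated by binding to the directory as that user over LDAPS, and unicodePwd is only ever written (an administrative reset) over an SSL/TLS connection. Two facts worth knowing when reading it: ADSI has no `LDAPS://` provider, the prefix is always `LDAP://` and SSL is selected by port 636 together with `AuthenticationTypes.SecureSocketsLayer` (0x80005000 is E_ADS_BAD_PATHNAME, the error for an invalid ADSI path, which is what the `LDAPS://` string in the question triggers); and TLS certificate validation is performed against the server name you connect to, so connect by the domain controller's DNS name rather than its IP as in the question. The host name dc1.customer.com, the service account password, and the user CN=jdoe are assumptions made for the example. The example uses System.DirectoryServices.Protocols for the connection, and the common shortcut of making VerifyServerCertificate always return true is deliberately avoided, because that would let an on-path attacker terminate the TLS session and read the simple-bind password.

```csharp
// Added example (not from the original question or answer): connecting to Active
// Directory over LDAPS with System.DirectoryServices.Protocols, validating the server
// certificate, authenticating a user by binding as that user, and resetting a password
// through the write-only unicodePwd attribute.
//
// Assumptions (hypothetical names, not from the page): the DC is reachable as
// dc1.customer.com on 636, its certificate chains to a CA the client machine trusts,
// and the service account used in Main has "Reset password" rights on the target user.
using System;
using System.DirectoryServices;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Text;

static class AdOverLdaps
{
    // Connect by DNS name, not IP: the TLS certificate is checked against this name.
    const string Server = "dc1.customer.com";
    const int LdapsPort = 636;

    // Open an LDAPS connection and refuse it unless the server certificate is valid.
    public static LdapConnection Connect(string bindDn, string password)
    {
        var conn = new LdapConnection(new LdapDirectoryIdentifier(Server, LdapsPort));
        conn.SessionOptions.ProtocolVersion = 3;
        conn.SessionOptions.SecureSocketLayer = true;
        // Do not "return true" here: that accepts any certificate, including one presented
        // by an attacker sitting between the client and the domain controller.
        conn.SessionOptions.VerifyServerCertificate = (c, cert) => IsTrusted(cert);
        conn.AuthType = AuthType.Basic;             // simple bind; acceptable only because TLS is on
        conn.Credential = new NetworkCredential(bindDn, password);
        conn.Bind();                                 // throws LdapException (error 49) on bad credentials
        return conn;
    }

    static bool IsTrusted(X509Certificate certificate)
    {
        var cert = new X509Certificate2(certificate);
        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            if (!chain.Build(cert)) return false;    // untrusted issuer, expired, revoked, ...
        }
        // GetNameInfo returns the first DNS SAN (or the CN). Production code should compare
        // against every SAN entry; this is enough to reject a certificate issued for another host.
        string name = cert.GetNameInfo(X509NameType.DnsName, false);
        return string.Equals(name, Server, StringComparison.OrdinalIgnoreCase);
    }

    // Authenticate a user the way AD intends: bind as that user over TLS.
    // There is no password attribute to read and compare; unicodePwd is never returned.
    public static bool ValidateCredentials(string userDn, string password)
    {
        // A DN with an empty password is an unauthenticated/anonymous bind, which a directory
        // may accept. Reject it explicitly so it can never count as a successful login.
        if (string.IsNullOrEmpty(password)) return false;
        try
        {
            using (Connect(userDn, password)) return true;
        }
        catch (LdapException ex) when (ex.ErrorCode == 49) // LDAP_INVALID_CREDENTIALS
        {
            return false;
        }
    }

    // Administrative password reset: the one operation unicodePwd supports, and only over
    // SSL/TLS. The value is the new password wrapped in double quotes, encoded as UTF-16LE.
    public static void ResetPassword(LdapConnection adminConn, string userDn, string newPassword)
    {
        byte[] value = Encoding.Unicode.GetBytes("\"" + newPassword + "\"");
        var request = new ModifyRequest(userDn, DirectoryAttributeOperation.Replace, "unicodePwd", value);
        adminConn.SendRequest(request); // throws DirectoryOperationException if the server refuses
    }

    // The same SSL connection through ADSI: the provider prefix stays LDAP://, SSL is chosen
    // by the port and the SecureSocketsLayer flag. An "LDAPS://" path is rejected as an
    // invalid pathname (0x80005000, E_ADS_BAD_PATHNAME).
    public static DirectoryEntry BindWithAdsi(string bindDn, string password)
    {
        var entry = new DirectoryEntry(
            "LDAP://" + Server + ":" + LdapsPort + "/CN=LDAP Test,CN=Users,DC=customer,DC=com",
            bindDn, password, AuthenticationTypes.SecureSocketsLayer);
        entry.RefreshCache(); // forces the bind now so connection errors surface here
        return entry;
    }

    static void Main()
    {
        const string serviceDn = "CN=LDAP Test,CN=Users,DC=customer,DC=com";
        const string userDn = "CN=jdoe,CN=Users,DC=customer,DC=com";
        using (var admin = Connect(serviceDn, "<service password>"))
        {
            Console.WriteLine(ValidateCredentials(userDn, "<user password>"));
            ResetPassword(admin, userDn, "N3w-P@ssw0rd!");
        }
    }
}
```

System.DirectoryServices.Protocols ships with the .NET Framework and, for .NET Core and later, as a NuGet package; DirectoryEntry (ADSI) is Windows-only. If the customer's domain controllers are not reachable by a name that appears in their certificates, fix the certificates or DNS rather than weakening IsTrusted.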
