3

I have a PrincipalContext that uses SSL. This works fine when using a method like Context.ValidateCredentials(). But when I need to find a user using UserPrincipal.FindByIdentity() I get the following error:

System.Runtime.InteropServices.COMException: The server is unwilling to process the request.
   at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
   at System.DirectoryServices.DirectoryEntry.Bind()
   at System.DirectoryServices.DirectoryEntry.get_SchemaEntry()
   at System.DirectoryServices.AccountManagement.ADStoreCtx.IsContainer(DirectoryEntry de)
   at System.DirectoryServices.AccountManagement.ADStoreCtx..ctor(DirectoryEntry ctxBase, Boolean ownCtxBase, String username, String password, ContextOptions options)
   at System.DirectoryServices.AccountManagement.PrincipalContext.CreateContextFromDirectoryEntry(DirectoryEntry entry)
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
   --- End of inner exception stack trace ---
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoLDAPDirectoryInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoDomainInit()
   at System.DirectoryServices.AccountManagement.PrincipalContext.Initialize()
   at System.DirectoryServices.AccountManagement.PrincipalContext.get_QueryCtx()
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithTypeHelper(PrincipalContext context, Type principalType, Nullable`1 identityType, String identityValue, DateTime refDate)
   at System.DirectoryServices.AccountManagement.Principal.FindByIdentityWithType(PrincipalContext context, Type principalType, String identityValue)
   at System.DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(PrincipalContext context, String identityValue)

My method:

public List<string> GetUserInfo(string user) {
    var list = new List<string>();

    using (var context = new PrincipalContext(ContextType.Domain, "xxxx.xxxx.xxxx:636", "DC=xxxx,DC=xxxx,DC=xxxx", ContextOptions.SimpleBind | ContextOptions.Sealing | ContextOptions.SecureSocketLayer)) {
        var uP = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, user);

        // Do stuff with uP
    }
    return list;
}

But this is working fine:

public bool ValidateCredentials(string username, string password) {
    using (var context = new PrincipalContext(ContextType.Domain, "xxxx.xxxx.xxxx:636", "DC=xxxx,DC=xxxx,DC=xxxx", ContextOptions.SimpleBind | ContextOptions.Sealing | ContextOptions.SecureSocketLayer)) {
        return context.ValidateCredentials(username, password);
    }
}

How come I can't work with UserPrincipal using the Context with SSL? If I remove SSL it works fine.

MrProgram

2 Answers

6

I changed my ContextOptions to Negotiate and SSL. Then it worked.

MrProgram
  • I had the same problem. Tried changing the options to Negotiate and SSL. Exact same error message. Are you sure this solved your problem and you didn't just fall back to the 389 port? – Quark Soup Feb 02 '17 at 21:23
  • Yes this worked for me, with port 636. Have you checked in the firewall if you can see anything there? I also used this solution from a server at DMZ – MrProgram Feb 06 '17 at 10:15
  • Yeah. I even turned off the firewall. When the two machines are on different domains but connected through the intranet, it works. When the two machines are on different domains but connect through the Internet, it fails. – Quark Soup Feb 07 '17 at 11:32
  • Ok. Well, I used trial and error :) so maybe you could try some other options and see how it works? – MrProgram Feb 08 '17 at 13:38
  • I think it all depends on how the secure AD is configured. For me the SimpleBind and SSL worked. `List result = new List(); PrincipalContext context = new PrincipalContext(ContextType.Domain, "x.x.x:636", "DC=xxx,DC=xxx,DC=xxx", ContextOptions.SecureSocketLayer | ContextOptions.SimpleBind, "domain\\username", password);` – salli Mar 20 '22 at 14:23
0

Unfortunately there are not enough code examples that show how to configure PrincipalContext or DirectoryEntry to use LDAPS (SSL Active Directory). I have found these solutions for this issue:

Configure PrincipalContext to use LDAPS:

// Server name and container are placeholders; pr() in the original is a print shorthand, replaced here by Console.WriteLine.
var path = "test.domainName.local:636";
ContextOptions options = ContextOptions.Negotiate | ContextOptions.SecureSocketLayer;
using (var context = new PrincipalContext(ContextType.Domain, path, "DC=xyz,DC=local", options))
{
    Console.WriteLine("Name: " + context.Name);
    Console.WriteLine("ConnectedServer: " + context.ConnectedServer);
    Console.WriteLine("Container: " + context.Container);
    Console.WriteLine("UserName: " + context.UserName);
}

Configure DirectoryEntry to use LDAPS:

// LDAP:// path with the LDAPS port; pr() replaced by Console.WriteLine as above.
string path = "LDAP://test.domainName.local:636";
using (var dic = new DirectoryEntry(path))
{
    Console.WriteLine("Name: " + dic.Name);
    Console.WriteLine("Path: " + dic.Path);
    Console.WriteLine("AuthenticationType: " + dic.AuthenticationType);
    Console.WriteLine("SchemaClassName: " + dic.SchemaClassName);
    Console.WriteLine("Username: " + dic.Username);
}
Dominique
Mostafa
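Pulling the two answers together, here is an added example (not code from either poster) of an LDAPS lookup that mirrors the question's GetUserInfo but uses the Negotiate + SecureSocketLayer combination from the accepted answer, optionally with explicit bind credentials as in salli's comment, and surfaces the exact exception rather than swallowing it. The server name, container and user names are placeholders; the DirectoryEntry part sets AuthenticationTypes.SecureSocketsLayer explicitly instead of relying on the port number alone.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;

public static class LdapsLookup
{
    // Placeholders: replace with your domain controller and base DN.
    const string Server = "dc01.example.local:636";
    const string Container = "DC=example,DC=local";

    // Negotiate (Kerberos/NTLM) inside the TLS session. SimpleBind | SecureSocketLayer
    // is the other sound combination; SimpleBind without TLS would send the password in clear.
    const ContextOptions Options = ContextOptions.Negotiate | ContextOptions.SecureSocketLayer;

    public static List<string> GetUserInfo(string samAccountName, string bindUser = null, string bindPassword = null)
    {
        var info = new List<string>();
        // Without explicit credentials the current process identity is used for Negotiate.
        using (var context = bindUser == null
            ? new PrincipalContext(ContextType.Domain, Server, Container, Options)
            : new PrincipalContext(ContextType.Domain, Server, Container, Options, bindUser, bindPassword))
        {
            try
            {
                using (var user = UserPrincipal.FindByIdentity(context, IdentityType.SamAccountName, samAccountName))
                {
                    if (user == null) { info.Add("not found"); return info; }
                    info.Add("dn=" + user.DistinguishedName);
                    info.Add("enabled=" + (user.Enabled ?? false));
                    info.Add("lastLogon=" + (user.LastLogon?.ToString("u") ?? "never"));
                }
            }
            catch (PrincipalServerDownException ex)
            {
                // Typical for a closed port 636 or an untrusted DC certificate: the TLS handshake never completes.
                info.Add("server down: " + ex.Message);
            }
            catch (System.Runtime.InteropServices.COMException ex)
            {
                // The "server is unwilling" case from the question surfaces here; log HRESULT for the DC-side trace.
                info.Add($"bind failed 0x{ex.HResult:X8}: {ex.Message}");
            }
        }
        return info;
    }

    // DirectoryEntry equivalent: request TLS explicitly rather than trusting the port alone.
    public static string DescribeEntry(string bindUser, string bindPassword)
    {
        var authType = AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer;
        using (var de = new DirectoryEntry("LDAP://" + Server + "/" + Container, bindUser, bindPassword, authType))
        {
            de.RefreshCache();                       // forces the bind so failures surface here
            return de.Name + " via " + de.AuthenticationType;
        }
    }
}
```

Calling GetUserInfo without credentials is the correct shape for a service running as a domain account; only pass a bind user and password when, as in the DMZ case discussed in the comments, the process has no domain identity of its own.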