Connect to SLDAP server V3 by using DirectoryServices.AccountManagement.PrincipalContext

Question

I have one issue when trying to connect to the LDAP server through code. It works fine when I use admin tool to connect to it.

it works fine when using this admin tool to connect to it. it doesn't work when I use this code to connect to it, it says The server could not be contacted. ---> System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable. My code:

Using context As DirectoryServices.AccountManagement.PrincipalContext = New DirectoryServices.AccountManagement.PrincipalContext(DirectoryServices.AccountManagement.ContextType.Domain, SingleSignOn.ADDomain, SingleSignOn.ADSecurityGroup, DirectoryServices.AccountManagement.ContextOptions.SecureSocketLayer Or DirectoryServices.AccountManagement.ContextOptions.Negotiate, UserName, Password)

                    Using foundUser = DirectoryServices.AccountManagement.UserPrincipal.FindByIdentity(context, UserName)
                        Return foundUser IsNot Nothing
                    End Using

                End Using

My question is: how to set up the code to use version 3? Thank you in advance for your help/ideas.

It's possible that the certificate isn't trusted by Windows (and LDAP Admin doesn't care). Check [this answer](https://stackoverflow.com/a/62895231/1202807) for instructions on how to check the certificate. — Gabriel Luci, Dec 09 '21 at 16:26
when I run that bat script, it says '$webRequest' is not recognized as an internal or external command, operable program or batch file. — LoverBugs, Dec 09 '21 at 16:51
@GabrielLuci when I use this tool, first it shows this message https://prnt.sc/22hg100; saying the certificate is self-signed.... after hitting the Yes button it connects ... — LoverBugs, Dec 09 '21 at 16:58
It's not a batch file, it's a PowerShell script. You need to run it in a PowerShell window. The certificate is definitely your problem then. — Gabriel Luci, Dec 09 '21 at 17:16

score 0 · Answer 1 · answered Dec 09 '21 at 17:24

0

Windows needs to trust the SSL certificate, otherwise the connection will fail. Unfortunately the error message doesn't tell you that.

You have a couple options:

Change the certificate being used on the server to a certificate from a trusted root authority. This is the best way to do it, especially if this is a production server.
Tell Windows to trust the self-signed cert. This would have to be done on every computer that will connect. To do this, use the PowerShell script in this answer to download the certificate (change the URL to match your server). This will give you a .cer file. Then follow the instructions here to import it on the computer that you are running this code on. In that article, start at the heading "To start the certificate import process through Microsoft Management Console (MMC)". In step 4, you have the option to import it for the current user only, or for the whole computer (which requires local admin rights).

answered Dec 09 '21 at 17:24

Gabriel Luci

38,328
4
55
84

I did it, https://prnt.sc/22huwxc but getting the same exception. :/ – LoverBugs Dec 09 '21 at 18:55
Double-click on the .cer file. Does it say that it is trusted or does it show you a red error? – Gabriel Luci Dec 09 '21 at 19:04
https://prnt.sc/22hw9pq this is it; and under the details tab it says :https://prnt.sc/22hwf0g – LoverBugs Dec 09 '21 at 19:07
That looks right. Maybe you need to reboot? I'm not sure. – Gabriel Luci Dec 09 '21 at 19:13
Did you install the cert for "My user account" or the "Computer account"? – Gabriel Luci Dec 09 '21 at 19:15
Computer Account. Is that correct? – LoverBugs Dec 09 '21 at 19:16
btw I have another output from WireShark, previously I had retransmission, now I have this : 52945 [RST, ACK] Seq=2469 Ack=181 Win=0 Len=0 ----- marked with red. – LoverBugs Dec 09 '21 at 19:22
Computer account is fine. Best I can suggest is to reboot if you haven't already. Seems odd. It should work. – Gabriel Luci Dec 09 '21 at 19:50
weird, I am getting the exception again : https://codeshare.io/EBJObP – LoverBugs Dec 10 '21 at 13:07
any idea what it could be? – LoverBugs Dec 10 '21 at 13:12
Not really... unless it just doesn't like the self-signed cert, even if it's trusted. Does LDAP Admin still give you an error? – Gabriel Luci Dec 10 '21 at 14:07
when using this LDAP admin tool http://www.ldapadmin.org/docs/index.html and choosing version 3, it is able to connect. any idea how to switch to it (v3) from the code? – LoverBugs Dec 10 '21 at 14:34
I didn't find any constructor for New DirectoryServices.AccountManagement.PrincipalContext where version can be explicitly specified? – LoverBugs Dec 10 '21 at 14:38
Let us [continue this discussion in chat](https://chat.stackoverflow.com/rooms/240016/discussion-between-loverbugs-and-gabriel-luci). – LoverBugs Dec 10 '21 at 15:28
the AD is actually hosted on Azure – LoverBugs Dec 10 '21 at 17:57

Connect to SLDAP server V3 by using DirectoryServices.AccountManagement.PrincipalContext

1 Answers1