none
ActiveDirectoryMembershipProvider - How to limit to use only secure connection on port 636 (LDAPS)

    Pertanyaan

  • We are trying to use the ActiveDirectoryMembershipProvider through Secure connection on port 636, but whatever we tried so far, provider still tries to use/connect also on the unsecure port 389.

    The AD is behind a firewall and only ports 636 and 445 are open, 389 is forbidden!

    We used Wireshark to trace the LDAP communication: provider first starts a connection to port 636, than to 445 and then to 389 ... why?! How to stop the provider to use port 389 at all?

    WCF services are unable to start, because the membership provider results in error on Initialize method immediately.

    .Net FW is 4.6.2

    Thanks in advance,

    Kamis, 22 November 2018 16.07

Semua Balasan

  • Have you set "connectionProtection" to "Secure" in your web.config file?
    • Diedit oleh cheong00 Jumat, 23 November 2018 01.26
    Jumat, 23 November 2018 01.25
  • This is how the web.config looks like (replaced host, user etc. to dummy data)

    <add name="ADMembershipProviderForClients" 
         type="ACME.Core.Security.Authentication.ADMembershipProviderForClients" 
         applicationName="AppName" 
         attributeMapUsername="sAMAccountName" 
         connectionStringName="ADConnectionString" 
         connectionUsername="techuser" 
         connectionPassword="Password1" 
         connectionProtection="Secure" />
    
    <add name="ADConnectionString" connectionString="LDAP://acme.com:636/DC=test,DC=com" />

    As you can see connectionProtection is Secure and port is 636. Still provider tries to communicate to port 389.

    This is the error message we have

    The specified domain or server could not be contacted.
       at System.Web.Security.DirectoryInformation.InitializeDomainAndForestName()
       at System.Web.Security.ActiveDirectoryMembershipProvider.Initialize(String name, NameValueCollection config)
    


    Jumat, 23 November 2018 09.17
  • Try connect to server through ADSI Edit as mentioned in here to verify the setup to server is done properly. (It's at about one-third of the page, or use "ADSI Edit" as keyword to search for the paragraphs.

    Or use "ldp.exe" at the end of the page to test it.

    Btw, since "sign and seal" method actually uses port 389, if you set the provider to "secure" as connection protection setting, probably means something in the initial try of SSL connection goes wrong, say: the "name" of the e-cert is not exact match of the hostname you supplied to LDAP connection string.

    [quote]

    The Active Directory Domain Service administration tools still use port 389, but they are protected by the sign and seal binding.

    [/quote]


    • Diedit oleh cheong00 Jumat, 23 November 2018 09.57
    Jumat, 23 November 2018 09.46
  • The communication is fine on port 636, we can trace it on Wireshark and also on ldap admin tools.

    When ActiveDirectoryMembershipProvider is initialized the communication is started up on 636 using TLS. But during the initialization sequence there is a call to InitializeDomainAndForestName() in System.Web.Security.DirectoryInformation class. That method triggers the following calls: 

    DirectoryContext context2 = new DirectoryContext(DirectoryContextType.DirectoryServer, serverName, GetUsername(), GetPassword());
    	try
    	{
    		Domain domain2 = Domain.GetDomain(context2);
    		domainName = GetNetbiosDomainNameIfAvailable(domain2.Name);
    		forestName = domain2.Forest.Name;
    	}
    	catch (ActiveDirectoryObjectNotFoundException)
    	{
    		throw new ProviderException(SR.GetString("ADMembership_unable_to_contact_domain"));
    	}

    By tracing down the behaviour of Domain.GetDomain() it seems that it can only work on port 389/LDAP, and it is just unable to use SSL, by design.

    Once this call is executed, the communication goes back to 636/LDAPS. Traffic trace shows, that initialization starts LDAPS connection on 636, then it opens an LDAP connection on 389, then goes back to 636. All subsequent operation after the initialization (e.g. ValidateUser) goes on 636/LDAPS.   

    If 389 is closed then Domain.GetDomain() fails and the whole initialization sequence fails.

    It really seems that ActiveDirectoryMembershipProvider is just unable to initialize itself without port 389, although everything its fine with SSL connection prerequisites, and able to use SSL.

    Jumat, 23 November 2018 12.09
  • Hi Gabor Hollosy,

    This forum discusses and asks questions about .NET Framework Base Classes, since your issue is more related to AD & LDAP, I would suggest that you could post the issue on AD & LDAP forum for suitable support.

    https://forums.asp.net/93.aspx/1?Active+Directory+and+LDAP

    Thanks for your understanding.

    Best regards,

    Zhanglong


    MSDN Community Support
    Please remember to click "Mark as Answer" the responses that resolved your issue, and to click "Unmark as Answer" if not. This can be beneficial to other community members reading this thread. If you have any compliments or complaints to MSDN Support, feel free to contact MSDNFSF@microsoft.com.

    Selasa, 27 November 2018 03.19