kerberos authentication over ldap

2
votes

I am working on console application which fetch the users data from active directory using ldap DirectoryServices.Protocols. Currently i am able to fetch the data using the basic authentication over SSL, TLS and simple connection (neither SSL nor TLS). but now i wanted to fetch the data using the kerberos authentication over SSL, TLS and simple connection. I am currently using the below code for this.

LdapDirectoryIdentifier ldap_id = new LdapDirectoryIdentifier(
                                            host, 
                                            Int32.Parse(port), 
                                            true, 
                                            false);
LdapConnection con = new LdapConnection(ldap_id);

con.AuthType = AuthType.Kerberos;
con.SessionOptions.Sealing = true;
con.SessionOptions.Signing = true;
con.SessionOptions.ProtocolVersion = 3;

con.Bind();

This gives me error as "ldap server is unavailable". Can someone please suggest what is wrong with the above code? Also please let me know if any setting I need to do on the server and client for kerberos authentication. Do I need to pass the network credentials as give below as I am passing it for basic authentication?

LdapDirectoryIdentifier ldapIdentifier = new LdapDirectoryIdentifier(
                                            host, 
                                            Int32.Parse(port), 
                                            true, 
                                            false);
NetworkCredential credential = new NetworkCredential(username, password);
LdapConnection con = new LdapConnection(ldapIdentifier, credential, AuthType.Kerberos);    
con.SessionOptions.Sealing = true;
con.SessionOptions.Signing = true;
con.SessionOptions.ProtocolVersion = 3;
con.Bind();
2
c#-4.0authenticationactive-directoryldapkerberos

2 Answers

1
votes

Below is the code that works for Basic, Kerberos Authentication over SSL, TLS and simple (neither SSL nor TLS connection) over LDAP.

Note : The connectionAccountName passed to the NetworkCredential should be the user principle name. you can check user's principle name by checking the Attribute userPrincipleName value in the AttributeEditor section of user of Active Directory and Port for ssl is 636 and for other it will be 389.

var networkCredential = new NetworkCredential(connectionAccountName, connectionAccountPassword);
LdapDirectoryIdentifier ldapDirectoryIdentifier = null;

switch (connectionType)
{
    case LDAPConnectionType.SSL:
                ldapDirectoryIdentifier = new LdapDirectoryIdentifier(ldapServerName, Convert.ToInt16(LDAPPorts.SSL));
                ldapConnection = new LdapConnection(ldapDirectoryIdentifier, networkCredential, authType);
                ldapConnection.SessionOptions.ProtocolVersion = 3;
                ldapConnection.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback(ServerCallback);
                ldapConnection.SessionOptions.SecureSocketLayer = true;

                break;

    case LDAPConnectionType.TLS:
                ldapDirectoryIdentifier = new LdapDirectoryIdentifier(ldapServerName, Convert.ToInt16(LDAPPorts.Default));
                ldapConnection = new LdapConnection(ldapDirectoryIdentifier, networkCredential, authType);
                ldapConnection.SessionOptions.VerifyServerCertificate = new VerifyServerCertificateCallback(ServerCallback);
                ldapConnection.SessionOptions.StartTransportLayerSecurity(null);

                break;

    default:
                ldapDirectoryIdentifier = new LdapDirectoryIdentifier(ldapServerName, Convert.ToInt16(LDAPPorts.Default));
                ldapConnection = new LdapConnection(ldapDirectoryIdentifier, networkCredential, authType);

                break;
}

ldapConnection.Bind();

Thanks

Umesh Tayade

0
votes

If you read this carefully, you'll see that Negotiate is used and it selects Kerberos as the best option when available.