If your callback function actually gets called, that means the server itself
can do an SSL handshake. If you want to find out why the default
verification fails, I think it is easier to write a small piece of code
using .NET SslStream so you can get the full certificate chain provided by
the server and get the failure code. The most likely problems are:
- name mismatch between the subject name in the cert and the DNS name used
to establish the connection
- server's full certificate chain is not trusted by the client
- server's certificate is expired
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
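Added example, not code from Joe's reply or from the quoted posts: a small console program of the kind Joe describes, which opens an SslStream to the LDAPS port, lets the handshake run with the default validation, and prints the certificate chain and the SslPolicyErrors / chain status so you can see which of the three causes above applies. The host name ldap.example.com and port 636 are placeholder assumptions; pass your own server as arguments. Unlike a callback that always returns true, this callback returns the real validation result, so the handshake fails exactly as LdapConnection's default validation would.

```csharp
using System;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography.X509Certificates;

// Added diagnostic (not from the thread): explain why the default SSL
// certificate validation rejects an LDAPS server's certificate.
static class LdapsCertDiagnostic
{
    public static int Main(string[] args)
    {
        // Placeholder defaults; use the same DNS name you give LdapDirectoryIdentifier.
        string host = args.Length > 0 ? args[0] : "ldap.example.com";
        int port = args.Length > 1 ? int.Parse(args[1]) : 636;

        using (var tcp = new TcpClient(host, port))
        using (var ssl = new SslStream(tcp.GetStream(), false, ReportAndValidate))
        {
            try
            {
                // targetHost is what the certificate's subject/SAN is matched against.
                ssl.AuthenticateAsClient(host);
                Console.WriteLine("Handshake OK: {0}, cipher strength {1} bits",
                                  ssl.SslProtocol, ssl.CipherStrength);
                return 0;
            }
            catch (AuthenticationException ex)
            {
                Console.WriteLine("Handshake rejected: " + ex.Message);
                return 1;
            }
        }
    }

    // RemoteCertificateValidationCallback: report everything, then return the
    // honest result rather than "true", so nothing is silently accepted.
    private static bool ReportAndValidate(object sender, X509Certificate certificate,
                                          X509Chain chain, SslPolicyErrors errors)
    {
        if (certificate == null)
        {
            Console.WriteLine("Server presented no certificate (" + errors + ")");
            return false;
        }

        var cert = new X509Certificate2(certificate);
        Console.WriteLine("Server cert subject: " + cert.Subject);
        Console.WriteLine("Issuer:              " + cert.Issuer);
        Console.WriteLine("Valid:               {0:u} to {1:u}", cert.NotBefore, cert.NotAfter);
        Console.WriteLine("Policy errors:       " + errors);

        // Cause 1: subject/SAN does not match the host passed to AuthenticateAsClient.
        if ((errors & SslPolicyErrors.RemoteCertificateNameMismatch) != 0)
            Console.WriteLine("  -> name mismatch: connect with a DNS name the cert was issued for");

        // Cause 3: expired (also shows up as NotTimeValid in the chain status below).
        if (DateTime.Now > cert.NotAfter || DateTime.Now < cert.NotBefore)
            Console.WriteLine("  -> certificate is outside its validity period");

        // Cause 2: chain not trusted (untrusted root, missing intermediate, revoked, ...).
        // chain.ChainStatus names the exact reason for each problem found.
        if ((errors & SslPolicyErrors.RemoteCertificateChainErrors) != 0 && chain != null)
        {
            foreach (X509ChainElement element in chain.ChainElements)
                Console.WriteLine("  chain element: " + element.Certificate.Subject);
            foreach (X509ChainStatus status in chain.ChainStatus)
                Console.WriteLine("  -> {0}: {1}", status.Status, status.StatusInformation.Trim());
        }

        return errors == SslPolicyErrors.None;
    }
}
```

Run it as `LdapsCertDiagnostic.exe servername 636` with the same host name the LdapConnection uses; a chain status of UntrustedRoot or PartialChain means the client machine needs the issuing CA (or the missing intermediate) in its trusted store, while NotTimeValid and RemoteCertificateNameMismatch point at the certificate itself or at the name used to connect.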
"nelsonad" <nelsonad@[EMAIL PROTECTED]> wrote in message
news:8DD09D3A-50AF-4BE0-87AF-029A114DC211@[EMAIL PROTECTED]
> That makes sense, I just don't know how to work with certificates I guess.
> But hopefully our customers trying to integrate LDAP authentication with our
> application will....I guess I need to provide configuration options for
> using SSL, the LDAP Search Root, and the Server Context
>
> My authentication code is as follows: using S.DS.P objects
>
> LdapConnection con = new LdapConnection(
>     new LdapDirectoryIdentifier(this.SearchRoot),
>     new System.Net.NetworkCredential(string.Empty, string.Empty),
>     AuthType.Basic);
> con.SessionOptions.SecureSocketLayer = this.UseSSL;
> using (con)
> {
>     con.Bind();
>     SearchRequest request = new SearchRequest("o=" + this.Context,
>         "(uid=" + this.tbUserName.Text + ")",
>         System.DirectoryServices.Protocols.SearchScope.Subtree);
>
>     SearchResponse response = (SearchResponse)con.SendRequest(request);
>     SearchResultEntry entry = response.Entries[0];
>     string dn = entry.DistinguishedName;
>     con.Credential = new NetworkCredential(dn, this.tbPassword.Text);
>     con.Bind();
> }
>
> in local testing I also have a line
> con.SessionOptions.VerifyServerCertificate = new
>     VerifyServerCertificateCallback(ServerCallback);
>
> which simply returns true because I can't seem to get my certificates
> validated.
>
>
> "Lance R" wrote:
>
>> On Aug 6, 1:23 pm, nelsonad <nelso...@[EMAIL PROTECTED]> wrote:
>> > I figured out that I was using the wrong value for ldap-server...I had
>> > been trying servername-nds but it should just be servername, so then I ran
>> > the query and got an exception of: server certificate verification failed.
>> > Connection aborted.
>>
>> Yep, I can help with this.
>>
>> In order to be the most secure, the component can't just accept any
>> old SSL certificate unless one of the following is true:
>>
>> 1. The server machine automatically trusts it (the cert issuer's
>> public key is installed in the trusted root certificate store)
>>
>> 2. You tell it to accept it by setting the SSLAcceptServerCert
>> property before attempting to connect. If initially you don't have
>> such a setting, the component will provide the server certificate to
>> you for your inspection in the SSLServerCert property when you attempt
>> to bind. If you trust this certificate, you can then set the
>> SSLAcceptServerCert to this same certificate before making future
>> requests.
>>
>> 3. If you're using the SSLServerAuthentication event, you can inspect
>> the server certificate right there, and set the Accept parameter to
>> true to go ahead and accept the certificate and continue with the
>> connection.
>>
>> Lance
>> http://www.lancerobinson.net/
>>
>>