c# - DirectoryEntry 在尝试使用安全端口连接 ldap 服务器时出现 com 异常

Question

异常快照 enter image description here 步骤 A=>验证正确的证书配置

我有一个窗口服务，我试图通过它从安全端口 636 (SSL) 连接 LDAP 服务器，所有证书都是正确的 配置好，我已经使用工具 ldap.exe 验证了这一点，还检查了 portqry 工具以检查端口 636 是否正在监听 并且成功地做到了这一点。

STEP B=>Code Snippet Which is not working for secure port 636(For SSL) but working correctly with non secure port (389) A strange observation the Below code works well when i run it as console based application even with port 636 but fails when run as window service.

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Diagnostics;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.DirectoryServices.Protocols;
using System.IO;
using System.Linq;
using System.Net;
using System.ServiceProcess;
using System.Text;
using System.Threading.Tasks;

namespace SampleLDAPWindowsService
{
    public partial class Service1 : ServiceBase
    {
        public Service1()
        {
            InitializeComponent();
        }

        protected override void OnStart(string[] args)
        {

            TestDirectoryEntryWay();

        }

        protected override void OnStop()
        {


        }

        }
        public DirectoryEntry createDirectoryEntry()
        {
            // create and return new LDAP connection with desired settings  
            DirectoryEntry ldapConnection = null;
            ldapConnection = new DirectoryEntry("LDAP://abc.domain.com:636", "DomainAdmin", "DomainAdmin123", AuthenticationTypes.SecureSocketsLayer);
            return ldapConnection;
        }

        public void TestDirectoryEntryWay()
        {
            DirectorySearcher _searcher = null;
            SearchResult result_user = null;
            DirectoryEntry de = createDirectoryEntry();
            try
            {
                object o = de.SchemaEntry;//Getting a com exception  as the SchemaEntry is null not sure why as the same is working properly in port 389 
                _searcher = new DirectorySearcher(de, "(&(objectClass=user)(SAMAccountName=" + "demouser1" + "))");
                if (_searcher != null)
                {
                    result_user = _searcher.FindOne();

                }
            }
            catch (Exception ex)
            {
                //Getting a com exception 

            }

        }
    }
}

STEP C=>在窗口服务的636端口和389端口工作的代码

using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Diagnostics;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.DirectoryServices.Protocols;
using System.IO;
using System.Linq;
using System.Net;
using System.ServiceProcess;
using System.Text;
using System.Threading.Tasks;

namespace SampleLDAPWindowsService
{
    public partial class Service1 : ServiceBase
    {
        public Service1()
        {
            InitializeComponent();
        }

        protected override void OnStart(string[] args)
        {
            System.Diagnostics.Debugger.Launch();
            // TestDirectoryEntryWay();
            var isLogged2 = SignInLDAP2("DomainAdmin", "DomainAdmin123", ""LDAP://abc.domain.com:636"", "abc.domain.com", true);
        }

        protected override void OnStop()
        {


        }

        public  bool SignInLDAP2(string user, string psw, string ldapPath, string domain = null, bool useSSL = false)
        {
            // LdapConnection ldapConnection = new LdapConnection(ldapPath);

            var ldapDirectoryIdentifier = new LdapDirectoryIdentifier("abc.domain.com", 636, true, false);
            LdapConnection ldapConnection = new LdapConnection(ldapDirectoryIdentifier);

            if (useSSL)
            {
                ldapConnection.SessionOptions.SecureSocketLayer = true;

                ldapConnection.AuthType = AuthType.Negotiate;

                ldapConnection.SessionOptions.VerifyServerCertificate += delegate { return true; };
            }

            //var networkCredential = new NetworkCredential("Hey", "There", "Guy");
            var networkCredential = new NetworkCredential(user, psw, domain);
            try
            {
                ldapConnection.Bind(networkCredential);

                bool exists = UserExists("demouser1");
                return true;
            }
            catch (Exception ex)
            {
                return false;
            }
        }
        public bool UserExists(string username)
        {
            // create your domain context
            using (PrincipalContext domain = new PrincipalContext(ContextType.Domain, "abc.domain.com", "DomainAdmin", "DomainAdmin123"))
            {
                // find the user
                UserPrincipal foundUser = UserPrincipal.FindByIdentity(domain, IdentityType.Name, username);

                return foundUser != null;
            }
        }



        }
    }
}

问题在这里

使用带有 DirectoryEntry 的安全端口时是否存在问题，因为 LdapConnection 和 networkCredential 可以在两个端口(636 和 389)上顺利运行， 我有一个使用 DirectoryEntry 的遗留代码，我希望它也能用于安全端口 还有。

在此先感谢您的所有支持和指导。

Answer 1

您运行此程序的计算机可能不信任 SSL 证书。

我使用 Chrome 对此进行了测试。像这样运行 Chrome(根据您的 Chrome 所在的路径进行调整):

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --explicitly-allowed-ports=636

然后在 Chrome 中，转到 https://abc.domain.com:636 .如果证书受信任，您将看到“无法连接”类的消息。但如果它不受信任，Chrome 会给你一个大红色警告，你知道这就是问题所在。

要信任证书，您需要获取根证书(作为文件，可能是 *.cer 或 *.crt)并将其安装在每台将运行您的代码的机器上。以下是在 Windows 中安装根证书的说明:https://www.thewindowsclub.com/manage-trusted-root-certificates-windows