异常快照 enter image description here 步骤 A=>验证正确的证书配置
我有一个窗口服务,我试图通过它从安全端口 636 (SSL) 连接 LDAP 服务器,所有证书都是正确的 配置好,我已经使用工具 ldap.exe 验证了这一点,还检查了 portqry 工具以检查端口 636 是否正在监听 并且成功地做到了这一点。
STEP B=>Code Snippet Which is not working for secure port 636(For SSL) but working correctly with non secure port (389) A strange observation the Below code works well when i run it as console based application even with port 636 but fails when run as window service.
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Diagnostics;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.DirectoryServices.Protocols;
using System.IO;
using System.Linq;
using System.Net;
using System.ServiceProcess;
using System.Text;
using System.Threading.Tasks;
namespace SampleLDAPWindowsService
{
public partial class Service1 : ServiceBase
{
public Service1()
{
InitializeComponent();
}
protected override void OnStart(string[] args)
{
TestDirectoryEntryWay();
}
protected override void OnStop()
{
}
}
public DirectoryEntry createDirectoryEntry()
{
// create and return new LDAP connection with desired settings
DirectoryEntry ldapConnection = null;
ldapConnection = new DirectoryEntry("LDAP://abc.domain.com:636", "DomainAdmin", "DomainAdmin123", AuthenticationTypes.SecureSocketsLayer);
return ldapConnection;
}
public void TestDirectoryEntryWay()
{
DirectorySearcher _searcher = null;
SearchResult result_user = null;
DirectoryEntry de = createDirectoryEntry();
try
{
object o = de.SchemaEntry;//Getting a com exception as the SchemaEntry is null not sure why as the same is working properly in port 389
_searcher = new DirectorySearcher(de, "(&(objectClass=user)(SAMAccountName=" + "demouser1" + "))");
if (_searcher != null)
{
result_user = _searcher.FindOne();
}
}
catch (Exception ex)
{
//Getting a com exception
}
}
}
}
STEP C=>在窗口服务的636端口和389端口工作的代码
using System;
using System.Collections.Generic;
using System.ComponentModel;
using System.Data;
using System.Diagnostics;
using System.DirectoryServices;
using System.DirectoryServices.AccountManagement;
using System.DirectoryServices.Protocols;
using System.IO;
using System.Linq;
using System.Net;
using System.ServiceProcess;
using System.Text;
using System.Threading.Tasks;
namespace SampleLDAPWindowsService
{
public partial class Service1 : ServiceBase
{
public Service1()
{
InitializeComponent();
}
protected override void OnStart(string[] args)
{
System.Diagnostics.Debugger.Launch();
// TestDirectoryEntryWay();
var isLogged2 = SignInLDAP2("DomainAdmin", "DomainAdmin123", ""LDAP://abc.domain.com:636"", "abc.domain.com", true);
}
protected override void OnStop()
{
}
public bool SignInLDAP2(string user, string psw, string ldapPath, string domain = null, bool useSSL = false)
{
// LdapConnection ldapConnection = new LdapConnection(ldapPath);
var ldapDirectoryIdentifier = new LdapDirectoryIdentifier("abc.domain.com", 636, true, false);
LdapConnection ldapConnection = new LdapConnection(ldapDirectoryIdentifier);
if (useSSL)
{
ldapConnection.SessionOptions.SecureSocketLayer = true;
ldapConnection.AuthType = AuthType.Negotiate;
ldapConnection.SessionOptions.VerifyServerCertificate += delegate { return true; };
}
//var networkCredential = new NetworkCredential("Hey", "There", "Guy");
var networkCredential = new NetworkCredential(user, psw, domain);
try
{
ldapConnection.Bind(networkCredential);
bool exists = UserExists("demouser1");
return true;
}
catch (Exception ex)
{
return false;
}
}
public bool UserExists(string username)
{
// create your domain context
using (PrincipalContext domain = new PrincipalContext(ContextType.Domain, "abc.domain.com", "DomainAdmin", "DomainAdmin123"))
{
// find the user
UserPrincipal foundUser = UserPrincipal.FindByIdentity(domain, IdentityType.Name, username);
return foundUser != null;
}
}
}
}
}
问题在这里
使用带有 DirectoryEntry 的安全端口时是否存在问题,因为 LdapConnection 和 networkCredential 可以在两个端口(636 和 389)上顺利运行, 我有一个使用 DirectoryEntry 的遗留代码,我希望它也能用于安全端口 还有。
在此先感谢您的所有支持和指导。
最佳答案
您运行此程序的计算机可能不信任 SSL 证书。
我使用 Chrome 对此进行了测试。像这样运行 Chrome(根据您的 Chrome 所在的路径进行调整):
"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --explicitly-allowed-ports=636
然后在 Chrome 中,转到 https://abc.domain.com:636 .如果证书受信任,您将看到“无法连接”类的消息。但如果它不受信任,Chrome 会给你一个大红色警告,你知道这就是问题所在。
要信任证书,您需要获取根证书(作为文件,可能是 *.cer 或 *.crt)并将其安装在每台将运行您的代码的机器上。以下是在 Windows 中安装根证书的说明:https://www.thewindowsclub.com/manage-trusted-root-certificates-windows
关于c# - DirectoryEntry 在尝试使用安全端口连接 ldap 服务器时出现 com 异常,我们在Stack Overflow上找到一个类似的问题: https://stackoverflow.com/questions/51870866/