X500DistinguishedName Exception - The string contains an invalid X500 name attribute key, oid, value or delimiter string

  • Question

  • We recently reorganized our LDAP directory and started identifying users (by DN) with uid=, as in:

    uid=first.lastname, ou=users, o=ourorganization

    This is a huge project with tens of thousands of users and high visibility. We instantiate System.Security.Cryptography.X509Certificates.X500DistinguishedName objects in our code in many places. In the past, our DNs used cn= as in:

    cn=first.lastname, ou=users, o=ourorganization

    Now the instantiation of the X500DistinguishedName is failing with the exception in the title of this forum entry.

    I have isolated it to the fact that the DN now starts with uid=. This is perfectly legitimate, and in fact, Microsoft's site specifies that in some places. I suspect the .net api is filtering on what it considers to be valid RDN identifiers and it does not include UID as one of them. I've created a test case, and all the typical ones work, just not uid.

    Code example:

    using System.Security.Cryptography.X509Certificates;
    X500DistinguishedName xdn = new X500DistinguishedName("uid=first.last, ou=users, o=ourorg");

    Edit: (by the way, why can't I paste into this window?)

    Another developer used Reflector to determine that the X500DistinguishedName constructor calls the crypt32.dll CertStrToName function, which is returning the exception. The documentation on CertStrToName clearly does not include UID in the list of possible keys. We feel this is a bug/fault/deficiency of .NET since UID is clearly a legitimate RDN key.

    Thursday, June 18, 2015 4:13 PM
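    The behaviour described in the question can be checked directly. The following probe is an added example and is not code from the original post: it feeds the cn= form, the uid= form and an OID-keyed form of the same RDN to X500DistinguishedName, reports which ones the constructor accepts, and confirms that the accepted uid attribute actually lands in the DER output by looking for the encoded OID. The OID 0.9.2342.19200300.100.1.1 is the standard userId attribute type from RFC 4519; that the "OID.x.y.z=" key syntax is accepted on a given runtime is an assumption to verify, since X500DistinguishedName(string) delegates to CertStrToName on .NET Framework and may use a different parser on other runtimes.

```csharp
// Added example, not from the original post. Probes which RDN keys
// X500DistinguishedName accepts and verifies the uid attribute in RawData.
// Assumptions: Windows, .NET Framework 4.x or .NET 6+; the exact text
// returned by Decode() may differ between runtimes.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

class DnProbe
{
    // userId attribute type (RFC 4519 / RFC 1274).
    const string UidOid = "0.9.2342.19200300.100.1.1";

    // DER encoding of that OID: tag 0x06, length 0x0A, then the base-128 arcs.
    static readonly byte[] UidOidDer =
        { 0x06, 0x0A, 0x09, 0x92, 0x26, 0x89, 0x93, 0xF2, 0x2C, 0x64, 0x01, 0x01 };

    // Try to build the DN; return false with the exception text if the
    // constructor (and thus CertStrToName) rejects the string.
    static bool TryParse(string dn, out X500DistinguishedName parsed, out string error)
    {
        parsed = null;
        error = null;
        try
        {
            parsed = new X500DistinguishedName(dn);
            return true;
        }
        catch (CryptographicException ex)
        {
            error = ex.Message;
            return false;
        }
    }

    // True if the DER-encoded name contains the uid attribute type OID,
    // i.e. the attribute survived parsing as uid rather than being renamed.
    static bool ContainsUidOid(byte[] raw)
    {
        for (int i = 0; i + UidOidDer.Length <= raw.Length; i++)
        {
            bool match = true;
            for (int j = 0; j < UidOidDer.Length && match; j++)
                match = raw[i + j] == UidOidDer[j];
            if (match) return true;
        }
        return false;
    }

    static void Main()
    {
        string[] candidates =
        {
            "cn=first.last, ou=users, o=ourorg",                   // worked before the reorganization
            "uid=first.last, ou=users, o=ourorg",                  // the failing form from the question
            "OID." + UidOid + "=first.last, ou=users, o=ourorg",   // same attribute, keyed by OID (assumed accepted)
        };

        foreach (string dn in candidates)
        {
            if (TryParse(dn, out X500DistinguishedName xdn, out string error))
            {
                Console.WriteLine("OK   {0}", dn);
                Console.WriteLine("     decoded : {0}", xdn.Decode(X500DistinguishedNameFlags.UseCommas));
                Console.WriteLine("     has uid : {0}", ContainsUidOid(xdn.RawData));
            }
            else
            {
                Console.WriteLine("FAIL {0}", dn);
                Console.WriteLine("     error   : {0}", error);
            }
        }
    }
}
```

    The RawData check matters more than the decoded string: if a runtime accepts the OID-keyed form but re-labels it on output, the bytes still show whether the name that will be compared against certificates carries the uid attribute type the directory uses.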

Answers

  • Hello Daren Stonesifer,

    >> The documentation on CertStrToName clearly does not include UID in the list of possible keys. We feel this is a bug/fault/deficiency of .net since UID is clearly a legitimate RDN key.

    It is not clear why the UID attribute is not included in the list. For this issue, I suggest you ask in the Windows desktop security forum:

    https://social.msdn.microsoft.com/Forums/windowsdesktop/en-US/home?forum=windowssecurity

    To confirm whether there is any reason for excluding UID: the forum you posted to is for the .NET API; however, as we can see, the exception seems to be a limit of the Windows API.

    Regards.



    Friday, June 19, 2015 6:52 AM
    Moderator