Unable to establish secure connection with the server, when using LDAP

  • Question

  • User-540818677 posted

    I am working on an ASP.NET MVC web application, and I have added the following provider to my ASP.NET web.config file, to be able to authenticate users against a remote AD that belongs to a different domain:-

    <system.web>
        <membership>
          <providers>
            <add name="TestDomain1ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,Version=4.0.0.0" connectionStringName="TestDomain1ConnectionString" connectionUsername="******\******" connectionPassword="******" />
          </providers>
        </membership>
    </system.web>

    <connectionStrings>
        <add name="TestDomain1ConnectionString" connectionString="LDAP://***.***.***.***.******.***/CN=***,DC=******,DC=******" />
    </connectionStrings>

    but when the users try to access the application and they enter username and password, this will raise the following exception:-

    System.Configuration.ConfigurationErrorsException was unhandled by user code
      HResult=-2146232062
      Message=Unable to establish secure connection with the server (C:\Users\john.john\Desktop\test login\TMS\TMS\web.config line 39)
      Source=System.Web
      BareMessage=Unable to establish secure connection with the server
      Filename=C:\Users\john.john\Desktop\test login\TMS\TMS\web.config
      Line=39
      StackTrace:
           at System.Web.Security.Membership.Initialize()
           at System.Web.Security.Membership.get_Providers()
      InnerException: System.Configuration.Provider.ProviderException
           HResult=-2146233088
           Message=Unable to establish secure connection with the server
           Source=System.Web
           StackTrace:
                at System.Web.Security.DirectoryInformation..ctor(String adspath, NetworkCredential credentials, String connProtection, Int32 clientSearchTimeout, Int32 serverSearchTimeout, Boolean enablePasswordReset)
                at System.Web.Security.ActiveDirectoryMembershipProvider.Initialize(String name, NameValueCollection config)
                at System.Web.Configuration.ProvidersHelper.InstantiateProvider(ProviderSettings providerSettings, Type providerType)
           InnerException: System.Runtime.InteropServices.COMException
                HResult=-2147016646
                Message=The server is not operational.
                Source=System.DirectoryServices
                ErrorCode=-2147016646
                StackTrace:
                     at System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail)
                     at System.DirectoryServices.DirectoryEntry.Bind()
                     at System.DirectoryServices.DirectoryEntry.RefreshCache()
                     at System.Web.Security.DirectoryInformation..ctor(String adspath, NetworkCredential credentials, String connProtection, Int32 clientSearchTimeout, Int32 serverSearchTimeout, Boolean enablePasswordReset)
                InnerException: 

    So what might be the problem?

    Second question: is it right to include the AD server IP address inside the connection string as I am doing?

    Sunday, January 19, 2014 10:08 PM
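    The following is an added diagnostic, not code from the original post. It performs the bind that ActiveDirectoryMembershipProvider performs when it initializes with connectionProtection="Secure" (the default): first over SSL, then with signing and sealing, and it prints the COM error of each attempt. Run with the values from web.config, it separates the "server is not operational" error in the stack trace above (HRESULT 0x8007203A, ERROR_DS_SERVER_DOWN, which is about the host part of the LDAP path) from a rejected service account (0x8007052E, ERROR_LOGON_FAILURE). Host, container and account name are placeholders and the password is read from an environment variable. It deliberately never falls back to an unprotected bind: that is what connectionProtection="None" does, and without SSL or signing and sealing the LDAP traffic, including every user's login attempt, crosses the network unprotected.

```csharp
// Added diagnostic, not part of the original post. Performs the bind the
// provider performs in Initialize() for connectionProtection="Secure", in the
// same order (SSL, then sign-and-seal), and prints the COM error of each attempt.
// Host, container and account are placeholders; the password comes from the
// AD_BIND_PW environment variable so it is never written into source.
using System;
using System.Collections.Generic;
using System.DirectoryServices;
using System.Runtime.InteropServices;

static class AdBindCheck
{
    // Plain (AuthenticationTypes.None) is deliberately absent: a bind without
    // SSL or signing and sealing puts the exchange on the wire unprotected.
    static readonly KeyValuePair<string, AuthenticationTypes>[] Attempts =
    {
        new KeyValuePair<string, AuthenticationTypes>("SSL",
            AuthenticationTypes.Secure | AuthenticationTypes.SecureSocketsLayer),
        new KeyValuePair<string, AuthenticationTypes>("sign+seal",
            AuthenticationTypes.Secure | AuthenticationTypes.Signing | AuthenticationTypes.Sealing),
    };

    // Returns the label of the first authentication mode that binds, or null if none does.
    public static string TryBind(string ldapPath, string user, string password)
    {
        foreach (var attempt in Attempts)
        {
            try
            {
                using (var entry = new DirectoryEntry(ldapPath, user, password, attempt.Value))
                {
                    entry.RefreshCache();   // forces the bind, like the provider's own RefreshCache() call
                    Console.WriteLine("{0}: bound to {1}", attempt.Key, entry.Properties["distinguishedName"].Value);
                    return attempt.Key;
                }
            }
            catch (COMException ex)
            {
                // 0x8007203A ERROR_DS_SERVER_DOWN ("The server is not operational"): the host part of
                //            the path does not resolve, is unreachable, or is not listening on that port.
                // 0x8007052E ERROR_LOGON_FAILURE: host reached, connectionUsername/connectionPassword rejected.
                Console.WriteLine("{0}: 0x{1:X8} {2}", attempt.Key, ex.ErrorCode, ex.Message.Trim());
            }
        }
        return null;
    }

    static void Main()
    {
        // Placeholders: substitute the connectionString and connectionUsername from web.config.
        string path = "LDAP://dc1.example.com/OU=Staff,DC=example,DC=com";
        string user = @"EXAMPLE\svc-web";     // DOMAIN\user, the form the provider examples use
        string pass = Environment.GetEnvironmentVariable("AD_BIND_PW");

        string mode = TryBind(path, user, pass);
        Console.WriteLine(mode != null
            ? "Secure bind works via " + mode + "; the provider will initialize with this path."
            : "No secure bind succeeded; fix the path or the DC's LDAP/SSL setup rather than setting connectionProtection=\"None\".");
    }
}
```

    If the SSL attempt reports 0x8007203A but sign+seal binds, the domain controller simply has no LDAPS listener, which the provider tolerates; if both report 0x8007203A, the problem is the host in the connection string, not the credentials.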

All replies

  • User1508394307 posted

    is it right to include the AD server IP address inside the connection string

    I think it is the reason for the issue.

    The connection string has either the format "LDAP://domain.com", "LDAP://dc.domain.com", or "LDAP://xxx.xxx.xxx.xxx". Contact your IT guys to verify the string, or use some tools, like LDAP Browser, where you can check the connection string as well as credentials and much more.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, January 20, 2014 2:13 AM
  • User-540818677 posted

    smirnov

    I think it is the reason for the issue.

    The connection string has either the format "LDAP://domain.com", "LDAP://dc.domain.com", or "LDAP://xxx.xxx.xxx.xxx". Contact your IT guys to verify the string, or use some tools, like LDAP Browser, where you can check the connection string as well as credentials and much more.

    Thanks a lot. I changed my settings to be:-

    <system.web>
        <trust level="Full" originUrl="" />
        <membership>
          <providers>
            <add name="TestDomain1ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider,System.Web, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a,Version=4.0.0.0" connectionStringName="TestDomain1ConnectionString" connectionUsername="******" connectionPassword="******" />
          </providers>
        </membership>
    </system.web>

    and

    <connectionStrings>
        <add name="TestDomain1ConnectionString" connectionString="LDAP://******.******,DC=******" />
    </connectionStrings>

    but currently the following check (`if (domainProvider.ValidateUser(model.UserName, model.Password))`) inside the Account controller action method will return "The user name or password provided is incorrect":-

    [HttpPost]
    [AllowAnonymous]
    [ValidateAntiForgeryToken]
    public ActionResult Login(LoginModel model, string returnUrl)
    {
        // Use the AD provider registered in web.config, not the default Membership.Provider.
        MembershipProvider domainProvider = Membership.Providers["TestDomain1ADMembershipProvider"];

        // Validate the user with the membership system.
        if (domainProvider.ValidateUser(model.UserName, model.Password))
        {
            //code goes here
        }
        else
        {
            ModelState.AddModelError("", "The user name or password provided is incorrect.");
            return View(model);
        }
    }

    Can you advise why the validation will always fail?

    Thanks

    Monday, January 20, 2014 5:38 AM
  • User1508394307 posted

    1) Did you try to use 

    connectionUsername="domain\******" 

    in the provider string? According to the examples at http://msdn.microsoft.com/en-us/library/ff650307.aspx it must include the domain name.

    Also, note that in 

    connectionString="LDAP://******/OU=***,DC=domain,DC=******" 

    you have a typo.

    2) It might be that you need to supply username in the format of user@domain

    See this thread http://forums.asp.net/t/1475699.aspx?How+to+create+a+flipcart+like+panel+for+showing+products+in+gridview 

    Monday, January 20, 2014 6:19 AM
  • User-540818677 posted

    smirnov

    1) Did you try to use 

    connectionUsername="domain\******" 

    in the provider string? According to the examples at http://msdn.microsoft.com/en-us/library/ff650307.aspx it must include the domain name.

    Also, note that in 

    connectionString="LDAP://******/OU=***,DC=domain,DC=******" 

    you have a typo.

    2) It might be that you need to supply username in the format of user@domain

    See this thread http://forums.asp.net/t/1475699.aspx?How+to+create+a+flipcart+like+panel+for+showing+products+in+gridview 

    Not sure why my previous settings did not work, but I have updated my web.config as follows; mainly I added attributeMapUsername="sAMAccountName" and I removed the version and public key token:-

    <membership>
      <providers>
        <add name="TestDomain1ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="TestDomain1ConnectionString" connectionUsername="...." connectionPassword="....." attributeMapUsername="sAMAccountName"/>
      </providers>
    </membership>

    <!-- code goes here -->

    <connectionStrings>
        <add name="TestDomain1ConnectionString" connectionString="LDAP://******/OU=***,DC=******,DC=******" />
    </connectionStrings>

    and now I can connect to AD successfully, but I do not know exactly why.

    Monday, January 20, 2014 12:39 PM
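    As an added example (not code from the post above), here are the two steps ValidateUser performs in outline, written out with System.DirectoryServices so the effect of attributeMapUsername is visible: the submitted name is matched against the mapped attribute under the container named in the connection string, and only the account found that way is then authenticated with the submitted password. With the default mapping the search is on userPrincipalName, so a user who types a plain logon name (a sAMAccountName) matches no object and validation fails before any bind; mapping sAMAccountName makes that form of name match, which is what changed in the config above. Server, container, service account and user names are placeholders, and the example assumes every account in the container has a userPrincipalName set. The filter value is escaped because the login form is untrusted input; the provider does that for you, but a hand-written search has to do it itself.

```csharp
// Added example, not code from the original post. Does by hand what the
// provider's ValidateUser does in outline: find the one account whose mapped
// attribute equals the submitted name under the configured container, then
// authenticate as that account. Server, container and service account are
// placeholders; the attribute is a parameter so attributeMapUsername's effect shows.
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;

static class AdLogin
{
    const AuthenticationTypes Secure =
        AuthenticationTypes.Secure | AuthenticationTypes.Signing | AuthenticationTypes.Sealing;

    // RFC 4515 escaping. The login form is attacker-controlled input; without
    // this, a name such as "*)(objectClass=*" rewrites the filter's meaning.
    public static string EscapeFilterValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        foreach (char c in value)
        {
            switch (c)
            {
                case '\\': sb.Append("\\5c"); break;
                case '*':  sb.Append("\\2a"); break;
                case '(':  sb.Append("\\28"); break;
                case ')':  sb.Append("\\29"); break;
                case '\0': sb.Append("\\00"); break;
                default:   sb.Append(c);      break;
            }
        }
        return sb.ToString();
    }

    // attribute is "userPrincipalName" (the provider's default) or "sAMAccountName".
    // With the default, a user who types "jsmith" instead of "jsmith@example.com"
    // matches no object and the method returns false before any password is tried.
    public static bool ValidateUser(string server, string containerDn,
                                    string svcUser, string svcPass,
                                    string attribute, string userName, string password)
    {
        string containerPath = "LDAP://" + server + "/" + containerDn;
        string upn;

        // Step 1: resolve the submitted name through the mapped attribute, as the service account.
        using (var root = new DirectoryEntry(containerPath, svcUser, svcPass, Secure))
        using (var search = new DirectorySearcher(root))
        {
            search.Filter = string.Format("(&(objectClass=user)(objectCategory=person)({0}={1}))",
                                          attribute, EscapeFilterValue(userName));
            search.PropertiesToLoad.Add("userPrincipalName");
            SearchResult hit = search.FindOne();
            if (hit == null || hit.Properties["userPrincipalName"].Count == 0)
                return false;                       // no account with that name under the container
            upn = (string)hit.Properties["userPrincipalName"][0];
        }

        // Step 2: bind as that account with the submitted password. Using the UPN read
        // from the directory (assumed to be set on every account) keeps the submitted
        // string out of the credential entirely.
        try
        {
            using (var asUser = new DirectoryEntry(containerPath, upn, password, Secure))
            {
                asUser.RefreshCache();              // forces the bind
                return true;
            }
        }
        catch (COMException ex)
        {
            // 0x8007052E ERROR_LOGON_FAILURE: the password does not match.
            if (ex.ErrorCode == unchecked((int)0x8007052E)) return false;
            throw;                                  // anything else is an infrastructure fault, not "bad password"
        }
    }

    static void Main()
    {
        bool ok = ValidateUser("dc1.example.com", "OU=Staff,DC=example,DC=com",
                               @"EXAMPLE\svc-web", Environment.GetEnvironmentVariable("AD_BIND_PW"),
                               "sAMAccountName", "jsmith", "password-from-form");
        Console.WriteLine(ok ? "valid" : "invalid");
    }
}
```

    Calling ValidateUser with "userPrincipalName" and the same "jsmith" input returns false at step 1, which is the "user name or password provided is incorrect" result seen with the earlier configuration; the password is only ever presented to the directory after a single account has been found.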
  • User1508394307 posted

    The ActiveDirectoryMembershipProvider class does not explicitly check that provider attributes are not mapped to core attributes of the user object in the directory. You must ensure that sensitive information from the directory is not exposed through mapped attributes. 

    Username is either userPrincipalName (which is default) or sAMAccountName

    http://msdn.microsoft.com/en-us/library/system.web.security.activedirectorymembershipprovider.aspx 

    Also take a look here if you have further issues with ValidateUser

    http://msdn.microsoft.com/en-us/library/ff648345.aspx 

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Monday, January 20, 2014 2:00 PM
  • User-540818677 posted

     You must ensure that sensitive information from the directory is not exposed through mapped attributes. 

    Username is either userPrincipalName (which is default) or sAMAccountName

    So do you mean that my current approach is not secure? Can you advise, please?

    Monday, January 20, 2014 7:39 PM
  • User-1454326058 posted

    Hi johnjohn,

    johnjohn123123

    so do u mean that my current apprach is not secure ? can you advice please?

    In my opinion, others can replace the original dll and run the application correctly if we don’t specify more information to verify it, such as the Token Key.

    There is a link about strong name that may benefit you:

    # Strong-Named Assemblies

    http://msdn.microsoft.com/en-us/library/wd40t7ad(v=vs.110).aspx

    Thanks

    Best Regards  

    Tuesday, January 21, 2014 9:46 PM
  • User-540818677 posted

    Starain chen - MSFT

    In my opinion, others can replace the original dll and run the application correctly if we don’t specify more information to verify it, such as the Token Key.

    Thanks for the reply. Can you please explain this in more detail? Are you saying that my current connection string can expose sensitive data and that it is not the right way to provide a connection string, which is:-

    <membership>
      <providers>
        <add name="TestDomain1ADMembershipProvider" type="System.Web.Security.ActiveDirectoryMembershipProvider" connectionStringName="TestDomain1ConnectionString" connectionUsername="...." connectionPassword="....." attributeMapUsername="sAMAccountName"/>
      </providers>
    </membership>

    <!-- code goes here -->

    <connectionStrings>
        <add name="TestDomain1ConnectionString" connectionString="LDAP://******/OU=***,DC=******,DC=******" />
    </connectionStrings>

    Wednesday, January 22, 2014 5:28 AM
  • User-1454326058 posted

    Hi johnjohn,

    are you saying that my current connection string can expose sensitive data and it is not the right way to provide a connection string

    No, it won't expose the sensitive data to others who do not have your project.

    You should encrypt the sensitive data (e.g. the connection string) if others can get your project.

    About encrypting configuration information, please refer to:

     # Encrypting Configuration Information Using Protected Configuration

    http://msdn.microsoft.com/library/dtkwfdky.aspx

    What I mean is we can specify the specific information of dll files which are used to check these files during the runtime.

    As we know, the dll files can be decompiled via some tools, such as Reflector. So, if you create a library project and reference that dll file in your project, then others can decompile that dll and modify the code. After that, they can replace the original dll file with the modified dll file. If you added a strong name to your dll, the application won't work if the modified dll file has a different strong name or no strong name.

    Thanks

    Best Regards  

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, January 22, 2014 8:59 PM
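    As an added example (not the reply's own code), the protected-configuration step applied programmatically rather than with aspnet_regiis: it encrypts the two sections that carry the AD service-account credentials (connectionUsername and connectionPassword live in system.web/membership, the LDAP path in connectionStrings) and reads them back to confirm the clear text is gone from disk. The physical path is a placeholder; the program needs references to System.Configuration and System.Web, and it must run on the web server itself, because DataProtectionConfigurationProvider keys the encryption to that machine.

```csharp
// Added example, not from the original reply. Encrypts the web.config sections
// that hold the AD service-account credentials with the machine-scoped DPAPI
// provider and verifies the result. The physical path is a placeholder; run
// once, as an administrator, on the server that hosts the site.
using System;
using System.Configuration;
using System.Web.Configuration;

static class ProtectAdConfig
{
    // Both sections carry secrets: membership has connectionUsername/connectionPassword,
    // connectionStrings has the LDAP path (and, for SQL providers, the full credentials).
    public static readonly string[] Sections = { "connectionStrings", "system.web/membership" };

    static Configuration Open(string siteRoot)
    {
        // Open the site's web.config by physical path, so this works without IIS metadata.
        var map = new WebConfigurationFileMap();
        map.VirtualDirectories.Add("/", new VirtualDirectoryMapping(siteRoot, true));
        return WebConfigurationManager.OpenMappedWebConfiguration(map, "/");
    }

    // Encrypts every listed section that is still in clear text; returns how many changed.
    // DPAPI in machine scope can only be decrypted on this machine; for a web farm use
    // RsaProtectedConfigurationProvider with the key container exported to each node.
    public static int Protect(string siteRoot, string provider)
    {
        Configuration config = Open(siteRoot);
        int changed = 0;
        foreach (string name in Sections)
        {
            ConfigurationSection section = config.GetSection(name);
            if (section == null || section.SectionInformation.IsProtected) continue;
            section.SectionInformation.ProtectSection(provider);
            section.SectionInformation.ForceSave = true;
            changed++;
        }
        if (changed > 0) config.Save(ConfigurationSaveMode.Modified);
        return changed;
    }

    // Confirms the clear-text values are gone from disk: an encrypted section reads back
    // with IsProtected == true, while the ASP.NET runtime still decrypts it transparently.
    public static bool IsProtected(string siteRoot, string sectionName)
    {
        ConfigurationSection section = Open(siteRoot).GetSection(sectionName);
        return section != null && section.SectionInformation.IsProtected;
    }

    static void Main()
    {
        string root = @"C:\inetpub\wwwroot\TMS";   // placeholder physical path of the site
        Console.WriteLine("{0} section(s) encrypted", Protect(root, "DataProtectionConfigurationProvider"));
        foreach (string s in Sections)
            Console.WriteLine("{0}: protected={1}", s, IsProtected(root, s));
    }
}
```

    The command-line equivalent is `aspnet_regiis -pef "connectionStrings" C:\inetpub\wwwroot\TMS` followed by the same with `system.web/membership`. Be clear about what this protects: with the provider's default machine-scope DPAPI, any process on that server can decrypt the section, so it guards against the file being copied off the box (backups, source control, a deployment package), not against an attacker who already runs code there. Keep the service account itself low-privilege, since its password is recoverable by anyone with that level of access.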