Connect to LDAP using C# and TLSv1.2

I want to query ActiveDirectory using LDAP over TLSv1.2 with the .NET Framework 4.5.2 or 4.6.2 (but I have problems with both). The problem is that it keeps trying to use TLSv1.0, even though I set "ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12".

Is "System.DirectoryServices.Protocols" a package that I can use to query LDAP over TLSv1.2? If so, how do I enable this version of TLS?

Ultimately I want to do this from a Web API 2 controller, but as a simple test that reproduces the problem I have the following console application:

using System;
using System.Diagnostics;
using System.DirectoryServices.Protocols;
using System.Net;

namespace Ldap
{
    class Program
    {
        private const string ldapHost = "169.254.212.120";
        private const int ldapPort = 30389; // normally just 389
        private const int ldapSslPort = 30636; // normally just 636
        private const bool sslEnabled = true;
        private const string userBaseDistinguishedName = "dc=example,dc=org";
        private const string bindUserCommonName = "admin";
        private const string bindUserDistinguishedName = "cn=admin,dc=example,dc=org";
        private const string bindUserPassword = "admin";

        static void Main(string[] args)
        {
            ServicePointManager.SecurityProtocol = SecurityProtocolType.Tls12;

            using (LdapConnection connection = CreateConnection())
            {
                try
                {
                    connection.Bind();
                }
                catch (Exception e)
                {
                    Debug.WriteLine(e.Message);
                }
            }
        }

        private static LdapConnection CreateConnection()
        {
            var directoryIdentifier = new LdapDirectoryIdentifier(ldapHost,
                sslEnabled ? ldapSslPort : ldapPort, true, false);

            var credential = new NetworkCredential(bindUserDistinguishedName, bindUserPassword);

            var conn = new LdapConnection(directoryIdentifier, credential, AuthType.Basic);

            conn.SessionOptions.SecureSocketLayer = sslEnabled;
            conn.SessionOptions.ProtocolVersion = 3; // Use LDAPv3 (otherwise it appears to default to LDAPv2)

            return conn;
        }
    }
}

The test server is OpenLDAP (hence the non-standard ports 30389 and 30636), but the target is ActiveDirectory.

The LDAP server is started with (Docker 17.06 CE):

docker run --name test_ldap -p 0.0.0.0:30636:636 -p 0.0.0.0:30389:389 --env LDAP_TLS_CIPHER_SUITE="SECURE256:+SECURE128:-VERS-TLS-ALL:+VERS-TLS1.2:-RSA:-DHE-DSS:-CAMELLIA-128-CBC:-CAMELLIA-256-CBC" --env LDAP_TLS_VERIFY_CLIENT="allow" --hostname example.org --detach osixia/openldap:1.1.7

Wireshark: looking at the traffic in Wireshark, the "Client Hello" shows "TLS 1.0 (0x0301)".

The LDAP server log shows:

59810624 conn=1002 fd=16 ACCEPT from IP=172.17.0.1:44606 (IP=0.0.0.0:636)
TLS: can't accept: An unknown public key algorithm was encountered..
59810624 conn=1002 fd=16 closed (TLS negotiation failure)

Enable TLS 1.2 for the Schannel client with this PowerShell script:

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'Enabled' -value '1' -PropertyType 'DWord' -Force | Out-Null
New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client' -name 'DisabledByDefault' -value 0 -PropertyType 'DWord' -Force | Out-Null

Reference: https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/operations/manage-ssl-protocols-in-ad-fs

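The following is an added example; it is not code from the question or the answer above. It ties the two together: System.DirectoryServices.Protocols goes through wldap32.dll, which asks Schannel directly, so ServicePointManager.SecurityProtocol (a System.Net setting) has no effect on it and the client protocol version comes from the Schannel registry keys shown in the answer. Rather than reading the version off a Wireshark capture (where the record-layer "TLS 1.0 (0x0301)" on a Client Hello is normal even for a TLS 1.2 handshake; the handshake version field is the one that matters), the program reads back what Schannel actually negotiated from SessionOptions.SslInformation after the bind. It also installs a server-certificate callback that validates the chain and pins the host name, because installing any callback replaces the default check. Assumptions: the host name example.org, port 30636, bind DN and password are the lab values from the question; the SP_PROT_* bit values are the schannel.h constants, needed because the S.DS.P SecurityProtocol enum has no names for TLS 1.1 and 1.2; the server certificate must be issued by a CA present in the Windows trust store.

```csharp
// Added example (not from the question or the answer above): LDAPS bind with
// System.DirectoryServices.Protocols, a real server-certificate check, and a
// read-back of the TLS version Schannel actually negotiated.
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

namespace LdapTls12Check
{
    static class Program
    {
        // Assumed lab values, copied from the question's OpenLDAP container.
        // A host name (not an IP) is used so it can be matched against the certificate.
        private const string LdapHost = "example.org";
        private const int LdapsPort = 30636;
        private const string BindDn = "cn=admin,dc=example,dc=org";
        private const string BindPassword = "admin";

        // Schannel protocol bits (schannel.h SP_PROT_*_CLIENT constants, assumed here).
        // The S.DS.P SecurityProtocol enum stops at Tls1Client, so TLS 1.1/1.2 arrive as raw bits.
        private const int SpProtTls10Client = 0x0080;
        private const int SpProtTls11Client = 0x0200;
        private const int SpProtTls12Client = 0x0800;

        static int Main()
        {
            // ServicePointManager.SecurityProtocol only governs System.Net callers
            // (HttpWebRequest, SslStream). LdapConnection uses wldap32.dll, which talks to
            // Schannel directly, so the client TLS version is whatever the Schannel registry
            // settings (HKLM:\...\SCHANNEL\Protocols\TLS 1.2\Client) allow.
            var identifier = new LdapDirectoryIdentifier(LdapHost, LdapsPort, true, false);
            var credential = new NetworkCredential(BindDn, BindPassword);

            using (var conn = new LdapConnection(identifier, credential, AuthType.Basic))
            {
                conn.SessionOptions.ProtocolVersion = 3;
                // LDAPS: TLS is established before the simple bind sends the password.
                conn.SessionOptions.SecureSocketLayer = true;
                conn.SessionOptions.VerifyServerCertificate = VerifyServerCertificate;
                conn.Timeout = TimeSpan.FromSeconds(10);

                try
                {
                    conn.Bind();
                }
                catch (LdapException ex)
                {
                    Console.Error.WriteLine("Bind failed: {0} (code {1}) {2}",
                        ex.Message, ex.ErrorCode, ex.ServerErrorMessage);
                    return 1;
                }

                var ssl = conn.SessionOptions.SslInformation;
                string negotiated = DescribeProtocol((int)ssl.Protocol);
                Console.WriteLine("Negotiated: {0}, cipher {1} ({2} bit), key exchange {3}",
                    negotiated, ssl.AlgorithmIdentifier, ssl.CipherStrength, ssl.KeyExchangeAlgorithm);
                return negotiated == "TLS 1.2" ? 0 : 2;
            }
        }

        // Maps the Schannel protocol bits to a label; anything unrecognised is reported raw.
        static string DescribeProtocol(int protocol)
        {
            if ((protocol & SpProtTls12Client) != 0) return "TLS 1.2";
            if ((protocol & SpProtTls11Client) != 0) return "TLS 1.1";
            if ((protocol & SpProtTls10Client) != 0) return "TLS 1.0";
            return string.Format("0x{0:X}", protocol);
        }

        // Installing a callback replaces the default check, so it has to build the chain
        // and pin the host name itself. Returning true unconditionally would accept any cert.
        static bool VerifyServerCertificate(LdapConnection connection, X509Certificate certificate)
        {
            var cert = new X509Certificate2(certificate);
            var chain = new X509Chain(); // default policy: trusted roots, online revocation check
            if (!chain.Build(cert))
            {
                foreach (X509ChainStatus s in chain.ChainStatus)
                    Console.Error.WriteLine("Chain error: {0} {1}", s.Status, s.StatusInformation.Trim());
                return false;
            }
            // GetNameInfo returns the first SAN DNS entry, or the subject CN if there is none.
            string dnsName = cert.GetNameInfo(X509NameType.DnsName, false);
            if (!string.Equals(dnsName, LdapHost, StringComparison.OrdinalIgnoreCase))
            {
                Console.Error.WriteLine("Certificate is for '{0}', expected '{1}'", dnsName, LdapHost);
                return false;
            }
            return true;
        }
    }
}
```

Run it once before and once after applying the registry script from the answer (a reboot, or at least a restart of the process, is needed for Schannel to pick up the change): the exit code is 0 only when Schannel reports TLS 1.2, so the same binary doubles as a check that the client-side fix took effect. Against the OpenLDAP container in the question the callback will reject the default self-signed certificate unless its issuer has been imported into the Windows trust store; that is the intended behaviour, not something to bypass.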

Source: https://habr.com/ru/post/1682880/
