Before I start, I've already visited Unknown Error (0x80005000) with LDAPS Connection and changed my code and while it did solve the problem it seems that it has mysteriously come back.
Here's the good stuff:
public static bool Authenticate(string username, string password, string domain)
{
bool authentic = false;
try
{
LdapConnection con = new LdapConnection(
new LdapDirectoryIdentifier(Host, Port));
if (IsSSL)
{
con.SessionOptions.SecureSocketLayer = true;
con.SessionOptions.VerifyServerCertificate = ServerCallback;
}
con.Credential = new NetworkCredential(username, password);
con.AuthType = AuthType.Basic;
con.Bind();
authentic = true;
}
catch (LdapException)
{
return false;
}
catch (DirectoryServicesCOMException)
{ }
return authentic;
}
public static bool IsSSL
{
get
{
return ConnectionString.ToLower().Contains("ldaps");
}
}
public static string ConnectionString
{
get
{
if (string.IsNullOrEmpty(_connectionString))
_connectionString = CompleteConfiguration.GetLDAPConnectionString();
return _connectionString;
}
set { _connectionString = value; }
}
public static int Port
{
get
{
var x = new Uri(ConnectionString);
int port = 0;
if (x.Port != -1)
{
port = x.Port;
}
else
{
port = x.OriginalString.ToLower().Contains("ldaps")
? 636
: 389;
}
return port;
}
}
public static string Host
{
get
{
var x = new Uri(ConnectionString);
return x.Host;
}
}
private static bool ServerCallback(LdapConnection connection, X509Certificate certificate)
{
return true;
}
Here's the bad stuff: When I attempt to authenticate to the application I get the following error, to be precise this is triggered by the con.Bind() line:
[COMException (0x80005000): Unknown error (0x80005000)] System.DirectoryServices.DirectoryEntry.Bind(Boolean throwIfFail) +378094 System.DirectoryServices.DirectoryEntry.Bind() +36 System.DirectoryServices.DirectoryEntry.get_NativeObject() +31 Complete.Authentication.GCAuthentication.Authenticate(String username, String password, String domain) in c:\Builds\6\Idealink.Open.Pancanal\Panama Canal\Sources\Idealink.Open\Complete.Authentication\GCAuthentication.cs:27 Complete.Authentication.AuthenticationFactory.ValidateUserLdap(String username, String password, String domain, Boolean isValid, String usernameWithDomain) in c:\Builds\6\Idealink.Open.Pancanal\Panama Canal\Sources\Idealink.Open\Complete.Authentication\AuthenticationFactory.cs:93
It is quite confusing as it seems that some user accounts work and others don't. However when I place the above code in an isolated test environment it does succeed each and every time regardless of which account I use. When I place it back on the Windows 2008 R2 Server with ASP.NET and IIS it fails as stated above. The failures are consistent though - accounts consistently fail or succeed, from that perspective there is no randomness.
The LDAP Server must be accessed using LDAPS and NOT LDAP which is why we cannot use the DirectoryEntry object - the LDAP server is controlled by a client and therefore cannot be reconfigured or altered in any way. We simply want to capture username/password on a web form and then use BIND on the LDAP server to check credentials.
We are using .NET 3.5 and cannot upgrade at this time so I respectfully ask that if your main suggestion and arguments are to upgrade than please hold off on your contribution.
Thanks, hope you can help
Would something like this work for you..?
const string Domain = "ServerAddress:389";
const string constrParts = @"OU=Users,DC=domain,DC=com";
const string Username = @"karell";
PrincipalContext principalContext = new PrincipalContext(ContextType.Domain, Domain, constrParts);
UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(principalContext, username);
Here is a really good site for great references and examples DirectoryServices DirectoryEntry
for Connection over SSL you could do something like the following
const int ldapInvalidCredentialsError = 0x31;
const string server = "your_domain.com:636";
const string domain = "your_domain.com";
try
{
using (var ldapSSLConn = new LdapConnection(server))
{
var networkCredential = new NetworkCredential(username, password, domain);
ldapSSLConn.SessionOptions.SecureSocketLayer = true;
ldapSSLConn.AuthType = AuthType.Negotiate;
ldapSSLConn.Bind(networkCredential);
}
// If the bind succeeds, the credentials are valid
return true;
}
catch (LdapException ldapEx)
{
// Invalid credentials a specific error code
if (ldapEx.ErrorCode.Equals(ldapInvalidCredentialsError))
{
return false;
}
throw;
}