Invalid credentials connecting to AD/LDS with LdapConnection

I have an instance of AD/LDS running on my machine and I'm trying to connect to it using the System.DirectoryServices.Protocols.LdapConnection class. For some reason every time I call the Bind() method it throws an LdapException complaining about invalid credentials.

Here's the code I'm using to set up the connection:

using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

var ldapDirectoryIdentifier = new LdapDirectoryIdentifier(config.Server.Host, config.Server.Port);

// Credentials come from the <credentials> element of App.config
var creds = new NetworkCredential(config.Credentials.Username, config.Credentials.Password)
{
    Domain = config.Credentials.Domain
};

// Simple (Basic) bind using those credentials
ldapConnection = new LdapConnection(ldapDirectoryIdentifier, creds, AuthType.Basic);

X509Certificate cert = null;
if (config.Server.Secure)
{
    cert = new X509Certificate(config.Server.Certificate);
    ldapConnection.SessionOptions.SecureSocketLayer = true;
    // CheckCertificate is the application's own VerifyServerCertificateCallback
    ldapConnection.SessionOptions.VerifyServerCertificate = CheckCertificate;
}

ldapConnection.SessionOptions.ProtocolVersion = 3;

try
{
    ldapConnection.Bind();
}
catch (LdapException e)
{
    // Bind() throws here with "invalid credentials"
    Log.LogException(e);
    Environment.Exit(e.ErrorCode);
}

The configuration is coming from an App.config file as in the following example:

<server host="host" port="389"/>
<credentials username="username" password="password" domain="domain"/>
<usersearch base="ou=test,dc=test,dc=com" filter="(middlename=user)" objectclass="inetorgperson"/>
<devicesearch base="ou=test,dc=test,dc=com" filter="(sn=device)" objectclass="inetorgperson"/>

I've tried modifying the credentials part to get it connecting: setting username="DOMAIN\user", with and without the domain entry in credentials. I've tried messing with the connection strings, e.g. <server host="LDAP://host[:389]"/>. It just says the credentials, which I use to connect to the instance with both ADSI Edit and ldp, are invalid.

I CAN connect with the same domain credentials (local user account) using System.DirectoryServices.DirectoryEntry so I suspect it's the AD bit of AD/LDS being picky.

Anyone got any ideas?

2 answers

  • answered 2019-02-12 08:05 N.VIGNE

    It's probably on the session option. Try to force authentication type:

    ldapConnection.AuthType = AuthType.Negotiate;
    

    It may also be the way you handle the certificate. Try to add it this way:

    ldapConnection.ClientCertificates.Add(cert);
    

  • answered 2019-02-12 10:16 Chris Bond

    I went ahead and double-checked what AuthTypes were available, and setting it to Ntlm works.
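A bind helper that tries the authentication types from both answers in turn, pins the server certificate instead of accepting any, and surfaces the server's own error text alongside the result code. This is an added example, not code from the question or either answer; the host, port, thumbprint and account values are placeholders, and LdsBind, TryBind and ExpectedThumbprint are names chosen here.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;

// Added example, not code from the question or either answer. Host, port,
// thumbprint and account values are placeholders; LdsBind, TryBind and
// ExpectedThumbprint are hypothetical names.
static class LdsBind
{
    // Placeholder: thumbprint of the AD LDS instance's server certificate.
    const string ExpectedThumbprint = "PLACEHOLDER_THUMBPRINT";

    // One Bind() attempt with the given auth type. Returns true on success; on
    // failure prints the LDAP result code plus the server's message, which tells
    // a wrong password apart from an unsupported bind mechanism.
    public static bool TryBind(string host, int port, NetworkCredential creds,
                               AuthType authType, bool useSsl)
    {
        var id = new LdapDirectoryIdentifier(host, port);
        using (var conn = new LdapConnection(id, creds, authType))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            if (useSsl)
            {
                conn.SessionOptions.SecureSocketLayer = true;
                // Compare against the expected thumbprint, never "return true".
                conn.SessionOptions.VerifyServerCertificate = (c, cert) =>
                    string.Equals(cert.GetCertHashString(), ExpectedThumbprint,
                                  StringComparison.OrdinalIgnoreCase);
            }
            try { conn.Bind(); return true; }
            catch (LdapException e)
            {
                Console.Error.WriteLine(
                    $"{authType}: code {e.ErrorCode}, {e.Message} {e.ServerErrorMessage}");
                return false;
            }
        }
    }

    static void Main()
    {
        var creds = new NetworkCredential("username", "password", "MACHINE"); // placeholders
        // AuthType.Basic is a simple bind that sends the password in clear text
        // unless SSL is on, and it is what failed in the question, so it is skipped.
        foreach (var auth in new[] { AuthType.Negotiate, AuthType.Ntlm })
            if (TryBind("ldshost", 50636, creds, auth, useSsl: true))
            { Console.WriteLine($"Bound with {auth}"); return; }
        Console.WriteLine("All bind attempts failed");
    }
}
```

The ServerErrorMessage text is what ldp shows in its output window, so comparing it with a working ldp bind quickly narrows the fault to the mechanism rather than the password.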