What is LDAPS?
LDAP stands for Lightweight Directory Access Protocol. It is the protocol used to talk to Active Directory (AD).
Some people confuse to two and refer to AD as LDAP.
LDAPS is the LDAP protocol but with security similar to HTTP and HTTPS. an SSL certificate is used to encrypt the traffic flowing over the wire to the AD server. To get LDAPS to function the AD needs to be configured. A certificate needs to be generated and the secure port to be used needs to be opened on the firewall. LDAPS uses port 636 by default but this can be customized.
Once the AD server has been configured the client machine needs to make sure it receives the certificate. If the AD is on your network and your machine is authorizing against it, all you need to do is to sign out and in again. For machines not directly authorizing against the AD the certificate would need to be imported.
Some code
Below is a simple sample of how to instantiate the class that would be used to query AD.
a = new DirectoryEntry(connectionString, username, password, AuthenticationTypes.SecureSocketsLayer);
b = x.NativeObject;
The server is not operational
When working with C# and the DirectoryEntry it is common to get the following error. The error is encountered not on the instantiating of the class but as soon the class tries to bind to the AD. This error is caused if the DirectoryEntry class is not able to access the AD server using the SSL. Common problems to check.
- Is the port blocked by a firewall?
- Is the certificate on the client machine?
- Make sure the certificate is for the AD server your are trying to connect too.
- Before going further download the LDP utility from Microsoft and check if it can connect.
- If it can connect then it is most likely programming fault or a configuration fault.
- Check the configuration – check if the LDAPS connection string is formed correctly? This is usually where the problem lies.
- Make sure you use the FQDN of the AD server. It is not good enough to use only the machine name or its IP. It has to be the FQDN. Here is an example. LDAP://adserver.subdomain.domain:636
- Make sure you include the Port.
- Check the configuration – check if the LDAPS connection string is formed correctly? This is usually where the problem lies.
I hope this little bit of knowledge saves someone lots of hours of investigation.