Re: ASP.NET and SASL
- From: "Joe Kaplan \(MVP - ADSI\)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Fri, 6 Jan 2006 10:26:17 -0600
The only way to specify specific client certificates is with
System.DirectoryServices.Protocols. When you are using
System.DirectoryServices, the LDAP layer will simply try to find an
appropriate client certificate based on the certificates that the server
says that it trusts during the SSL/LDAP negotiation and send that
certificate.
Typically, the hard part of this is configuring the appropriate process
account so that the certificate is available with the private key. Normally
for ASP.NET apps, you need to add the certificate to the machine store and
make sure the private key is available with the certificate there and that
the account accessing it has rights to read the private key.
Before you even try to do this in a web application, why don't you try to
get it working in a console application first? That way you can install the
certificate into your local store and see if that works.
The only thing you would do from a code perspective is specify
AuthenticationTypes.SecureSocketsLayer in your DirectoryEntry constructor.
I'm not really sure what if anything you should specify for the username and
password though. I've never done client cert auth with LDAP, I've only
discussed it a bit with other experts.
Joe K.
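As an added illustration of the two points Joe makes (only System.DirectoryServices.Protocols lets you pick a specific client certificate, and the process account must be able to read the private key from the machine store), here is example code that is not part of this thread. It performs a SASL EXTERNAL bind over LDAPS with an explicitly chosen certificate. The host name, the base DN and the certificate thumbprint are constructed placeholders; the `LdapConnection`, `SessionOptions`, `AuthType.External`, `ClientCertificates` and `X509Store` members are the real .NET 2.0 APIs.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Security.Cryptography.X509Certificates;

// Example added for this thread, not code from the original posts.
// SASL EXTERNAL bind over LDAPS using System.DirectoryServices.Protocols,
// with the client certificate selected explicitly rather than left to the
// LDAP layer to guess.
class LdapClientCertBind
{
    // Constructed placeholders: replace with the real directory host and DN.
    const string LdapHost = "ldap.example.edu";
    const int LdapsPort = 636;
    const string BaseDn = "dc=example,dc=edu";
    // Placeholder thumbprint of the middleware client certificate.
    const string ClientCertThumbprint = "0000000000000000000000000000000000000000";

    static X509Certificate2 clientCert;

    // The certificate must sit in LocalMachine\My together with its private
    // key, and the ASP.NET process account needs read access to that key.
    static X509Certificate2 LoadClientCertificate(string thumbprint)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection matches =
                store.Certificates.Find(X509FindType.FindByThumbprint, thumbprint, true);
            if (matches.Count == 0)
                throw new InvalidOperationException("Client certificate not found in LocalMachine\\My.");
            X509Certificate2 cert = matches[0];
            // HasPrivateKey is false when the key was never imported or this
            // account lacks rights to it: the usual failure Joe describes.
            if (!cert.HasPrivateKey)
                throw new InvalidOperationException("Certificate found, but its private key is not readable by this account.");
            return cert;
        }
        finally
        {
            store.Close();
        }
    }

    // Validate the directory server's certificate against the machine's
    // trusted roots instead of blindly returning true.
    static bool VerifyServer(LdapConnection connection, X509Certificate serverCert)
    {
        X509Certificate2 cert = new X509Certificate2(serverCert);
        return cert.Verify();
    }

    // Called by the SSL layer when the server asks for a client certificate;
    // return the one we chose rather than letting it pick from the store.
    static X509Certificate QueryClientCert(LdapConnection connection, byte[][] trustedCAs)
    {
        return clientCert;
    }

    static LdapConnection Connect()
    {
        clientCert = LoadClientCertificate(ClientCertThumbprint);

        LdapConnection connection =
            new LdapConnection(new LdapDirectoryIdentifier(LdapHost, LdapsPort));
        connection.SessionOptions.ProtocolVersion = 3;
        connection.SessionOptions.SecureSocketLayer = true;
        connection.SessionOptions.VerifyServerCertificate =
            new VerifyServerCertificateCallback(VerifyServer);
        connection.ClientCertificates.Add(clientCert);
        connection.SessionOptions.QueryClientCertificate =
            new QueryClientCertificateCallback(QueryClientCert);

        // SASL EXTERNAL: the identity comes from the TLS client certificate,
        // so no user name or password is supplied to Bind().
        connection.AuthType = AuthType.External;
        connection.Bind();
        return connection;
    }

    static void Main()
    {
        using (LdapConnection connection = Connect())
        {
            SearchRequest request = new SearchRequest(
                BaseDn, "(uid=someuser)", SearchScope.Subtree, "mail");
            SearchResponse response = (SearchResponse)connection.SendRequest(request);
            foreach (SearchResultEntry entry in response.Entries)
                Console.WriteLine(entry.DistinguishedName);
        }
    }
}
```

Run it first from a console application under the same account the ASP.NET worker process will use: if `LoadClientCertificate` throws on `HasPrivateKey`, the store or key ACL is the problem, not the LDAP code. With plain System.DirectoryServices, the equivalent is a `DirectoryEntry` constructed with `AuthenticationTypes.SecureSocketsLayer`, but then the certificate choice is left to the LDAP layer, as Joe notes.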
"Amar" <Amar@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AD095B6A-976A-48D0-8B64-5449C2D79913@xxxxxxxxxxxxxxxx
> Hi,
> Thank you Joe.
> I am trying to accomplish the following:
> We have a central university LDAP server. My department has a webserver with IIS6/Windows 2003. We got 2 certificates from the university. One was an SSL Server certificate and another was a Middleware Client Certificate. My Sys Admin installed both of these on the webserver. We checked the box to make the site SSL encrypted too.
> Now, to fetch some important data from the university LDAP server, the middleware group say that my application (in this case ASP.NET) needs to support SSL or TLS with client certificates and should be able to somehow perform a SASL EXTERNAL Bind with the LDAP server. They have posted some examples in Java, Perl, Python. Please tell me if you want to read details about those; I can send you the link.
> Our major issue is:
> My Sys admin and I are doing this client certificate thing for the first time. So as per our thinking there has to be some way in the ASP.NET code that tells the application to use the particular client certificate (and the private key in it) while trying to connect to the LDAP server. We are not able to figure this out! If you can give us step-by-step instructions to achieve this we would appreciate it!
>
> Thanks in Advance!
>
> "Joe Kaplan (MVP - ADSI)" wrote:
>
>> If you are using VS 2003, you cannot dev for .NET 2.0 unfortunately. You would need a different tool to write .NET 2.0 code, although you can compile directly with the platform SDK.
>>
>> I say this is not related to ASP.NET as all of the functionality in question is in the System.DirectoryServices assembly and ADSI and Windows LDAP (and other lower layers like auth, network, DNS, etc.). ASP.NET apps can use LDAP, but they aren't really different from other .NET apps that might want to do so except that they have more complicated security scenarios in some cases.
>>
>> If you want to do client certificate authentication with LDAP, this is possible and supposedly works with ADSI (and thus System.DirectoryServices). I've never tested it though. You basically need to configure your DirectoryEntry objects to use AuthenticationTypes.SecureSocketsLayer and need to configure the ASP.NET account to have access to the client certificate and private key. The latter is the hard part. Note that you don't control the SASL stuff directly though with this. It is all done at a lower level.
>>
>> What are you specifically trying to accomplish? Do you need to use a special SASL provider with an LDAP bind or what?
>>
>> Joe K.
>>
>> "Amar" <Amar@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> news:F210AF1A-7C06-40E4-AB5B-077FAF4CFB51@xxxxxxxxxxxxxxxx
>> > Thanks again Joe.
>> > I am using .NET 1.1, since I am using Visual Studio 2003, and I don't know if it works for .NET 2.0.
>> > 1. Why do you say that none of this is related to ASP.NET?
>> > 2. Also, can you give me an example about "client certificate auth via SASL external" that you say is supported by System.DirectoryServices (ADSI-based LDAP)? Or point me towards links with the same?
>> > Thank you.
>> >
>> > "Joe Kaplan (MVP - ADSI)" wrote:
>> >
>> >> Have you looked at System.DirectoryServices.Protocols in .NET 2.0? All LDAP bind types supported by wldap32.dll are available there.
>> >>
>> >> System.DirectoryServices (ADSI-based LDAP) supports a smaller subset including Windows negotiate auth (GSS-SPNEGO SASL provider) and client certificate auth via SASL external.
>> >>
>> >> None of this is related to ASP.NET at all though.
>> >>
>> >> Joe K.
>> >>
>> >> "Amar" <Amar@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
>> >> news:FC208DCF-7924-4127-98DC-7B9C2BDEC545@xxxxxxxxxxxxxxxx
>> >> > Does ASP.NET support SASL EXTERNAL binds? Does ASP.NET support the LDAPv3 operations necessary to use an authorized Enterprise directory?
>> >> > If yes, then can you please provide me with some example or some useful links?
>> >> > Thanks in Advance!