
I have created an ASP.NET website that has to access Active Directory on another server and change users' passwords. The problem is that I need to authenticate with an existing AD account and I cannot send the AD user's password in plaintext when communicating with the Active Directory server. How do I communicate with the AD server from an ASP.NET website so that the connection is secure? My AD server supports the LDAP protocol, but I do not know how to enforce communication with LDAP via a secure channel.

ASP.NET Website --------------LDAP/another protocol (secure)------------> AD Server

Jonas Hoffmann

1 Answer


Fairly simple, you need to do two things:

  • Configure your Active Directory instance to accept connections over LDAPS, on port 636. You'll need a certificate (it can be self-signed) to set that up.
  • Update your LDAP authorization code to use the new connection. This shouldn't be anything more than changing the server to `ldaps://{{IP OR DNS}}` and ensuring you're setting `SessionOptions.SecureSocketLayer = true;`

If you want to verify that it's working properly, Wireshark the traffic leaving your ASP.Net site that's going over port 636, and you should notice it's now heavily encrypted, and impossible to discern anything meaningful from.

I've done a ton of this stuff over the years, so I've had a few other questions surrounding this that should also help you out:

Set callback for System.DirectoryServices.DirectoryEntry to handle self-signed SSL certificate? (This contains a full implementation of LDAPS)

Custom Multi-factor Active Directory Authentication (This is a much more simple example, but would work perfectly fine for your purposes)

X3074861X
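A minimal System.DirectoryServices.Protocols client for the setup the answer describes (LDAPS on 636, `SecureSocketLayer = true`, then a password write), as an added example that is not part of the original answer. The hostname, service account, user DN and pinned certificate thumbprint are placeholders; the callback is shown verifying the server certificate rather than accepting any certificate.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Added example, not code from the original answer. "dc01.example.internal",
// the service account and the thumbprint below are placeholders.
static class LdapsPasswordChanger
{
    const string Server = "dc01.example.internal";                 // placeholder DC
    const int LdapsPort = 636;                                      // LDAPS port
    const string PinnedThumbprint = "0000000000000000000000000000000000000000"; // placeholder

    public static LdapConnection Connect(NetworkCredential serviceAccount)
    {
        var id = new LdapDirectoryIdentifier(Server, LdapsPort,
            fullyQualifiedDnsHostName: true, connectionless: false);
        var conn = new LdapConnection(id, serviceAccount, AuthType.Negotiate);
        conn.SessionOptions.ProtocolVersion = 3;
        conn.SessionOptions.SecureSocketLayer = true;   // TLS from the first byte (LDAPS)
        // Check the DC's certificate: accept the pinned thumbprint (useful for a
        // self-signed cert) or a certificate that chains to a trusted CA.
        conn.SessionOptions.VerifyServerCertificate = (c, cert) =>
        {
            var x509 = new X509Certificate2(cert);
            return x509.Thumbprint.Equals(PinnedThumbprint, StringComparison.OrdinalIgnoreCase)
                   || x509.Verify();
        };
        conn.Bind();   // the service account's credentials now travel inside TLS
        return conn;
    }

    // Administrative reset of another user's password (Replace on unicodePwd).
    // AD expects the new password wrapped in double quotes and encoded as UTF-16LE,
    // and refuses the write unless the connection is encrypted, hence LDAPS.
    public static void ResetPassword(LdapConnection conn, string userDn, string newPassword)
    {
        byte[] pwd = Encoding.Unicode.GetBytes("\"" + newPassword + "\"");
        var mod = new DirectoryAttributeModification
        {
            Name = "unicodePwd",
            Operation = DirectoryAttributeOperation.Replace
        };
        mod.Add(pwd);
        conn.SendRequest(new ModifyRequest(userDn, mod));
    }

    static void Main()
    {
        var svc = new NetworkCredential("svc-pwreset", "<service-account-secret>", "EXAMPLE"); // placeholders
        using (var conn = Connect(svc))
            ResetPassword(conn, "CN=Jane Doe,OU=Staff,DC=example,DC=internal", "N3w-Passw0rd!");
    }
}
```

The service account only needs the delegated password permission on the target OU, which is what the comments below describe.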
  • No problem, let me know if you have any other questions. – X3074861X Mar 19 '15 at 19:01
  • Just a short one. Is it possible to register an AD user that can only change other people's passwords? Nothing else. – Jonas Hoffmann Mar 19 '15 at 19:02
  • Yes, absolutely. You need to assign the `Change Password` permission to the user, and also assign which groups that user would have the ability to change passwords for. This is typically done through the Delegation of Control Wizard. I could go into more detail but there are a ton of articles out there on the exact steps: http://www.howtogeek.com/50166/using-the-delegation-of-control-wizard-to-assign-permissions-in-server-2008/ http://www.windowsecurity.com/articles-tutorials/authentication_and_encryption/Implementing-Active-Directory-Delegation-Administration.html – X3074861X Mar 19 '15 at 19:27
  • Cool! Thank you again! I will try it out tomorrow and write you if there is something else I need to know :) – Jonas Hoffmann Mar 19 '15 at 22:11