Hello,
I have an ASP.NET MVC application running on an SSL-enabled website. I'm using AD authentication via PrincipalContext. Here is my code, and it works fine on the IIS server.
    // Plain (non-SSL) domain context; "xxx.xxx.xxx" is the domain / DC name
    PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain, "xxx.xxx.xxx", DomainContainer);
    bool isAuthenticated = false;
    UserPrincipal userPrincipal = null;
    try
    {
        isAuthenticated = oPrincipalContext.ValidateCredentials(username, password, ContextOptions.Negotiate);
        if (isAuthenticated)
        {
            userPrincipal = UserPrincipal.FindByIdentity(oPrincipalContext, username);
        }
    }
    catch (Exception)
    {
        isAuthenticated = false;
        userPrincipal = null;
    }
Now I'm being asked to do this AD authentication securely. So when I modified my code like this:
    // Same context, but pointed at the LDAPS port and with SecureSocketLayer requested
    PrincipalContext oPrincipalContext = new PrincipalContext(ContextType.Domain, "xxx.xxx.xxx:636", DomainContainer);
    bool isAuthenticated = false;
    UserPrincipal userPrincipal = null;
    try
    {
        isAuthenticated = oPrincipalContext.ValidateCredentials(username, password, ContextOptions.Negotiate | ContextOptions.SecureSocketLayer);
        if (isAuthenticated)
        {
            userPrincipal = UserPrincipal.FindByIdentity(oPrincipalContext, username);
        }
    }
    catch (Exception)
    {
        isAuthenticated = false;
        userPrincipal = null;
    }
AD authentication is not working. It is throwing an exception: System.DirectoryServices.Protocols.DirectoryOperationException: 'The server cannot handle directory requests.'
On IIS, I have tried using NetworkService and ApplicationPoolIdentity as Identities for Application Pool. Any idea what is causing this?
Thanks
Check that the LDAP server has a valid SSL certificate and that port 636 (LDAP + SSL) is open from the web server.
Note: if using self-signed certs, you will need to write custom SSL certificate validation code.
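The two checks in the answer above (is 636 reachable, and is the certificate actually valid), plus the "custom validation" it mentions, as an added C# example that is not code from this thread. It uses System.DirectoryServices.Protocols directly so that the TLS and bind failures PrincipalContext wraps in a generic exception surface with their own messages. The host name `dc01.example.com` and the pinned fingerprint set are assumptions you fill in; the callback accepts a self-signed certificate only when its SHA-256 fingerprint is pinned, and otherwise requires a trusted chain and a matching DNS name rather than returning `true` unconditionally.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example, not the question's code. Assumed values: the domain controller's FQDN and,
// only for a self-signed LDAPS certificate, the SHA-256 fingerprint of that exact certificate.
public static class LdapsCheck
{
    private const string LdapHost = "dc01.example.com"; // assumption: your DC's FQDN, as named in its certificate
    private const int LdapsPort = 636;

    // Assumption: fill with hex SHA-256 fingerprints of self-signed certs you deliberately trust; empty = none
    private static readonly HashSet<string> PinnedSha256 =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase);

    // Check 1: is TCP 636 reachable from the web server at all (LDAPS not enabled, or a firewall in between)?
    public static bool IsPortOpen(string host, int port, int timeoutMs = 5000)
    {
        try
        {
            using (var client = new TcpClient())
            {
                IAsyncResult ar = client.BeginConnect(host, port, null, null);
                if (!ar.AsyncWaitHandle.WaitOne(timeoutMs)) return false;
                client.EndConnect(ar);
                return true;
            }
        }
        catch (SocketException) { return false; }
    }

    // Check 2: the custom validation callback. A CA-issued cert must chain to a trusted root and
    // name the host; a self-signed cert is accepted only when its fingerprint is pinned above.
    public static bool ValidateServerCertificate(LdapConnection connection, X509Certificate certificate)
    {
        var cert = new X509Certificate2(certificate);

        string fingerprint;
        using (var sha256 = SHA256.Create())
            fingerprint = BitConverter.ToString(sha256.ComputeHash(cert.RawData)).Replace("-", "");

        if (PinnedSha256.Contains(fingerprint))
            return true; // explicitly pinned self-signed certificate

        using (var chain = new X509Chain())
        {
            chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
            if (!chain.Build(cert)) return false; // untrusted root, expired, revoked, ...
        }

        // GetNameInfo(DnsName) prefers the SAN dNSName and falls back to the subject CN
        string dnsName = cert.GetNameInfo(X509NameType.DnsName, false);
        return string.Equals(dnsName, LdapHost, StringComparison.OrdinalIgnoreCase);
    }

    // Check 3: an LDAPS bind whose failure reason is reported instead of swallowed.
    public static bool TryLdapsBind(string domain, string username, string password, out string error)
    {
        error = null;
        if (!IsPortOpen(LdapHost, LdapsPort))
        {
            error = $"TCP {LdapsPort} on {LdapHost} is not reachable: LDAPS is not listening or a firewall blocks it.";
            return false;
        }

        var id = new LdapDirectoryIdentifier(LdapHost, LdapsPort, fullyQualifiedDnsHostName: true, connectionless: false);
        using (var conn = new LdapConnection(id))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.SecureSocketLayer = true;
            conn.SessionOptions.VerifyServerCertificate = ValidateServerCertificate;
            conn.AuthType = AuthType.Negotiate;
            conn.Credential = new NetworkCredential(username, password, domain);
            try
            {
                conn.Bind(); // throws if the TLS handshake or the credentials fail
                return true;
            }
            catch (LdapException ex)
            {
                error = $"LDAP bind failed: {ex.Message} (error code {ex.ErrorCode})";
                return false;
            }
            catch (DirectoryOperationException ex)
            {
                error = $"Directory error: {ex.Message}";
                return false;
            }
        }
    }
}
```

Call `LdapsCheck.TryLdapsBind("xxx.xxx.xxx", username, password, out var why)` from the application pool identity that IIS actually runs under, since the chain check uses that account's trust store. A port failure points at the DC not offering LDAPS (or a firewall); a bind failure with a TLS message points at the certificate, which is where the self-signed case lands unless you pin it.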
Hi @Joe Green ,
Are you using AD LDS? From what I understand the server certificate needs to be associated with the AD instance. If your instance is called "MyAD" (or ActiveDirectoryWebService), you'll need to open the MMC, go to the "Certificates" module, select "Service Accounts" and select "MyAD" from the list. From there you can add the SSL certificate to the "MyAD" personal store, which finally starts the SSL processing. This is a Microsoft official article to troubleshoot LDAP over SSL connection problems, which may be helpful to you.
Best regards,
Yurong Dai