dotnet / runtime

.NET is a cross-platform runtime for cloud, mobile, desktop, and IoT apps.
https://docs.microsoft.com/dotnet/core/
MIT License

Trust self-signed certificates when using PrincipalContext and DirectoryEntry #106024

Open nickjmcclure opened 1 month ago

nickjmcclure commented 1 month ago

Problem

I have an application that is running on a server where I don’t have the ability to add certificates to the computer store. This application is performing various actions against Active Directory including searching and updating of properties using PrincipalContext and DirectoryEntry. Active Directory performs certificate renewal based on the internal CA root certificate. The server I'm running from is not a domain member, and it cannot be joined to the domain.

I can’t find where PrincipalContext and DirectoryEntry have any options for trusting certificates not in the computer store.

Question

Is there any way to add a self-signed root certificate to a runtime store that PrincipalContext and DirectoryEntry will honor? I know LdapConnection has a callback option that can be used for this, but it doesn't seem to be available to PrincipalContext or DirectoryEntry.

Sample Code

using System.DirectoryServices.AccountManagement;
// Connect to the domain over LDAPS (SecureSocketLayer) with Negotiate auth; the server certificate is issued by an internal CA that this host does not trust.
PrincipalContext pc = new(ContextType.Domain, "server.local", null, ContextOptions.Negotiate | ContextOptions.SecureSocketLayer, "someuser", "somepassword");
var user = UserPrincipal.FindByIdentity(pc, IdentityType.SamAccountName, "someotheruser");

returns the following error:

The server could not be contacted.
   at System.DirectoryServices.AccountManagement.PrincipalContext.ReadServerConfig(String serverName, ServerProperties& properties)
   at System.DirectoryServices.AccountManagement.PrincipalContext.DoServerVerifyAndPropRetrieval()
   at System.DirectoryServices.AccountManagement.PrincipalContext..ctor(ContextType contextType, String name, String container, ContextOptions options, String userName, String password)
dotnet-policy-service[bot] commented 1 month ago

Tagging subscribers to this area: @dotnet/area-system-directoryservices, @jay98014 See info in area-owners.md if you want to be subscribed.

ericstj commented 1 month ago

I assume this is on Windows since you mention AccountManagement.

I know S.DS.Protocols has https://learn.microsoft.com/en-us/dotnet/api/system.directoryservices.protocols.ldapsessionoptions.verifyservercertificate?view=net-8.0 which only works on Windows.

I'm not aware of any similar support in other DirectoryServices APIs, but @BRDPM @grubioe @jay98014 may know more as the System.DirectoryServices.AccountManagement owners.

nickjmcclure commented 1 month ago

@ericstj Yes, I'm running this on Windows. I've looked at modifying my process to use LdapConnection so I could take advantage of the callback you reference, and that is an option, just not the preferred one.
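The LdapConnection route ericstj points to, written out as an added example (not code from the issue or from dotnet/runtime): the VerifyServerCertificate callback trusts only the internal CA root loaded from a file and still checks the host name, rather than returning true for any certificate. The server name, the certificate path "internal-root.cer", the search base, and the credentials are assumed values; MatchesHostname requires .NET 8 or later.

```csharp
// Added example, not from the issue; "server.local", "internal-root.cer", the base DN and credentials are assumed.
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

static class LdapsWithCustomRoot
{
    // Accept the server certificate only if it chains to 'trustedRoot' and names the host we dialed.
    // Returning true unconditionally would silently accept any certificate, including an interposed one.
    static VerifyServerCertificateCallback MakeVerifier(X509Certificate2 trustedRoot, string expectedHost) =>
        (connection, certificate) =>
        {
            using var cert = new X509Certificate2(certificate);
            using var chain = new X509Chain();
            chain.ChainPolicy.TrustMode = X509ChainTrustMode.CustomRootTrust; // ignore the machine store entirely
            chain.ChainPolicy.CustomTrustStore.Add(trustedRoot);
            // Revocation checking keeps the default (online); relax it only if the internal CA's CRL is unreachable here.
            if (!chain.Build(cert))
            {
                foreach (var status in chain.ChainStatus)
                    Console.Error.WriteLine($"chain error: {status.Status}: {status.StatusInformation}");
                return false;
            }
            // X509Chain does not verify the host name, so check the SAN/CN ourselves.
            return cert.MatchesHostname(expectedHost);
        };

    static void Main()
    {
        const string host = "server.local";
        using var root = new X509Certificate2("internal-root.cer"); // assumed path to the internal CA root
        using var conn = new LdapConnection(new LdapDirectoryIdentifier(host, 636))
        {
            AuthType = AuthType.Negotiate,
            Credential = new NetworkCredential("someuser", "somepassword"),
        };
        conn.SessionOptions.SecureSocketLayer = true;
        conn.SessionOptions.VerifyServerCertificate = MakeVerifier(root, host);
        conn.Bind(); // TLS handshake happens here; a rejected certificate surfaces as an LdapException

        // Same lookup as UserPrincipal.FindByIdentity(..., IdentityType.SamAccountName, ...).
        var request = new SearchRequest("DC=server,DC=local", "(sAMAccountName=someotheruser)",
                                        SearchScope.Subtree, "distinguishedName", "displayName");
        var response = (SearchResponse)conn.SendRequest(request);
        foreach (SearchResultEntry entry in response.Entries)
            Console.WriteLine(entry.DistinguishedName);
    }
}
```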