How to make LDAP SSL call using DsBrowseForContainerW API

    Question

  • Hi, 

    I am using DsBrowseForContainerW() to load all containers (OUs) from a given domain.

    Internally it uses a non-SSL LDAP call to read data from the domain controller. But I want to use LDAP over SSL to read data from the domain controllers.

    How can I achieve this?

    case-1 : ADsPath = "LDAP://Domain100.Lab/DC=Domain100,DC=Lab"   working fine, with non-SSL LDAP calls

    case-2 : ADsPath = "LDAP://dc12.Domain100.Lab:389/DC=Domain100,DC=Lab"   working fine, with non-SSL LDAP calls

    case-3 : ADsPath = "LDAP://dc12.Domain100.Lab:636/DC=Domain100,DC=Lab"   NOT working

    LDAP Non SSL port = 389

    LDAP SSL Port = 636

    Code :

    // Set up the browse dialog structure; the DSBrowseInfo layout and the
    // DsBrowseForContainerW P/Invoke declaration are defined elsewhere.
    DSBrowseInfo dsbi = new DSBrowseInfo();
    dsbi.cbStruct = System.Runtime.InteropServices.Marshal.SizeOf(dsbi);
    dsbi.pszCaption = caption;
    dsbi.pszTitle = title;
    dsbi.pszRoot = ldapPath;   // ADsPath of the container to start browsing from
    dsbi.pszPath = sResult;    // buffer that receives the selected container's ADsPath
    dsbi.cchPath = 1024;       // size of that buffer, in characters
    dsbi.hwndOwner = hwnd;

    // Explicit credentials are passed through to the directory bind.
    if (user != null && user.Length > 0)
    {
        dsbi.pUserName = user;
        dsbi.pPassword = password;
        dsbi.dwFlags |= DSBI_HASCREDENTIALS;
    }
    int ret = DsBrowseForContainerW(ref dsbi);

    In case-3, it gives the error "unable to connect to the domain with the given user name and password".

    Please help me to solve the issue. How can I achieve LDAP over SSL communication using the DsBrowseForContainerW() API?

    Thanks & Regards

    Prasad


    • Edited by R Pd Monday, May 27, 2019 5:54 AM
    Friday, May 24, 2019 3:12 PM

All replies

  • Hi,

    I have done some research about it and found some links about this; I hope they will be helpful to you.

    For your reference:

    https://docs.microsoft.com/en-us/windows/desktop/api/dsclient/nf-dsclient-dsbrowseforcontainerw

    https://docs.microsoft.com/en-us/windows/desktop/api/dsclient/ns-dsclient-dsbrowseinfow

    Best Regards,

    Fan


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Monday, May 27, 2019 7:53 AM
  • I have already gone through these documents, but have not found any option to pass a flag for LDAP over SSL communication. In the ADsPath, I am trying to pass the LDAP SSL port 636, but it is not working, as I mentioned in the problem description.

    Regards 

    Prasad

    Monday, May 27, 2019 9:28 AM
  • Hi,

    For setting up LDAPS (LDAP over SSL), I found some useful information; I hope it will be helpful for you.

    https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-step-guide-to-setup-ldaps-on-windows-server/

    Best Regards,

    Fan


    Please remember to mark the replies as answers if they help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, May 29, 2019 6:31 AM
  • I don't want the LDAPS (LDAP over SSL) setup information. We have a correct LDAPS (LDAP over SSL) setup. All ADSI APIs are working fine with SSL and non-SSL in our environment.

    But I want to use DsBrowseForContainerW with LDAPS (LDAP over SSL).

    Does the DsBrowseForContainerW API support LDAP over SSL?

    Thanks & Regards 

    Prasad

    Thursday, May 30, 2019 8:17 AM
  • Hello Prasad,

    I hope that you know that most (all?) LDAP traffic is encrypted by Simple Authentication and Security Layer (SASL) mechanisms in typical Windows scenarios (actually it is both sealed and signed), so use of LDAPS is not really necessary.

    If you want to do it however, you need to understand the implications of the components of the URL that you use.

    LDAP://dc12.Domain100.Lab:636/DC=Domain100,DC=Lab means engage in the normal LDAP protocol with the LDAP server listening for normal LDAP traffic at port 636 (normally the LDAP server is not expecting plain LDAP traffic on this port).

    LDAPS://dc12.Domain100.Lab:636/DC=Domain100,DC=Lab means engage in the communications necessary to establish an SSL/TLS channel to the LDAP server and then engage in the LDAP protocol within the channel. The port number here is OK but unnecessary since port 636 is the default port for the LDAPS scheme.

    Gary

    Thursday, May 30, 2019 8:49 AM
  • Hi Gary, 

    I want to call the DsBrowseForContainerW API, and internally this API should use LDAPS (LDAP over SSL). I don't want to use the SASL mechanism.

    Since the input structure DSBrowseInfo does not accept any flag to enable SSL communication, I am trying to pass the LDAPS port (636) in the ADsPath, but it does not solve my issue.

    case-1 : ADsPath = "LDAP://Domain100.Lab/DC=Domain100,DC=Lab"   working fine, with non-SSL LDAP calls (SASL)

    case-2 : ADsPath = "LDAP://dc12.Domain100.Lab:389/DC=Domain100,DC=Lab"   working fine, with non-SSL LDAP calls (SASL)

    case-3 : ADsPath = "LDAP://dc12.Domain100.Lab:636/DC=Domain100,DC=Lab"   NOT working

    Does the DsBrowseForContainerW API support LDAPS (LDAP over SSL)?

    Thanks & Regards

    Prasad


    • Edited by R Pd Thursday, May 30, 2019 11:19 AM
    Thursday, May 30, 2019 11:18 AM
  • Hello Prasad,

    Just add that all-important "S" to the scheme and try LDAPS://dc12.Domain100.Lab:636/DC=Domain100,DC=Lab

    Gary

    Thursday, May 30, 2019 11:25 AM
  • Hello Gary, 

    I think we can't create an ADsPath like this: LDAPS://dc12.Domain100.Lab:636/DC=Domain100,DC=Lab

    I have tried but no luck...

    Regards 

    Prasad

    Thursday, May 30, 2019 3:28 PM
  • Hello Prasad,

    What value does DsBrowseForContainerW return when using the LDAPS:// URL?

    Gary

    Thursday, May 30, 2019 4:00 PM
  • Hello Gary,

    DsBrowseForContainerW returns -1 when using the LDAPS:// URL.

    DsBrowseForContainerW should display a dialog box to select the containers.

    Regards 

    Prasad

    Thursday, May 30, 2019 4:25 PM
  • Hello Prasad,

    Sorry, I was wrong. Here is a stack trace of the point that things start to go wrong with my assertion about the scheme value:

    Child-SP          RetAddr           Call Site
    00000000`0099e478 00007ffc`73da15bf ACTIVEDS!ADsOpenObject
    00000000`0099e480 00007ffc`73da2960 dsuiext!CBrowseDlg::_OpenObject+0x5b
    00000000`0099e4d0 00007ffc`73da34a1 dsuiext!CBrowseDlg::_OnInitDlg+0x1f4
    00000000`0099e5d0 00007ffc`a8fde9cf dsuiext!CBrowseDlg::s_DlgProc+0x61
    00000000`0099e610 00007ffc`a8fd7d62 USER32!UserCallDlgProcCheckWow+0x197
    00000000`0099e6f0 00007ffc`a8fd7c76 USER32!DefDlgProcWorker+0xd2
    00000000`0099e7b0 00007ffc`a8fdca66 USER32!DefDlgProcW+0x36
    00000000`0099e7f0 00007ffc`a8fdc0b8 USER32!UserCallWinProcCheckWow+0x266
    00000000`0099e970 00007ffc`a8fdfa5e USER32!SendMessageWorker+0x218
    00000000`0099ea10 00007ffc`a8fff61a USER32!InternalCreateDialog+0xa2e
    00000000`0099ebf0 00007ffc`a8fff4f2 USER32!InternalDialogBox+0x106
    00000000`0099ec50 00007ffc`a8fff455 USER32!DialogBoxIndirectParamAorW+0x52
    00000000`0099ec90 00007ffc`73da1102 USER32!DialogBoxParamW+0x75
    00000000`0099ecd0 00007ffc`33ce0893 dsuiext!DsBrowseForContainerW+0xd2

    ADsOpenObject fails with error E_ADS_BAD_PATHNAME.

    ADsOpenObject is defined thus:

    HRESULT ADsOpenObject(
      LPCWSTR lpszPathName,
      LPCWSTR lpszUserName,
      LPCWSTR lpszPassword,
      DWORD   dwReserved,
      REFIID  riid,
      void    **ppObject
    );

    dwReserved

    Type: DWORD

    Provider-specific authentication flags used to define the binding options. For more information, see ADS_AUTHENTICATION_ENUM.

    So the way to use LDAPS via ADsOpenObject is to set ADS_USE_SSL in its dwReserved argument, but there is no (obvious) way of pushing this flag through from the DsBrowseForContainerW API.

    The dwReserved value that is passed with your invocation values is 0xC5: ADS_USE_SEALING | ADS_USE_SIGNING | ADS_READONLY_SERVER | ADS_SECURE_AUTHENTICATION (encryption and integrity are ensured, but via SASL rather than SSL/TLS).

    I will investigate a little bit further, but be prepared that what you want might not be possible.

    Gary



    Thursday, May 30, 2019 7:18 PM
  • Hello Prasad,

    I used the debugger to change the argument to ADsOpenObject from 0xC5 to 0x2 (ADS_USE_SSL) and that seems to allow the dialog to function over LDAPS (port 636).

    Unless someone else can suggest how to make this work, I think that we can assume that it is not supported.

    Gary

    Thursday, May 30, 2019 7:58 PM
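Putting Gary's two findings together, as an added example that is not code from the thread: a C# P/Invoke of ADsOpenObject that binds with the same 0xC5 flags the browse dialog uses, then with ADS_USE_SSL on port 636, and finally shows why an LDAPS:// scheme fails with E_ADS_BAD_PATHNAME. The enum values are the iads.h constants; the class name LdapsBind, the account name and the password are placeholders, and ADS_SECURE_AUTHENTICATION is combined with Gary's 0x2 so the credential is sent via Negotiate inside the TLS channel rather than as a simple bind.

```csharp
using System;
using System.Runtime.InteropServices;
static class LdapsBind
{
    // ADS_AUTHENTICATION_ENUM values from iads.h (only those used here).
    [Flags]
    public enum AdsAuth : uint
    {
        ADS_SECURE_AUTHENTICATION = 0x01,
        ADS_USE_SSL               = 0x02,   // same bit as ADS_USE_ENCRYPTION
        ADS_READONLY_SERVER       = 0x04,
        ADS_USE_SIGNING           = 0x40,
        ADS_USE_SEALING           = 0x80,
    }
    // 0xC5: the flags Gary saw DsBrowseForContainerW hand to ADsOpenObject (SASL sign/seal, no TLS).
    public const AdsAuth BrowseDialogFlags = AdsAuth.ADS_USE_SEALING | AdsAuth.ADS_USE_SIGNING
                                           | AdsAuth.ADS_READONLY_SERVER | AdsAuth.ADS_SECURE_AUTHENTICATION;
    // Negotiate bind inside a TLS channel; ADS_USE_SSL alone would perform a simple bind over TLS.
    public const AdsAuth LdapsFlags = AdsAuth.ADS_USE_SSL | AdsAuth.ADS_SECURE_AUTHENTICATION;
    public const int E_ADS_BAD_PATHNAME = unchecked((int)0x80005000);
    static Guid IID_IUnknown = new Guid("00000000-0000-0000-C000-000000000046");

    [DllImport("activeds.dll", CharSet = CharSet.Unicode, ExactSpelling = true)]
    static extern int ADsOpenObject(string lpszPathName, string lpszUserName, string lpszPassword,
                                    uint dwReserved, ref Guid riid, out IntPtr ppObject);

    // Binds to an ADsPath with the given flags and returns the HRESULT; the bound object is released at once.
    public static int TryBind(string adsPath, string user, string password, AdsAuth flags)
    {
        int hr = ADsOpenObject(adsPath, user, password, (uint)flags, ref IID_IUnknown, out IntPtr obj);
        if (hr == 0 && obj != IntPtr.Zero) Marshal.Release(obj);
        return hr;
    }

    static void Main()
    {
        // Placeholder lab values: substitute your own DC, base DN and an account you are allowed to use.
        string user = "Domain100\\svc-browse", password = "<password-placeholder>";
        string plain = "LDAP://dc12.Domain100.Lab:389/DC=Domain100,DC=Lab";
        string ldaps = "LDAP://dc12.Domain100.Lab:636/DC=Domain100,DC=Lab";
        Console.WriteLine($"0x{(uint)BrowseDialogFlags:X} ({BrowseDialogFlags}) on 389 -> 0x{TryBind(plain, user, password, BrowseDialogFlags):X8}");
        Console.WriteLine($"ADS_USE_SSL on 636 -> 0x{TryBind(ldaps, user, password, LdapsFlags):X8}");
        // The ADsPath scheme stays LDAP://; an LDAPS:// scheme is rejected before any connection is made.
        int hr = TryBind(ldaps.Replace("LDAP://", "LDAPS://"), user, password, LdapsFlags);
        Console.WriteLine(hr == E_ADS_BAD_PATHNAME ? "LDAPS:// scheme -> E_ADS_BAD_PATHNAME" : $"LDAPS:// scheme -> 0x{hr:X8}");
    }
}
```

A zero HRESULT on the second call confirms the DC accepts the bind over TLS on 636, which is the behaviour Gary obtained by patching the flag in the debugger; the browse dialog itself offers no way to pass that flag.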