ASP.NET and SASL

 
 
Amar
      01-05-2006
Does ASP.NET support SASL EXTERNAL binds? Does ASP.NET support the LDAPv3
operations necessary to use an authorized Enterprise directory?
If yes, then can you please provide me with some example or some useful links?
Thanks in Advance!
 
Joe Kaplan (MVP - ADSI)
      01-05-2006
Have you looked at System.DirectoryServices.Protocols in .NET 2.0? All LDAP
bind types supported by wldap32.dll are available there.

System.DirectoryServices (ADSI-based LDAP) supports a smaller subset
including Windows negotiate auth (GSS-SPNEGO SASL provider) and client
certificate auth via SASL external.

None of this is related to ASP.NET at all though.

Joe K.
 
Amar
      01-05-2006
Thanks again Joe.
I am using .NET 1.1, since I am using Visual Studio 2003, and I don't know
if it works for .NET 2.0.
1. Why do you say that none of this is related to ASP.NET?
2. Also, can you give me an example of "client certificate auth via SASL
external" that you say is supported by System.DirectoryServices (ADSI-based
LDAP)?
Or point me towards links with the same?
Thank you.
 
Joe Kaplan (MVP - ADSI)
      01-05-2006
If you are using VS 2003, you cannot dev for .NET 2.0 unfortunately. You
would need a different tool to write .NET 2.0 code, although you can compile
directly with the platform SDK.

I say this is not related to ASP.NET as all of the functionality in question
is in the System.DirectoryServices assembly and ADSI and Windows LDAP (and
other lower layers like auth, network, DNS, etc.). ASP.NET apps can use
LDAP, but they aren't really different from other .NET apps that might want
to do so except that they have more complicated security scenarios in some
cases.

If you want to do client certificate authentication with LDAP, this is
possible and supposedly works with ADSI (and thus System.DirectoryServices).
I've never tested it though. You basically need to configure your
DirectoryEntry objects to use AuthenticationTypes.SecureSocketsLayer and
need to configure the ASP.NET account to have access to the client
certificate and private key. The latter is the hard part. Note that you
don't control the SASL stuff directly though with this. It is all done at a
lower level.

What are you specifically trying to accomplish? Do you need to use a
special SASL provider with an LDAP bind or what?

Joe K.
 
Amar
      01-06-2006
Hi,
Thank you Joe.
I am trying to accomplish the following:
We have a central university LDAP server. My department has a webserver with
IIS6/Windows 2003. We got 2 certificates from the university. One was an SSL
Server certificate and the other was a Middleware Client Certificate. My Sys
Admin installed both of these on the webserver. We checked the box to make the
site SSL encrypted too.
Now, to fetch some important data from the university LDAP server, the
middleware group say that my application (in this case ASP.NET) needs to
support SSL or TLS with client certificates and should be able to somehow
perform a SASL EXTERNAL Bind with the LDAP Server. They have posted some
examples in Java, Perl and Python. Please tell me if you want to read details
about those, I can send you the link.
Our major issue is:
My Sys Admin and I are doing this client certificate thing for the first
time. So as per our thinking there has to be some way in the ASP.NET code
that tells the application to use the particular client certificate (and the
private key in it) while trying to connect to the LDAP server. We are not
able to figure this out! If you can give us step-by-step instructions to
achieve this we would appreciate it!

Thanks in Advance!
 
Joe Kaplan (MVP - ADSI)
      01-06-2006
The only way to specify specific client certificates is with
System.DirectoryServices.Protocols. When you are using
System.DirectoryServices, the LDAP layer will simply try to find an
appropriate client certificate based on the certificates that the server
says that it trusts during the SSL/LDAP negotiation and send that
certificate.

Typically, the hard part of this is configuring the appropriate process
account so that the certificate is available with the private key. Normally
for ASP.NET apps, you need to add the certificate to the machine store and
make sure the private key is available with the certificate there and that
the account accessing it has rights to read the private key.

Before you even try to do this in a web application, why don't you try to
get it working in a console application first? That way you can install the
certificate into your local store and see if that works.

The only thing you would do from a code perspective is specify
AuthenticationTypes.SecureSocketsLayer in your DirectoryEntry constructor.
I'm not really sure what if anything you should specify for the username and
password though. I've never done client cert auth with LDAP, I've only
discussed it a bit with other experts.

Joe K.
Reply With Quote
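The System.DirectoryServices.Protocols route mentioned in the thread, as an added example that is not part of the original posts and was not tested by either poster: a console program that picks one specific client certificate from the machine store and performs a SASL EXTERNAL bind over LDAPS. The host name, the thumbprint placeholder and port 636 are assumptions; it requires .NET 2.0 or later.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Security.Cryptography.X509Certificates;

class SaslExternalBind
{
    // Placeholders (assumptions): substitute the directory host and the
    // thumbprint of the client certificate installed in the machine store.
    const string LdapHost = "ldap.example.edu";
    const string ClientCertThumbprint = "<CLIENT-CERT-THUMBPRINT>";

    static X509Certificate2 LoadClientCertificate()
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            // validOnly = true returns only certificates that pass validation.
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindByThumbprint, ClientCertThumbprint, true);
            if (found.Count == 0)
                throw new InvalidOperationException("Client certificate not found or not valid.");
            // HasPrivateKey shows a key is associated with the certificate; the
            // process account still needs read rights on that key for the handshake.
            if (!found[0].HasPrivateKey)
                throw new InvalidOperationException("Certificate has no private key in this store.");
            return found[0];
        }
        finally { store.Close(); }
    }

    static void Main()
    {
        X509Certificate2 clientCert = LoadClientCertificate();
        LdapDirectoryIdentifier server = new LdapDirectoryIdentifier(LdapHost, 636);
        using (LdapConnection conn = new LdapConnection(server))
        {
            conn.SessionOptions.ProtocolVersion = 3;
            conn.SessionOptions.SecureSocketLayer = true;   // LDAP over SSL
            // Offer exactly this certificate when the server requests one.
            conn.SessionOptions.QueryClientCertificate =
                delegate(LdapConnection c, byte[][] trustedCAs) { return clientCert; };
            // No VerifyServerCertificate callback is set here, so server certificate
            // checking is not overridden; do not replace it with "return true".
            conn.AuthType = AuthType.External;  // SASL EXTERNAL: identity comes from the client cert
            conn.Bind();                        // throws LdapException if the bind is rejected
            Console.WriteLine("SASL EXTERNAL bind succeeded.");
        }
    }
}
```

Running this as a console application under your own account first, as suggested in the thread, separates certificate and bind problems from the private-key permission problems of the ASP.NET process account.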
 
 
 