We have written an authentication provider for a SharePoint web application which can request multiple LDAP directories.

One of the LDAP servers has to be requested via SSL. So we imported the CA certificate which was used to sign the LDAP server's certificate into the certificate store of the SharePoint server.

The following code snippet shows how we authenticate a user. The passed credentials (account, password) belong to the user we want to authenticate.

 using System.DirectoryServices;

 // Bind as the user being authenticated; SecureSocketsLayer requests LDAP over SSL.
 var entry = new DirectoryEntry("LDAP://<ldap-server-address>", "cn=account,ou=sub,o=xyz,c=de", "password", AuthenticationTypes.SecureSocketsLayer);
 // ADSI binds lazily, so the bind itself happens on first use of the entry, i.e. in the search.
 var searcher = new DirectorySearcher(entry);
 var found = searcher.FindOne();

When the code is processed, the call to searcher.FindOne() throws the following exception.

System.Runtime.InteropServices.COMException (0x80072035): The server is unwilling to process the request

What circumstance can lead to this error?

UPDATE:

I found some information about the error message. There the problem seems to be the certificate store, as the user has only stored the certificate in the user's store and not in the computer's store. Unfortunately we've already stored it there. So could this still be a certificate issue?

UPDATE/SOLUTION:

Actually the problem is solved. It seems as if the root CA certificate was imported correctly but the error message the LDAP server responded with was caused by an expired user account our customer gave us for testing.
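The following is an added example, not the question's own code, showing how the bind in the question can be wrapped so that the server's answer is classified instead of surfacing as a bare COMException. It assumes the same LDAP-over-SSL bind with DirectoryEntry and the same DN layout ("ou=sub,o=xyz,c=de") as the question; the server address is a placeholder, and the HRESULT constants are the Win32 error codes ADSI wraps for the corresponding LDAP results (the 0x80072035 value is the one from the question, ERROR_DS_UNWILLING_TO_PERFORM, i.e. LDAP resultCode 53 unwillingToPerform). It also adds two checks the question's snippet lacks: the account name is escaped before being placed in the DN, and an empty password is rejected before it reaches the server.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;

// Added example (not from the question). Assumes the accounts live under
// "ou=sub,o=xyz,c=de" as in the question and that the server accepts a
// simple bind over SSL; the server address passed in is a placeholder.
public enum LdapAuthResult { Success, InvalidCredentials, ServerUnwilling, OtherError }

public static class LdapAuthenticator
{
    // HRESULT from the question: Win32 8245 ERROR_DS_UNWILLING_TO_PERFORM, the
    // wrapper for LDAP resultCode 53 (unwillingToPerform). Servers return it for
    // reasons unrelated to the client's certificate store, e.g. an expired or
    // disabled account, which is what the question's solution turned out to be.
    private const int ErrorDsUnwillingToPerform = unchecked((int)0x80072035);
    // Win32 1326 ERROR_LOGON_FAILURE as HRESULT: wrong password or unknown user.
    private const int ErrorLogonFailure = unchecked((int)0x8007052E);

    // Escape an attribute value for use inside a DN (RFC 4514 section 2.4), so an
    // account name such as "x,ou=admins" cannot change which entry is bound.
    public static string EscapeDnValue(string value)
    {
        var sb = new StringBuilder(value.Length);
        for (int i = 0; i < value.Length; i++)
        {
            char c = value[i];
            bool leadingSpecial = i == 0 && (c == ' ' || c == '#');
            bool trailingSpace = i == value.Length - 1 && c == ' ';
            if (leadingSpecial || trailingSpace || ",+\"\\<>;=".IndexOf(c) >= 0)
                sb.Append('\\');
            sb.Append(c);
        }
        return sb.ToString();
    }

    public static LdapAuthResult Authenticate(string server, string account, string password)
    {
        // An empty password turns the simple bind into an "unauthenticated" bind
        // (RFC 4513 section 5.1.2), which many servers accept as anonymous and
        // which would therefore look like a successful login. Reject it locally.
        if (string.IsNullOrEmpty(password) || string.IsNullOrEmpty(account))
            return LdapAuthResult.InvalidCredentials;

        string userDn = "cn=" + EscapeDnValue(account) + ",ou=sub,o=xyz,c=de";
        try
        {
            using (var entry = new DirectoryEntry("LDAP://" + server, userDn, password,
                                                  AuthenticationTypes.SecureSocketsLayer))
            {
                // ADSI binds lazily; reading NativeObject forces the bind now so a
                // rejected bind surfaces here rather than on a later search.
                object native = entry.NativeObject;
                return LdapAuthResult.Success;
            }
        }
        catch (COMException ex)
        {
            switch (ex.ErrorCode)
            {
                case ErrorLogonFailure:         return LdapAuthResult.InvalidCredentials;
                case ErrorDsUnwillingToPerform: return LdapAuthResult.ServerUnwilling;
                default:                        return LdapAuthResult.OtherError;
            }
        }
    }
}
```

Mapping ServerUnwilling separately from InvalidCredentials is what makes the case in the question diagnosable: the certificate problem the asker suspected would have failed before the bind (typically with a different HRESULT), whereas unwillingToPerform is the server's verdict on the account after the TLS session and bind request were already accepted.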

A: 

It's possible your certificate is not being served by a fully trusted CA. Have you gone into the trust relationships for the certificate mmc and established the CA server as a trusted root authority on the LDAP server?

EDIT: Also of note, it's possible that the reported name of the server is not matching the certificate being passed. You might want to check the logs of the LDAP server to make sure that the server name is being reported identically to the certificate listing.

Joel Etherton
We don't have administrative access to the LDAP server, because it's the server of our customer who also gave us the certificate.
Flo
Actually I just saw something. If you're using LDAP secure you can't use LDAP://, you need to use LDAPS://. Otherwise it'll send plaintext credentials when they should be encrypted.
Joel Etherton
Ok, I'll give it a try. Another thing I'm not sure about is whether I stored the certificate in the right store. I put it into the computer's store. I think there it should be accessible for the authentication provider. To check this I tried to access the LDAP via IE and noticed that the LDAP server's certificate got validated. So I think the certificate should be in the right place when IE could access it for validation purposes.
Flo
A: 

I believe this error can occur when the user under modification is disabled.

Try enabling the user and retrying the modification.

Ben Aston