I am using C# to authenticate users to my app as follows:

    using System.DirectoryServices.Protocols;
    using System.Net;

    public bool AuthenticateUser(string userName, string password)
    {
        try
        {
            using (LdapConnection connection = new LdapConnection(Configuration.JonahLdapServer))
            {
                connection.Credential = new NetworkCredential(userName, password, Configuration.JonahDomain);
                connection.AuthType = AuthType.Basic;   // simple bind, so the password is only protected by the SSL layer below
                connection.SessionOptions.SecureSocketLayer = true;
                // Accepts whatever certificate the server presents, i.e. server validation is switched off.
                connection.SessionOptions.VerifyServerCertificate =
                    new VerifyServerCertificateCallback(AlwaysTrustCertificateDelegate);
                connection.Bind();   // throws LdapException if the connect or the bind fails
                return true;
            }
        }
        catch (LdapException)
        {
            // bind failed: wrong credentials, or (as in the trace below) the server could not be reached
            return false;
        }
    }

When I run this in VS 2008, it works just fine. However, when I deploy the application to IIS 5.1, it gives me the following stacktrace:

System.DirectoryServices.Protocols.LdapException: The LDAP server is unavailable.
   at System.DirectoryServices.Protocols.LdapConnection.Connect()
   at System.DirectoryServices.Protocols.LdapConnection.BindHelper(NetworkCredential newCredential, Boolean needSetCredential)
   at System.DirectoryServices.Protocols.LdapConnection.Bind()
   at Jonahgroup.Lychee.Presentation.Security.SecurityManager.AuthenticateUser(String userName, String password)

It should be noted that if I run the code without SSL, it works fine on both IIS and VS.

Any help would be appreciated.
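Whatever the cause of the connect failure, the posted bind has a second problem worth fixing at the same time: the always-trust callback means any host that answers on the LDAPS port can collect the simple-bind password. The following is an added example, not code from the original post, showing a bind that validates the server certificate (chain plus name) and that separates a wrong password (LDAP result 49) from an unreachable server (result 81, the "The LDAP server is unavailable" case in the trace). The host name, port and domain constants are assumptions for the example.

```csharp
using System;
using System.DirectoryServices.Protocols;
using System.Net;
using System.Security.Cryptography.X509Certificates;

static class LdapAuth
{
    // Assumed values for the example; the original post reads them from Configuration.
    const string LdapServer = "ldap.example.local";
    const int    LdapsPort  = 636;
    const string LdapDomain = "EXAMPLE";

    // Returns true for a successful bind, false for a rejected password.
    // Anything else (server down, TLS failure, ...) is an infrastructure fault and is rethrown.
    public static bool AuthenticateUser(string userName, string password)
    {
        LdapDirectoryIdentifier id = new LdapDirectoryIdentifier(LdapServer, LdapsPort);
        using (LdapConnection connection = new LdapConnection(id))
        {
            connection.Credential = new NetworkCredential(userName, password, LdapDomain);
            connection.AuthType = AuthType.Basic;              // simple bind: only the TLS layer protects the password
            connection.SessionOptions.ProtocolVersion = 3;
            connection.SessionOptions.SecureSocketLayer = true; // TLS from the first byte on port 636
            connection.SessionOptions.VerifyServerCertificate =
                new VerifyServerCertificateCallback(VerifyServerCertificate);
            try
            {
                connection.Bind();
                return true;
            }
            catch (LdapException ex)
            {
                if (ex.ErrorCode == 49)   // LDAP_INVALID_CREDENTIALS
                    return false;
                throw;                    // 81 = LDAP_SERVER_DOWN ("The LDAP server is unavailable"), etc.
            }
        }
    }

    // Replacement for an always-trust delegate: the chain must build to a root the
    // process trusts, and the certificate must be issued to the host we dialled.
    static bool VerifyServerCertificate(LdapConnection connection, X509Certificate certificate)
    {
        X509Certificate2 cert = new X509Certificate2(certificate);

        X509Chain chain = new X509Chain();
        chain.ChainPolicy.RevocationMode = X509RevocationMode.Online;
        if (!chain.Build(cert))
            return false;   // untrusted root, expired, revoked, ...

        // First DNS SAN, or the subject CN if there is no SAN.
        string dnsName = cert.GetNameInfo(X509NameType.DnsName, false);
        return string.Equals(dnsName, LdapServer, StringComparison.OrdinalIgnoreCase);
    }
}
```

Two caveats. `GetNameInfo` only returns one name, so a certificate whose matching entry is the second or later SAN would be rejected; walk the SAN extension if that matters. And the chain build runs as the worker-process identity, so a trust failure here is exactly where a service account that cannot read the machine's certificate stores would show up.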

A: 

It should be noted that if I run the code without SSL, it works fine on both IIS and VS.

This would imply that the problem is related more to your SSL configuration than anything else, though why you're running this on Windows XP (IIS 5.1), which is a desktop-class system, rather than a Windows Server edition is not clear.

Joel Coehoorn
I do not understand how SSL configurations can come into play here. The secure connection is between the code and the LDAP server. As such, IIS should not care about how authentication is done (unless there is a need to configure the LDAP settings with IIS, which I am unaware of).
Abdul Basit
+1  A: 

The IIS account does not have access to the certificate store. You can either change the IIS account to run as yourself (not recommended for a production deployment) or grant the current IIS account access to each of your certificates (under c:\Documents And Settings\All Users\Application Data\Microsoft\Crypto\RSA).

Incidentally, I found a similar thread in which the author was able to switch the IIS account to use ASPNET from the IUSR_ account.

http://www.velocityreviews.com/forums/t109404-aspnet-and-ldap.html

Ryan Sweet
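To confirm this diagnosis before changing the site's identity, it helps to see which account the worker process actually runs as and whether that account can read the machine key container named above. The following is an added example, not part of the thread: a small class you can call from a test page in the application, so it executes under the worker identity. The `Report` method probes the MachineKeys folder (the `Crypto\RSA` path from the answer, resolved through `CommonApplicationData` so it also works on later Windows versions); `GrantRead` is the programmatic equivalent of granting the account read access with cacls, to be run once as an administrator. The account name passed to it is an assumption.

```csharp
using System;
using System.IO;
using System.Security.AccessControl;
using System.Security.Principal;

static class KeyStoreAccess
{
    // On Windows XP CommonApplicationData is
    // C:\Documents and Settings\All Users\Application Data, so this is the
    // ...\Microsoft\Crypto\RSA\MachineKeys folder that holds machine private keys.
    static readonly string MachineKeys = Path.Combine(
        Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData),
        @"Microsoft\Crypto\RSA\MachineKeys");

    // Call from an .aspx page: reports the worker identity and whether it can read the keys.
    public static string Report()
    {
        string who = WindowsIdentity.GetCurrent().Name;   // e.g. MACHINE\ASPNET or IUSR_...
        try
        {
            int count = Directory.GetFiles(MachineKeys).Length;
            return string.Format("{0} can read {1} ({2} key files)", who, MachineKeys, count);
        }
        catch (UnauthorizedAccessException)
        {
            return string.Format("{0} has no access to {1}", who, MachineKeys);
        }
    }

    // Grants read access to the worker account instead of running the site as yourself.
    // Run once as an administrator; 'account' is hypothetical here, e.g. @"MACHINE\ASPNET".
    public static void GrantRead(string account)
    {
        DirectorySecurity acl = Directory.GetAccessControl(MachineKeys);
        acl.AddAccessRule(new FileSystemAccessRule(
            account,
            FileSystemRights.ReadAndExecute,
            InheritanceFlags.ContainerInherit | InheritanceFlags.ObjectInherit,
            PropagationFlags.None,
            AccessControlType.Allow));
        Directory.SetAccessControl(MachineKeys, acl);
    }
}
```

Prefer the narrower grant where you can: if only one certificate is involved, apply the rule to that certificate's key file rather than the whole MachineKeys folder, since read access to the folder exposes every machine private key to the worker account.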
A: 

Turns out everything works fine when the application is deployed to an IIS 6.0 server.

Thanks for all those who helped.

Abdul Basit