question

PreethamAnandaram-7522 asked

Is there a way to make UserPrincipal.GetGroups() call use LDAPS (port 636) instead of LDAP (port 389)?

We are preparing for Microsoft's March AD update to only allow secure calls using LDAPS, and while checking our .Net code, I discovered that calls to UserPrincipal.GetGroups() appear to use LDAP (port 389) rather than LDAPS (port 636), even if the UserPrincipal object was created with a PrincipalContext established over LDAPS, like so:

 using System.DirectoryServices.AccountManagement;

 // Explicitly using LDAPS (port 636) for the PrincipalContext and the user lookup
 PrincipalContext principalContext = new PrincipalContext(ContextType.Domain, "our.corpdomain.com:636", "DC=our,DC=corpdomain,DC=com", ContextOptions.Negotiate);
 UserPrincipal userPrincipal = UserPrincipal.FindByIdentity(principalContext, "someuser");

 // This call still goes out over LDAP (port 389), as seen on the wire
 var groups = userPrincipal.GetGroups();

Does anyone know why this might happen and, if so, how to force the GetGroups() call to use LDAPS? If it can't be forced, are there any workarounds?

I followed the code at the URL below, but it does not provide the MemberGroupID; only the ("memberOf") group names are available. I need a list of MemberGroupIDs.
https://www.gabescode.com/active-directory/2018/06/08/finding-all-of-a-users-groups.html

Note: We have multiple forests and domains in the infrastructure

windows-active-directory
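One workaround for the problem described in the question, as an added example that is not code from the question, the answer, or the linked article: leave UserPrincipal.GetGroups() out of the membership step and instead read the user's tokenGroups attribute over an LdapConnection that is explicitly bound to port 636 with SSL. It returns group SIDs, which I assume is the "MemberGroupID" the question asks for; the class name, method name and parameters are my own.

```csharp
using System;
using System.Collections.Generic;
using System.DirectoryServices.Protocols;
using System.Security.Principal;

// Hypothetical helper (added example, not from the question or the answer).
static class LdapsGroupLookup
{
    // Returns the SIDs of every security group the user belongs to, nested
    // groups included, read from the constructed tokenGroups attribute over LDAPS.
    // server: DC host name (e.g. "dc01.our.corpdomain.com"), userDn: the user's DN.
    public static List<SecurityIdentifier> GetGroupSids(string server, string userDn)
    {
        // Port 636, fully qualified host name, connection-oriented (TCP)
        var id = new LdapDirectoryIdentifier(server, 636, true, false);
        using (var conn = new LdapConnection(id))
        {
            conn.SessionOptions.SecureSocketLayer = true; // TLS from the first byte, not StartTLS
            conn.SessionOptions.ProtocolVersion = 3;
            conn.AuthType = AuthType.Negotiate;           // Kerberos/NTLM inside the TLS channel
            conn.Bind();                                  // bind with the process credentials

            // tokenGroups is a constructed attribute: it is only returned by a
            // base-scope read of the user's own object, never by a subtree search.
            var request = new SearchRequest(userDn, "(objectClass=*)", SearchScope.Base, "tokenGroups");
            var response = (SearchResponse)conn.SendRequest(request);

            var sids = new List<SecurityIdentifier>();
            if (response.Entries.Count == 0)
                return sids;

            DirectoryAttribute attr = response.Entries[0].Attributes["tokenGroups"];
            if (attr == null)
                return sids;

            // Each value is a binary SID; SecurityIdentifier parses the raw form.
            foreach (byte[] raw in attr.GetValues(typeof(byte[])))
                sids.Add(new SecurityIdentifier(raw, 0));

            return sids;
        }
    }
}
```

tokenGroups is computed by the DC you bind to, so in a multi-domain environment it reflects that domain's view of membership; for a global catalog query use tokenGroupsGlobalAndUniversal instead.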

1 Answer

LimitlessTechnology-2700 answered

Hello @PreethamAnandaram-7522,

Thank you for your question and reaching out.

Please follow these steps:

To set the client LDAP signing requirement by using a domain Group Policy Object

1. Select Start > Run, type mmc.exe, and then select OK.
2. Select File > Add/Remove Snap-in.
3. In the Add or Remove Snap-ins dialog box, select Group Policy Object Editor, and then select Add.
4. Select Browse, and then select Default Domain Policy (or the Group Policy Object for which you want to enable client LDAP signing).
5. Select OK.
6. Select Finish.
7. Select Close.
8. Select OK.
9. Select Default Domain Policy > Computer Configuration > Windows Settings > Security Settings > Local Policies, and then select Security Options.
10. In the Network security: LDAP client signing requirements Properties dialog box, select Require signing in the list, and then select OK.
11. In the Confirm Setting Change dialog box, select Yes.

For more information, you can visit this link:
https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-signing-in-windows-server

If the reply was helpful, please don't forget to upvote or accept it as the answer.

Thanks,

Aradhya C


Hi Aradhya, thanks for the reply. I have already set up the LDAP signing requirement by using a domain Group Policy Object.

All other calls to AD are using port 636 except UserPrincipal.GetGroups(). Through a Wireshark filter I am able to see that the call is still using port 389. Thanks
