
Using SSL to Encrypt LDAP Queries - Windows 2008 R2

I'm trying to secure our domain so when LDAP queries are made from another computer they are encrypted with SSL.

I followed this guide even though I am using Windows 2008 R2.

I added the Active Directory Certificate Services role with mostly default settings, and made sure it's an Enterprise Root CA (as the guide suggests).

I log in to a Windows 7 computer (all firewalls disabled), and using the Java-based app JXplorer (is there anything better?) do some LDAP queries (or try to, at least). The problem is I can't seem to connect to the server using anything but GSSAPI (don't even know what that is); I tried other options but it doesn't connect.

The guide doesn't mention anything else other than installing CA on the server, I'm wondering if there are any other configurations that need to be performed in order to force SSL for LDAP queries.

Many thanks.


You never actually say you're running Active Directory on 2008 R2, but I'll assume that's the case.

First off, you do not need to install Certificate Services on your domain controller or make it a Certification Authority. Your DC just needs a single "valid" SSL certificate assigned to it that your LDAP client "trusts".

There are a variety of ways to get a certificate for your DC. Installing a Certification Authority (like AD Certificate Services) and using it to generate your "domain controller" certificate is one way, but not the only way. And it is generally considered unwise to make your domain controller the certification authority. Put it on a dedicated machine, instead.

You can also get a certificate from a third party CA just like you would for a web server. It's a little more complicated because a domain controller certificate has different attributes it needs in order to be "valid". Here's a link from Microsoft on the subject: How to enable LDAP over SSL with a third-party certification authority

Requirements for an LDAPS certificate

To enable LDAPS, you must install a certificate that meets the following requirements:

  • The LDAPS certificate is located in the Local Computer's Personal certificate store (programmatically known as the computer's MY certificate store).
  • A private key that matches the certificate is present in the Local Computer's store and is correctly associated with the certificate. The private key must not have strong private key protection enabled.
  • The Enhanced Key Usage extension includes the Server Authentication object identifier (also known as OID).
  • The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places:
    • The Common Name (CN) in the Subject field.
    • DNS entry in the Subject Alternative Name extension.
  • The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
  • You must use the Schannel cryptographic service provider (CSP) to generate the key.

Once you have your certificate installed and working on the DC, you should be able to point your LDAP client to port 636 or 3269 (for GC connection) and be good to go.
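The following PowerShell is an added example, not code from the answer or from Microsoft. It turns the requirement list above into two checks: one run on the domain controller to audit the Personal (MY) store for a certificate that meets the listed conditions, and one run from the LDAP client to open port 636 (or 3269 for the Global Catalog), validate the certificate the DC presents, and bind. Assumptions: function names are hypothetical, DC01.DOMAIN.COM is the answer's placeholder FQDN, 1.3.6.1.5.5.7.3.1 is the standard Server Authentication EKU OID, and PowerShell 2.0 or later with .NET 3.5 is available.

```powershell
# Added example (not part of the answer above): audit the DC's Personal store
# for a certificate meeting the quoted LDAPS requirements, then test an LDAPS
# bind from a client. Function names are hypothetical; DC01.DOMAIN.COM is the
# placeholder FQDN used in the answer. Needs PowerShell 2.0+ (.NET 3.5).

# id-kp-serverAuth: the "Server Authentication" Enhanced Key Usage OID.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'

# Run ON the domain controller. Reports, per certificate in Cert:\LocalMachine\My,
# which requirements it meets. Strong private key protection and the CSP used to
# generate the key are not checked here.
function Test-LdapsCertificate {
    param(
        # Default to this machine's own FQDN.
        [string]$DcFqdn = [System.Net.Dns]::GetHostEntry('').HostName
    )
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_

        # Requirement: EKU includes Server Authentication.
        $ekuExt = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = $false
        if ($ekuExt) {
            foreach ($eku in $ekuExt.EnhancedKeyUsages) {
                if ($eku.Value -eq $ServerAuthOid) { $hasServerAuth = $true }
            }
        }

        # Requirement: FQDN in the Subject CN or in a SAN DNS entry.
        $cn  = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        $sanText = if ($san) { $san.Format($false) } else { '' }
        $nameOk = ($cn -ieq $DcFqdn) -or ($sanText -imatch [regex]::Escape($DcFqdn))

        # Requirement: chains to a root the DC trusts (uses the machine's trust stores).
        $chainOk = $cert.Verify()

        New-Object PSObject -Property @{
            Thumbprint      = $cert.Thumbprint
            Subject         = $cert.Subject
            HasPrivateKey   = $cert.HasPrivateKey      # requirement: matching private key present
            ServerAuthEku   = $hasServerAuth
            NameMatchesFqdn = $nameOk
            ChainTrusted    = $chainOk
            UsableForLdaps  = ($cert.HasPrivateKey -and $hasServerAuth -and $nameOk -and $chainOk)
        }
    }
}

# Run from the LDAP CLIENT (e.g. the Windows 7 box). Opens LDAPS on 636 (or
# 3269 for the Global Catalog) and binds, accepting the DC's certificate only
# if it chains to a root this client trusts. Returns $true on success.
function Test-LdapsBind {
    param(
        [string]$Server = 'DC01.DOMAIN.COM',
        [int]$Port = 636,
        [System.Management.Automation.PSCredential]$Credential   # omit to bind as the logged-on user
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    # Show what the DC presents, and enforce chain validation on the client side.
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $c2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        Write-Host ("DC presented: " + $c2.Subject + " (expires " + $c2.NotAfter + ")")
        return $c2.Verify()
    }
    if ($Credential) {
        # A simple bind sends the password; acceptable here only because SSL wraps it.
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = $Credential.GetNetworkCredential()
    } else {
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    }
    try     { $conn.Bind(); return $true }
    catch   { Write-Warning $_.Exception.Message; return $false }
    finally { $conn.Dispose() }
}

# Usage:  Test-LdapsCertificate | Format-Table -AutoSize
#         Test-LdapsBind -Server DC01.DOMAIN.COM -Credential (Get-Credential)
```

If `Test-LdapsCertificate` shows no certificate with every column true, LDAPS will not come up on 636 no matter what the client does; if it does and `Test-LdapsBind` still fails, the warning text from the bind (and the subject the callback prints) usually points at either a name mismatch or a root the client has not been told to trust.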

    • +1 But a quick note. A domain integrated CA makes certificates very simple. DCs will auto-enroll, by default, and you can configure certificate trusts, and auto-enrollment, for any class. Definitely consider using a non-DC to be the CA though.
    • You give good general information, but I need the specifics, once I install "AD Certificate Services", how do I use it to generate the "domain controller" certificate?
    • Once I have the certificate installed and working on the DC, and point the LDAP clients to port 636, will the non-SSL, default, port still work? If yes, is there a way to restrict LDAP queries to SSL only?
    • How to generate certificates using ADCS should probably be its own question. It's kind of a 101 topic. And like jscott said, your DCs should auto-enroll if your environment hasn't been modified too much from the default config. Once a DC is using a certificate the non-SSL ports (389 and 3268) do still work. But there's a group policy setting you can set to require LDAP signing. More info here
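The last comment's point, that 389 and 3268 keep listening after LDAPS is up and that a group policy can require LDAP signing, can be verified rather than assumed. The PowerShell below is an added example, not code from the thread: it reads the signing policy as stored on the DC and, from a client, checks whether a plain simple bind on 389 is still accepted. Assumptions: function names are hypothetical, DC01.DOMAIN.COM is the placeholder FQDN from the answer, and the policy "Domain controller: LDAP server signing requirements" is persisted as the `LDAPServerIntegrity` value under the NTDS Parameters key (2 = Require signing).

```powershell
# Added example (not from the comment thread): read the effective "Domain
# controller: LDAP server signing requirements" policy on a DC, and probe from a
# client whether an unsigned, non-SSL simple bind on 389 is still accepted.
# Function names are hypothetical; DC01.DOMAIN.COM is the placeholder FQDN.

# Run ON the DC. The policy is stored as LDAPServerIntegrity under the NTDS
# Parameters key: 2 = "Require signing", 1 or missing = "None".
function Get-LdapSigningRequirement {
    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $item = Get-ItemProperty -Path $key -Name LDAPServerIntegrity -ErrorAction SilentlyContinue
    if ($item -and $item.LDAPServerIntegrity -eq 2) { 'Require signing' }
    else { 'None: unsigned, non-SSL binds on 389/3268 are accepted' }
}

# Run from a CLIENT with a throwaway test account. Attempts a simple bind on
# the non-SSL port. With "Require signing" in effect the DC rejects a bind that
# is neither signed nor SSL/TLS-protected (a strong-authentication error) even
# though the port is open; without it the bind succeeds and the password
# crossed the network in the clear. Returns $true if the plain bind was accepted.
function Test-PlainSimpleBind {
    param(
        [string]$Server = 'DC01.DOMAIN.COM',
        [System.Management.Automation.PSCredential]$Credential = (Get-Credential)
    )
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)   # port 389, no SSL
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential.GetNetworkCredential()
    try     { $conn.Bind(); return $true }
    catch   { Write-Warning ("Plain bind refused: " + $_.Exception.Message); return $false }
    finally { $conn.Dispose() }
}

# Usage (on the DC):      Get-LdapSigningRequirement
# Usage (from a client):  Test-PlainSimpleBind -Server DC01.DOMAIN.COM
```

Requiring signing does not close 389 or 3268, so expect `Test-PlainSimpleBind` to reach the port either way; the difference is whether the bind is refused. Clients that need to keep using the non-SSL port must then sign (Negotiate/Kerberos) or switch to 636/3269.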
