365ITSupport
LDAPS access from external service
I would like to configure LDAPS from a 3rd party service that needs access to my AD. The domain's internal name is "internaldom.int" and my external domain is "externaldom.com". I have a wildcard SSL certificate from DigiCert for "*.externaldom.com". I can configure my firewall to forward the LDAPS traffic from the 3rd party service to my domain controller "mydc". My questions are:
1. How do I get "mydc.internaldom.int" to accept an LDAPS connection?
2. Can I use my wildcard certificate to achieve this or do I need to buy one especially for the internal domain?
3. If using my wildcard certificate is not possible does this certificate request need to be created on "mydc"?
ASKER
Hi Brian,
Here's some more info:
1. I created a self-signed certificate and installed into the Computer | Personal Store.
2. I created an external DNS record for the server my-dc1.company.com that resolved to the external IP address for the DC on my firewall.
3. I configured my firewall to forward LDAPS connection from the 3rd party site to the my-dc1 server.
4. I created an internal DNS entry for my-dc1.company.com that resolved to the internal IP address of the server.
Think that was about it. Hope that helps.
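The steps above, carried out as one PowerShell procedure on the DC. This is an added example, not the asker's own script: it creates the self-signed certificate so that its Subject Alternative Name covers both the DC's internal FQDN and the external name the 3rd party connects to (the DC will only select a certificate that names its own FQDN in the CN or SAN, which a "*.externaldom.com" wildcard cannot do for a host in internaldom.int), stores it in the machine Personal store, and asks AD DS to reload its LDAPS certificate without a reboot. The host names are placeholders; it assumes Windows Server 2016 or later for the New-SelfSignedCertificate parameters used.

```powershell
# Added example (not from the original thread). Placeholder names: the DC's
# internal FQDN and the external name the third party connects to.
$InternalFqdn = 'my-dc1.internaldom.int'
$ExternalFqdn = 'my-dc1.externaldom.com'

# 1. Self-signed certificate whose SAN lists BOTH names, with the Server
#    Authentication EKU (1.3.6.1.5.5.7.3.1) that LDAPS requires, 2048-bit RSA,
#    created directly in the machine Personal store (Computer | Personal).
$cert = New-SelfSignedCertificate `
    -DnsName $InternalFqdn, $ExternalFqdn `
    -Subject "CN=$InternalFqdn" `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeyExportPolicy Exportable `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(2)

# 2. Tell AD DS to re-read its LDAPS certificate now (rootDSE modify of
#    renewServerCertificate) instead of waiting for a restart.
$ldif = @"
dn:
changetype: modify
add: renewServerCertificate
renewServerCertificate: 1
-
"@
$ldifPath = Join-Path $env:TEMP 'renew-ldaps-cert.ldf'
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII
ldifde -i -f $ldifPath

# 3. Export the public half so the third party can trust/pin it; a self-signed
#    certificate is only "verified" by a client that has been given this file.
$cerPath = Join-Path $env:TEMP 'my-dc1-ldaps.cer'
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# 4. Show what was issued: both DNS names should appear in DnsNameList.
$cert | Format-List Subject, DnsNameList, Thumbprint, NotAfter, EnhancedKeyUsageList
```

If more than one certificate in the machine Personal store satisfies the LDAPS requirements, which one the DC picks is not guaranteed; placing the intended certificate in the NTDS service's own Personal store (Certificates MMC snap-in, "Service account", Active Directory Domain Services) makes the choice explicit, because that store takes precedence.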
thanks 365itsupport,
So what name did you place on the self signed cert was it the "my-dc1.company.com"?
Just want to confirm, before I go and install all the CA components on my server to create one certificate.
Thanks
Brian
ASKER
It was issued to the internal FQDN of the DC. e.g. my-dc1.internal-domain.int
Sorry to be such a pain 365ITsupport,
Your answer was not what I expected, as such I am glad I asked.
Hopefully the last question;
If you run ldp.exe on the "my-dc1", and enter the my-dc1.company.com, port 636, enable SSL, I assume it fails?
I am therefore confused how this is working.
I thought the point of the SSL Cert was to guarantee the host one was connecting to, and encrypt the data.
If your 3rd party service is connecting to "my-dc1.company.com" but gets a cert back from
"mydc.internaldom.int" would it not fail?
Or do you think the 3rd party service, is ignoring the cert for server verification and using it just for encryption?
Brian
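A way to answer the question raised above without guessing what the 3rd party does: perform the LDAPS handshake yourself as a verifying client would and look at what .NET's validator reports. This is an added example, not code from the thread. Port 636 is TLS-on-connect (no STARTTLS), so an SslStream handshake against it is the same exchange a client performs before its first LDAP bind; the host name is a placeholder.

```powershell
# Added example (not from the original thread). Connects to an LDAPS endpoint,
# completes the TLS handshake, and reports whether the served certificate names
# the host that was connected to and whether its chain is trusted locally.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # placeholder, e.g. my-dc1.externaldom.com
        [int] $Port = 636
    )
    $script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
    $script:served = $null

    # Accept every certificate so the handshake completes, but record what the
    # validator concluded (name mismatch, chain errors) and keep the certificate.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $errors)
        $script:policyErrors = $errors
        $script:served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # The name passed here is what the CN/SAN of the served cert is checked against.
        $ssl.AuthenticateAsClient($HostName)

        $sanExt = $script:served.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '(no SAN extension)' }
        $errs = $script:policyErrors

        [pscustomobject]@{
            ConnectedTo     = "{0}:{1}" -f $HostName, $Port
            Subject         = $script:served.Subject
            SubjectAltNames = $sanText
            Issuer          = $script:served.Issuer
            NotAfter        = $script:served.NotAfter
            TlsProtocol     = $ssl.SslProtocol
            # True means a client that verifies host names would refuse this server.
            NameMismatch    = [bool]($errs -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch)
            # True for a self-signed cert the client has not been told to trust.
            ChainUntrusted  = [bool]($errs -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors)
        }
    }
    finally {
        $tcp.Close()
    }
}

Test-LdapsCertificate -HostName 'my-dc1.externaldom.com'
```

Run this against the external name the 3rd party uses. If NameMismatch is True, the only way the integration can be "working" is that the remote service either does not verify the server name (it is using TLS for encryption only) or has been configured to trust that specific certificate; a client that verifies normally would fail exactly as the poster expects. ldp.exe with port 636 and SSL ticked performs the same handshake and shows the error in its output pane.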
ASKER
Hi Brian. No worries, it was a bit of trial and error to get this to work. I assume the 3rd party in this case, as you say is just looking for the certificate. It may vary depending on the requirements of the 3rd party. I think the following article may also help you:
http://social.technet.microsoft.com/Forums/windowsserver/en-US/815ac67f-f78d-4bc8-9750-0ac0648e4afa/ldaps-certificate-request-for-thirdparty-cert-question
Sorry I can't be more clear, as I say it was a bit of trial and error until it worked.
You asked the question I was going to ask.
I see you indicated the links provided the answer to your question, but I am hoping you can help the rest of us by providing some detail on what you did.
You indicated you had the certificate, but the articles talk about creating new ones - did you do this?
The articles also seem to have the FQDN as the internal server FQDN, not the external FQDN that would be required for the outside server to access the AD DC.
Where did you install the certificate - one article indicates Computer | Personal Store.
Another indicated to place it in - NTDS Service's Personal certificate store.
If you could take a few minutes to outline how you got it to work, it would be appreciated.
Brian