ESS-IRL
asked on
Enabling port 636 for LDAP SSL
I'm trying to configure LDAP authentication with SSL. I've installed a certification authority (on our domain controller and yes I'm aware of the associated security risks) and issued certs and installed certs on the application server. I can get LDAP to work on port 389 but not on port 636 which I need for SSL. When I test the connection with the LDP tool I get this.
ld = ldap_sslinit("domainContro ller", 636, 1);
Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
Error <0x51> = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to domainController.
I think port 636 is not enabled. Does anyone now how to enable this port? I've patched the server for MS08-060 which I think may have disabled port 636.
ld = ldap_sslinit("domainContro
Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
Error <0x51> = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to domainController.
I think port 636 is not enabled. Does anyone now how to enable this port? I've patched the server for MS08-060 which I think may have disabled port 636.
can you run that tool on the server itself?
ASKER
No I can't. I get the same error message when trying to use port 636.
ASKER
If it helps I just tried this from my application server to my domain controller.
C:\>telnet domainController 636
Connecting To domainController...Could not open connection to the host, on port 636:
Connect failed
C:\>
C:\>telnet domainController 636
Connecting To domainController...Could not open connection to the host, on port 636:
Connect failed
C:\>
you can use the tcpview tool to check if your server (run it on the domaincontroller) has that port open.
http://technet.microsoft.c om/en-us/s ysinternal s/bb897437 .aspx
Have you checked this already:
http://support.microsoft.c om/kb/3210 51/
http://technet.microsoft.c
Have you checked this already:
http://support.microsoft.c
ASKER
Thanks for this. I've gone through that microsoft kb alright and still no joy. I'll try that port tool and see what it says.
ASKER
When I run that tcpview tool I see no entry for 636. I'm wondering is that normal though. Would I only see 636 as being active when the service receives a LDAP request?
I ran portqry from the application server and see this:
C:\>portqry -n 10.0.0.1 -e 636
Querying target system called:
10.0.0.1
Attempting to resolve IP address to a name...
IP address resolved to domainController.myDomain. com
TCP port 636 (ldaps service): LISTENING
C:\>
This to me seems to say that the port is available for requests. This would seem to point me back to my configuration of my LDAPS certificates. Does that sounds about right?
I ran portqry from the application server and see this:
C:\>portqry -n 10.0.0.1 -e 636
Querying target system called:
10.0.0.1
Attempting to resolve IP address to a name...
IP address resolved to domainController.myDomain.
TCP port 636 (ldaps service): LISTENING
C:\>
This to me seems to say that the port is available for requests. This would seem to point me back to my configuration of my LDAPS certificates. Does that sounds about right?
tcpview should show you also listening ports. On the server of cause, not on the client
(Screenshot from my workstation, with tomcat running)
like-this.jpg
(Screenshot from my workstation, with tomcat running)
like-this.jpg
ASKER
Thanks. That link looks very useful. I'll work through that and post again after I've been through these checks.
ASKER
I ran this command on my application server:
certutil -v -urlfetch -verify serverssl.cer > output.txt
One thing that stands out in the output file is this.
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487)
-------------------------- ----------
Verifies against UNTRUSTED root
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.
I'm thinking that my CA on the domain controller is not trusted by my application server. Do you kow how I check/rectify this?
As well as this when I run the LDP tool on the domain controller itself I can now successfully create an LDAP SLL connection.
certutil -v -urlfetch -verify serverssl.cer > output.txt
One thing that stands out in the output file is this.
A certificate chain processed, but terminated in a root certificate which is not trusted by the trust provider. 0x800b0109 (-2146762487)
--------------------------
Verifies against UNTRUSTED root
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.
I'm thinking that my CA on the domain controller is not trusted by my application server. Do you kow how I check/rectify this?
As well as this when I run the LDP tool on the domain controller itself I can now successfully create an LDAP SLL connection.
ASKER
This may also point to the same thing.
C:\>certutil -verifykeys
CertUtil: No local Certification Authority; use -config option
CertUtil: No more data is available.
C:\>
C:\>certutil -verifykeys
CertUtil: No local Certification Authority; use -config option
CertUtil: No more data is available.
C:\>
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
Well I just got this working. Yipee!!! I had to manually export the cert for my CA on the domain controller. I copied that onto the application server and imported it into the Trusted Root certification authorities on my applciation server using the certificates snap-in.
ASKER
Thanks for you help with this. I'll accept your solution and award the points.