Need help with LDAP SSL connection to 2003 Domain Controller


I need help installing a certificate on a domain controller for LDAPS communication.  I want client computers using LDAPS outside our network to communicate securely.  The problem I am having is that the self-signed certificate on the DC is not considered a valid certificate for Outlook or Thunderbird and will not communicate properly.  We are trying to install a wildcard certificate with no success.

Can anyone help me?  Is it possible to use a wildcard certificate on a Windows 2003 Domain controller to communicate via LDAPS?

Thanks Galen
naldiian Commented:
With 2003 and 2008, the certificate used for LDAP over SSL must include the FQDN of the DC in the subject field or as a DNS name entry in the alternative names field, so while you cannot use a wildcard certificate, you could use a certificate with multiple alternative names in it that would include all of your DCs.
Alternatively (and more appropriately in my opinion) you could proxy the connection at a firewall or ISA server, or similar, and then the only thing needing to trust the certs on the DCs is the proxy device for the connection anyway. I am not sure why your Outlook clients or other mail applications would need to perform secure LDAP connections to DCs from outside the network anyway, so that is a little curious to me as well.
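Added example (not part of the original thread, and not any poster's code): a pre-deployment check of the naming rule stated in the comment above, run over a certificate in the dict form returned by Python's `ssl.SSLSocket.getpeercert()`. The host names under `corp.example.com` and both sample certificates are constructed for illustration.

```python
# Added example: checks the naming rule from the comment above against a
# certificate in the dict form returned by ssl.SSLSocket.getpeercert().

def cert_names(cert):
    """Return (subject CNs, DNS SAN entries), lower-cased."""
    cns = [value.lower()
           for rdn in cert.get("subject", ())
           for key, value in rdn
           if key == "commonName"]
    sans = [value.lower()
            for kind, value in cert.get("subjectAltName", ())
            if kind == "DNS"]
    return cns, sans


def covers_dc(cert, dc_fqdn):
    """True only if the DC's FQDN appears literally in the subject CN or a DNS SAN.

    Wildcard entries are deliberately not expanded: per the comment above,
    a 2003/2008 DC needs its own FQDN in the certificate.
    """
    fqdn = dc_fqdn.rstrip(".").lower()
    cns, sans = cert_names(cert)
    return fqdn in cns or fqdn in sans


def audit(cert, dc_fqdns):
    """Return (DCs not covered, wildcard entries found in the certificate)."""
    cns, sans = cert_names(cert)
    wildcards = sorted({n for n in cns + sans if n.startswith("*.")})
    missing = [dc for dc in dc_fqdns if not covers_dc(cert, dc)]
    return missing, wildcards


# Constructed sample data (hypothetical names, not from the thread).
WILDCARD_CERT = {
    "subject": ((("commonName", "*.corp.example.com"),),),
    "subjectAltName": (("DNS", "*.corp.example.com"),),
}
MULTI_SAN_CERT = {
    "subject": ((("commonName", "dc1.corp.example.com"),),),
    "subjectAltName": (("DNS", "dc1.corp.example.com"),
                       ("DNS", "dc2.corp.example.com")),
}
DCS = ["dc1.corp.example.com", "DC2.corp.example.com", "dc3.corp.example.com"]

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("multi-SAN", MULTI_SAN_CERT)):
        print(label, audit(cert, DCS))
```

Any DC listed as not covered would need its FQDN added to the certificate request before that certificate is installed on it.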
gwklein (Author) Commented:
Thanks for the input, Naldiian,

We have considered a proxy LDAPS server.  We need LDAPS for outside Outlook and Thunderbird clients because we are using IceWarp mail server to query users in our organization.  I think IceWarp has LDAP proxy capabilities and it may be better to configure clients to query this instead.  Outlook and the newer version of Thunderbird will not allow you to accept an invalid certificate, so we would like to install a valid internet certificate.

gwklein (Author) Commented:

After further investigation we discovered that IceWarp will pass on LDAPS queries to an internal DC.  We can install a cert on the mail server and use that as a proxy.  Thank you for your help.

Sounds good - I haven't seen IceWarp, so I am curious now what it does. I will have to take a look at it.
