Need help with LDAP SSL connection to 2003 Domain Controller

Hello,

I need help installing a certificate on a domain controller for LDAPS communication.  I want client computers using LDAPS outside our network to communicate securely.  The problem I am having is that the self-signed certificate on the DC is not considered a valid certificate for Outlook or Thunderbird and will not communicate properly.  We are trying to install a wildcard certificate with no success.

Can anyone help me?  Is it possible to use a wildcard certificate on a Windows 2003 Domain controller to communicate via LDAPS?

Thanks Galen
gwkleinAsked:

naldiianCommented:
With 2003 and 2008, the certificate used for LDAP over SSL must include the FQDN of the DC in the subject field or as a DNS name entry in the alternative names field, so while you cannot use a wildcard certificate, you could use a certificate with multiple alternative names in it that would include all of your DCs.
Alternatively (and more appropriately in my opinion) you could proxy the connection at a firewall or ISA server, or similar, and then the only thing needing to trust the certs on the DCs is the proxy device for the connection anyway. I am not sure why your Outlook clients or other mail applications would need to perform secure LDAP connections to DCs from outside the network anyway, so that is a little curious to me as well.
0
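As an added illustration of the naming rule naldiian describes (this is not code from the thread; the DC names, certificate contents and the case-insensitive comparison are constructed assumptions), the check below contrasts the DC-side rule (the DC's own FQDN must appear verbatim as the subject CN or a SAN dNSName, a wildcard never counts) with the ordinary hostname match a mail client performs, which is why a wildcard certificate can look fine to Outlook yet still not be usable on the DC:

```python
"""Compare the LDAPS certificate naming rule for a DC with a client-side hostname match."""
from dataclasses import dataclass, field


@dataclass
class CertNames:
    """Subject CN and SAN dNSName entries of a certificate (constructed, not parsed)."""
    common_name: str
    san_dns: list = field(default_factory=list)


def names(cert):
    """All DNS-type names the certificate carries: CN first, then SAN entries."""
    return [cert.common_name] + list(cert.san_dns)


def dc_accepts(cert, dc_fqdn):
    """DC-side rule from the thread: exact FQDN in CN or SAN; wildcards never match.
    Case-insensitive comparison and trailing-dot tolerance are assumptions here."""
    want = dc_fqdn.lower().rstrip(".")
    return any(n.lower().rstrip(".") == want
               for n in names(cert) if not n.startswith("*"))


def client_accepts(cert, host):
    """Ordinary TLS client check (RFC 6125 style): exact match, or one leftmost
    wildcard label standing in for exactly one label of the host name."""
    host = host.lower().rstrip(".")
    for n in names(cert):
        n = n.lower().rstrip(".")
        if n == host:
            return True
        if (n.startswith("*.") and host.count(".") == n.count(".")
                and host.split(".", 1)[1] == n[2:]):
            return True
    return False


def evaluate(cert, dc_fqdns):
    """Return {fqdn: (usable by the DC, accepted by a client)} for each DC."""
    return {dc: (dc_accepts(cert, dc), client_accepts(cert, dc)) for dc in dc_fqdns}


# Constructed sample data: two DCs, a wildcard cert and a multi-SAN cert.
DCS = ["dc1.example.com", "dc2.example.com"]
WILDCARD = CertNames("*.example.com")
MULTI_SAN = CertNames("dc1.example.com", ["dc1.example.com", "dc2.example.com"])

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD), ("multi-SAN", MULTI_SAN)):
        for dc, (by_dc, by_client) in evaluate(cert, DCS).items():
            print(f"{label:9} {dc}: DC can use it={by_dc}, client name match={by_client}")
```

The wildcard certificate passes the client check for both DCs but fails the DC-side rule for both, while the multi-SAN certificate passes both checks on every DC it lists.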

gwkleinAuthor Commented:
Thanks for input Naldiian,

We have considered a proxy LDAPS server.  We need LDAPS for outside Outlook and Thunderbird clients because we are using Icewarp mail server to query users in our organization.  I think Icewarp has LDAP proxy capabilities and it may be better to configure clients to query this instead.  Outlook and the newer version of Thunderbird will not allow you to accept an invalid certificate, so we would like to install a valid internet certificate.

Galen
0
gwkleinAuthor Commented:
Naldiian,

After further investigation we discovered that IceWarp will pass on LDAPS queries to an internal DC.  We can install a cert on the mail server and use that as a proxy.  Thank you for your help.

Galen
0
naldiianCommented:
Sounds good - I haven't seen IceWarp, so I am curious now what it does. I will have to take a look at it.
0