Solved

LDAP over SSL and Windows 2008

Posted on 2010-11-18
6
1,462 Views
Last Modified: 2012-08-13
Hi Chaps,

I'm trying to set up LDAP over SSL on a Windows 2008 AD server so that we can secure use LDAP to authenticate with our web servers.

However all the instructions that I have found refer to using your own CA on another server. I want to use a 3rd party SSL cert.

Does anyone know where I can get instructions? Specifically I need to know how to create the SSL request and then import the certificate. The Certificate Enrollment wizard just reports "Certificate types are not available" so I'm guessing that I shouldn't be using that.

Olly
0
Comment
Question by:stonneway
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
6 Comments
 
LVL 21

Expert Comment

by:snusgubben
ID: 34165286
You use certreq to make the request:

http://technet.microsoft.com/en-us/library/cc725793(WS.10).aspx

How to use a 3.party certificate:

http://support.microsoft.com/kb/321051
0
 
LVL 1

Author Comment

by:stonneway
ID: 34165301
Thanks. I've just been told that LDAPs wont work externally as the SSL cert *HAS* to be in the name of the local FQDN (that is server.mydomain.local). What we then need is something like MS TMG to do SSL redirection and sit on the edge of our internal network.

Can anyone confirm this?
Olly
0
 
LVL 21

Expert Comment

by:snusgubben
ID: 34165385
You have to use the DC's FQDN, so LDAPS traffic will only work inside your domain.

A TMG or ISA server that is a domain member in a DMZ (just infront of the web servers) would probably make life easier.
0
Office 365 Training for Admins - 7 Day Trial

Learn how to provision tenants, synchronize on-premise Active Directory, implement Single Sign-On, customize Office deployment, and protect your organization with eDiscovery and DLP policies.  Only from Platform Scholar.

 
LVL 33

Accepted Solution

by:
Dave Howe earned 500 total points
ID: 34165709
You can either use a SAN certificate to support the extra names, or more commonly, use a TMG/ISA to "front" the connection with a certificate, then just do plain non-encrypted LDAP to the Win2008 server.
0
 
LVL 31

Expert Comment

by:Paranormastic
ID: 34201044
Technically the name should match - for anything else that uses certs that is the case.  However, for LDAPS I have seen very few clients that actually pay attention to the name - usually they just need to trust the root cert that issued the server cert, about 50/50 for CRL checking.  You can get a commercial cert (can probably use a free trusted cert from startcom.org, else try godaddy) for your commercial .com, etc., namespace for a dummy servername (e.g. ldaps.yourdomain.com) and that should do the trick.
0
 
LVL 33

Expert Comment

by:Dave Howe
ID: 34205289
few mail servers seem to care either (I note with approval recent versions of exchange DO care, but only if told to)

I guess it depends on the target usage - if the contacting server doesn't care, save yourself the cash and trouble and just generate your own self-signed SAN cert using http://sourceforge.net/projects/xca

if it DOES care, either use a SAN certificate or front using TMG/ISA
0

Featured Post

MS Dynamics Made Instantly Simpler

Make Your Microsoft Dynamics Investment Count  & Drastically Decrease Training Time by Providing Intuitive Step-By-Step WalkThru Tutorials.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

After seeing many questions for JRNL_WRAP_ERROR for replication failure, I thought it would be useful to write this article.
This process allows computer passwords to be managed and secured without using LAPS. This is an improvement on an existing process, enhanced to store password encrypted, instead of clear-text files within SQL
This tutorial will walk an individual through the process of transferring the five major, necessary Active Directory Roles, commonly referred to as the FSMO roles from a Windows Server 2008 domain controller to a Windows Server 2012 domain controlle…
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
Suggested Courses

635 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question