• Status: Solved

LDAPS via internet certificate: include internal or external FQDN?

Hi,

I want to connect a mail filter service (Mimecast) to our Active Directory with LDAPS via the internet. I know I have to request a certificate. According to the MS KB article http://support.microsoft.com/kb/321051 I should include the FQDN of the domain controller. I guess this is the internal FQDN (dc01.myad.local). But Mimecast will connect via the internet. So I'll make an external DNS entry, myldap.company.com, bound to a public IP address linked to this domain controller (dc01.myad.local). Should I include the public DNS name in the certificate as well, or just the public name, or just the internal name?

Thanks in advance!
Asked by MazarsAvR
1 Solution
 
FemSteenkamp commented:
You should have the public name as the DNS name.

The internal name should be a subject alternative name (SAN). Make sure you add BOTH the FQDN and the NetBIOS name as SANs, e.g.:
dc01
dc01.myad.local

ALSO make sure that you create the request for the external certificate on the DC where it will be installed, as the DC will need the private key in order to use it for LDAPS. Use the command line utility to import the final cert (as per the article you have) and not the GUI MMC snap-in. After the cert import, when you use the Certificates snap-in to look at the cert, it should show at the bottom that the certificate includes the private key.

You must also remember to remove the existing self-signed or self-enrolled certificates so that only the external certificate is on the server.

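The procedure in the answer above (CSR generated on the DC itself, SAN with the public name, internal FQDN and NetBIOS name, command-line import, private-key check, removal of leftover self-signed certificates), as an added PowerShell example for the domain controller. It is not code from the thread, from Microsoft's KB article or from Mimecast. The hostnames are the placeholders from the question, the working directory C:\Temp and the file names ldaps.inf / ldaps.csr / ldaps.cer are assumptions, and submitting the CSR to the external CA is a manual step between parts 1 and 2. The last part adds the check a practitioner wants after the install: it fetches the certificate Schannel actually serves on port 636 and reports which of the three names are present in its SAN, since a client that validates the server certificate will only accept a connection made to a name that is listed there.

```powershell
# Added example (not from the thread): run in an elevated PowerShell on the DC itself.
# Hostnames are the placeholders from the question; replace with your own values.
$InternalFqdn = 'dc01.myad.local'
$NetbiosName  = 'dc01'
$PublicName   = 'myldap.company.com'
$WorkDir      = 'C:\Temp'   # assumed working directory

# 1. Request file for certreq. The key pair is generated on this DC (MachineKeySet) and is
#    non-exportable; a CSR made elsewhere would leave the DC without the private key.
$requestInf = @"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$InternalFqdn"
KeyLength = 2048
KeySpec = 1
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[EnhancedKeyUsageExtension]
; 1.3.6.1.5.5.7.3.1 = Server Authentication, required for LDAPS
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; 2.5.29.17 = Subject Alternative Name: internal FQDN, NetBIOS name, public name
2.5.29.17 = "{text}"
_continue_ = "dns=$InternalFqdn&"
_continue_ = "dns=$NetbiosName&"
_continue_ = "dns=$PublicName&"
"@
Set-Content -Path "$WorkDir\ldaps.inf" -Value $requestInf -Encoding Ascii
certreq.exe -new "$WorkDir\ldaps.inf" "$WorkDir\ldaps.csr"
# Submit ldaps.csr to the external CA and save the issued certificate as $WorkDir\ldaps.cer.

# 2. Bind the issued certificate to the pending private key from the command line
#    (the MMC import would not reunite it with the key).
certreq.exe -accept "$WorkDir\ldaps.cer"

# 3. Verify: the certificate must be in LocalMachine\My with its private key and carry
#    the Server Authentication EKU, otherwise Schannel will not pick it for port 636.
function Get-LdapsCandidateCertificate {
    param([string]$Subject)
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$Subject" -and $_.HasPrivateKey -and
                       ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') }
}
$ldapsCert = Get-LdapsCandidateCertificate -Subject $InternalFqdn
if (-not $ldapsCert) { throw "No usable LDAPS certificate for CN=$InternalFqdn in LocalMachine\My" }
$ldapsCert | Format-List Subject, Issuer, NotAfter, HasPrivateKey,
    @{ n = 'SAN'; e = { $_.DnsNameList.Unicode -join ', ' } }

# 4. Self-signed or auto-enrolled certificates left in the same store compete with the
#    new one; list them for review, then remove the ones no longer needed.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -ne $ldapsCert.Thumbprint -and $_.Subject -eq $_.Issuer } |
    Format-Table Subject, NotAfter, Thumbprint
# Remove-Item -Path "Cert:\LocalMachine\My\<thumbprint of the old certificate>"

# 5. Client-side check: fetch the certificate actually served on 636 and confirm that
#    each name a client might connect with appears in its SAN.
function Get-ServedLdapsCertificate {
    param([string]$ComputerName, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    # The callback accepts any chain because this function only inspects; it trusts nothing.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        ({ $true } -as [System.Net.Security.RemoteCertificateValidationCallback]))
    $ssl.AuthenticateAsClient($ComputerName)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Dispose()
    return $served
}
$served = Get-ServedLdapsCertificate -ComputerName $InternalFqdn
foreach ($name in $InternalFqdn, $NetbiosName, $PublicName) {
    $present = $served.DnsNameList.Unicode -contains $name
    '{0,-25} {1}' -f $name, $(if ($present) { 'in SAN' } else { 'MISSING from SAN' })
}
```

Run parts 1 to 4 on the domain controller in order; part 5 can also be run from any Windows host that can reach port 636, with the name it is given replaced by the one the external client will use. A name reported as MISSING from SAN means a validating client connecting under that name will refuse the certificate, so either add the name to the SAN before requesting the certificate or make sure the client is configured for a name that is listed.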
 
MazarsAvR (author) commented:
I found the solution myself. The public DNS name was not required. Mimecast connects via IP address. Just the internal name of the domain controller should be in the CN of the certificate.
 
MazarsAvR (author) commented:
Found the answer myself by testing.