Solved

Cisco ASA 5505 & Windows Server 2012 - LDAP over SSL

Posted on 2013-01-15
20
Medium Priority
4,638 Views
Last Modified: 2013-12-24
So our Technology team performed an upgrade to our Domain Controllers yesterday.  We're now running Windows Server 2012 instead of Windows Server 2008.  This upgrade, while everything else appeared normal, broke our Cisco ASA VPN connections with AnyConnect.  After troubleshooting this morning with Cisco, they fixed it by unchecking "Enable LDAP over SSL" in our AAA Server settings on the ASDM.

So, my main question is this: what has changed with LDAP and Server 2012 -- why won't our ASA communicate with Server 2012 when LDAP over SSL is enabled?

Thanks!
0
Comment
Question by:workforceinsight
20 Comments
 
LVL 6

Expert Comment

by:traoher
ID: 38780706
SSL LDAP is on port 636; you will have to check and make sure the local fw on the 2012 server accepts requests coming to that port.

Also, if you had SSL LDAP port rule, you must change it to match the new 2012 server ip.

non-SSL LDAP is still on 389.
0
 

Author Comment

by:workforceinsight
ID: 38780720
Thanks, Traoher,

In our setup, Windows Firewall (and other firewall software, i.e. Endpoint Protection) was disabled and/or not yet installed.  Was SSL LDAP on 636 with Server 2008?
0
 
LVL 6

Expert Comment

by:traoher
ID: 38780775
Yes, SSL LDAP was on 636 in 2008.

Did the 2012 assume the same IP as the 2008 did?
0
 

Author Comment

by:workforceinsight
ID: 38780791
Yep, same IP as the old domain controller.  Hmm -- I'll try it again and report back to you.
0
 

Author Comment

by:workforceinsight
ID: 38784951
Hi -- just tried it...

I put a tick in the box on the ASDM tool to "Enable LDAP over SSL" -- and it automatically changed the port in the box below to 636... but then the same "Login error."  Cisco was stumped on this one too. :-(
0
 
LVL 6

Expert Comment

by:traoher
ID: 38785082
From a computer on the network, can you telnet to the 2012 DC on port 636? If so, then the port is open and the only thing left is a protocol mismatch.

You can also use Wireshark to capture the data and see if you get anything meaningful; if things aren't buried inside the SSL protocol, you would be able to see the error right in the capture.
0
 

Author Comment

by:workforceinsight
ID: 38794978
Thanks, Traoher,

I'll try this during my next scheduled maintenance next week and will report back to you -- thanks for your help so far!
0
 

Author Comment

by:workforceinsight
ID: 38878055
Hi, Traoher --

I apologize for the radio silence; I've been inundated with projects and am now revisiting this thread so we can close the issue and award points.

I tried telnetting to the 2012 DC on port 636, but receive this message:

Microsoft Telnet> open domaincontroller.internalnetwork.com [636]
Connecting To domaincontroller.internalnetwork.com...Could not open connection to the host,
 on port [636]: Connect failed

I tried putting Wireshark on this, but can't seem to get anything useful out of it. Any ideas?
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 38905464
Hi,

Does the server still have the certificates needed to generate the SSL connection?

Has Group Policy changed which has modified the TLS version supported in Windows?

Regards,


RobMobility.
0
 
LVL 39

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 280 total points
ID: 38905526
I just did this a few weeks ago and the solution was to put the right type of cert in the personal cert store on the AD controller (I had to add the ADCS role as it's the same box for me).

This helped me get the cert and cert template right:
http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

I know it's for 08 but it worked for me for 12
0
 
LVL 37

Accepted Solution

by:
ArneLovius earned 120 total points
ID: 38906258
I would guess that when they "upgraded" to 2012, they didn't enable LDAPS with a relevant certificate. You can check with netstat on the Domain Controller to see if it is listening on port 636.
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38906260
You can also try connecting to the DC using an LDAP browser that supports LDAPS, I quite like the Softerra LDAP browser.
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 38906287
Hi,

You should be able to use LDP.exe (which I believe is installed by default) to confirm that LDAPS is listening properly on TCP 636.

You might also want to enable firewall logging to see if the incoming packets are being dropped or allowed?

Regards,


RobMobility.
0
 

Author Comment

by:workforceinsight
ID: 38906611
Thanks for all of the help!  I'm working through the suggested comments posted.

Several points:

1. netstat is showing LDAP is listening on port 636;
2. Windows Firewall is (and has been) turned off;
3. RobMobility asked, "Does the server still have the certificates needed to generate the SSL connection?" -- with our prior 2008 setup, no certificate was needed. Looks like it may be needed with 2012.

Stay tuned.
0
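The three checks the experts asked for above (is anything listening on TCP 636, is there a usable LDAPS certificate in the DC's Personal store, and does a TLS handshake on 636 actually succeed) can be run from one PowerShell script on the 2012 DC. This is an added example, not code from the thread; it assumes the DC's FQDN in `$DcFqdn` and the Server 2012 `Get-NetTCPConnection` cmdlet and certificate-provider properties.

```powershell
# Added example: LDAPS readiness checks for a Windows Server 2012 DC.
# $DcFqdn is an assumed placeholder; use the name the ASA is configured to resolve.
param([string]$DcFqdn = 'domaincontroller.internalnetwork.com')

# 1. Listener check (PowerShell equivalent of "netstat -an | findstr :636").
$listener = Get-NetTCPConnection -LocalPort 636 -State Listen -ErrorAction SilentlyContinue
if ($listener) { "TCP 636 is listening on: $($listener.LocalAddress -join ', ')" }
else           { "Nothing is listening on TCP 636: LDAPS is not enabled on this host" }

# 2. Certificate check. Schannel needs a cert in LocalMachine\My that has a private key,
#    the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1), the DC's FQDN in the
#    subject or SAN, and is not expired. Without one, nothing binds to 636.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
    ($_.Subject -like "*CN=$DcFqdn*" -or $_.DnsNameList.Unicode -contains $DcFqdn) -and
    $_.NotAfter -gt (Get-Date)
}
if ($candidates) {
    $candidates | ForEach-Object {
        "Usable LDAPS cert: $($_.Subject) issued by $($_.Issuer), expires $($_.NotAfter)"
    }
} else {
    "No certificate in LocalMachine\My qualifies for LDAPS on $DcFqdn"
}

# 3. Handshake check from the client side, the way the ASA sees it. Every server cert is
#    accepted here so we can report what was presented; trust is evaluated separately.
$tcp = New-Object Net.Sockets.TcpClient
try {
    $tcp.Connect($DcFqdn, 636)
    $acceptAll = [Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($DcFqdn)
    $presented = New-Object Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
    "Handshake OK ($($ssl.SslProtocol)): server presented $($presented.Subject)"
    "Issuer: $($presented.Issuer)  (the ASA must trust this issuer's root)"
    # Build the chain against this machine's trust store to show whether the issuer is trusted.
    $chain = New-Object Security.Cryptography.X509Certificates.X509Chain
    $trusted = $chain.Build($presented)
    "Chain builds against the local trust store: $trusted"
    if (-not $trusted) { $chain.ChainStatus | ForEach-Object { "  chain status: $($_.Status)" } }
} catch {
    "Handshake on 636 failed: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}
```

If step 1 passes but step 3 fails, the problem is the certificate or the TLS version, not the firewall; if step 3 succeeds but the chain does not build, the ASA needs the issuing root installed as a trustpoint.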
 
LVL 25

Assisted Solution

by:RobMobility
RobMobility earned 1600 total points
ID: 38906630
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 38906636
Hi,

Unless you're using Dynamic Access Policies or something else that is reading LDAP attributes, you could use Kerberos instead?

Regards,


RobMobility.
0
 

Author Closing Comment

by:workforceinsight
ID: 38906835
Followed this article: http://gregtechnobabble.blogspot.co.uk/2012/11/enabling-ldap-ssl-in-windows-2012-part-1.html

Since LDAP over SSL/TLS (LDAPS) is automatically enabled when you install an Enterprise Root CA on a domain controller, I was good to go once I followed the instructions on that URL, above, and rebooted.

Thanks, Experts!!
0
 
LVL 37

Expert Comment

by:ArneLovius
ID: 38906887
The ASA should have (and trust) the root certificate that is used on the LDAP connection.

Now I'm in front of a computer instead of just on my iPhone...

If the ASA was configured with just the certificate used on the LDAP server, then this certificate may have changed.

I would open a SSH session to the ASA,

enable
term mon
! forwards the console to your SSH session
debug ldap 255
! the highest level of LDAP debug

now try to connect and see if the error is obvious

If it isn't obvious, copy the output to a text file, do the usual checks for information that you might not want published on here, and attach the text file.

when you have completed the test, do

no debug ldap
0
