Solved

Cisco ASA 5505 & Windows Server 2012 - LDAP over SSL

Posted on 2013-01-15
4,290 Views
Last Modified: 2013-12-24
So our Technology team performed an upgrade to our Domain Controllers yesterday.  We're now running Windows Server 2012 instead of Windows Server 2008.  This upgrade, while everything else appeared normal, broke our Cisco ASA VPN connections with AnyConnect.  After troubleshooting this morning with Cisco, they fixed it by unchecking "Enable LDAP over SSL" in our AAA Server settings on the ASDM.

So, my main question is this: what has changed with LDAP and Server 2012 -- why won't our ASA communicate with Server 2012 when LDAP over SSL is enabled?

Thanks!
Question by:workforceinsight
20 Comments
 
LVL 6

Expert Comment

by:traoher
ID: 38780706
SSL LDAP is on port 636; you will have to check and make sure the local FW on the 2012 server accepts requests coming to that port.

Also, if you had an SSL LDAP port rule, you must change it to match the new 2012 server IP.

Non-SSL LDAP is still on 389.
0
 

Author Comment

by:workforceinsight
ID: 38780720
Thanks, Traoher,

In our setup, Windows Firewall (and other firewall software, i.e. Endpoint Protection) was disabled and/or not yet installed.  Was SSL LDAP on 636 with Server 2008?
0
 
LVL 6

Expert Comment

by:traoher
ID: 38780775
Yes, SSL LDAP was on 636 in 2008.

Did the 2012 assume the same IP as the 2008 did?
0
 

Author Comment

by:workforceinsight
ID: 38780791
Yep, same IP as the old domain controller.  Hmm -- I'll try it again and report back to you.
0
 

Author Comment

by:workforceinsight
ID: 38784951
Hi -- just tried it...

I put a tick in the box on the ASDM tool to "Enable LDAP over SSL" -- and it automatically changed the port in the box below to 636... but then the same "Login error."  Cisco was stumped on this one too. :-(
0
 
LVL 6

Expert Comment

by:traoher
ID: 38785082
From a computer on the network, can you telnet to the 2012 DC on port 636? If so, then the port is open and the only thing left is a protocol mismatch.

You can also use Wireshark to capture the data and see if you get anything meaningful; if things aren't buried inside the SSL protocol, you would be able to see the error right in the capture.
0
 

Author Comment

by:workforceinsight
ID: 38794978
Thanks, Traoher,

I'll try this during my next scheduled maintenance next week and will report back to you -- thanks for your help so far!
0
 

Author Comment

by:workforceinsight
ID: 38878055
Hi, Traoher --

I apologize for the radio silence; I've been inundated with projects and am now revisiting this thread so we can close the issue and award points.

I tried telnetting to the 2012 DC on port 636, but receive this message:

Microsoft Telnet> open domaincontroller.internalnetwork.com [636]
Connecting To domaincontroller.internalnetwork.com...Could not open connection to the host,
 on port [636]: Connect failed

I tried putting Wireshark on this, but can't seem to get anything useful out of it. Any ideas?
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 38905464
Hi,

Does the server still have the certificates needed to generate the SSL connection?

Has Group Policy changed which has modified the TLS version supported in Windows?

Regards,


RobMobility.
0
 
LVL 38

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 70 total points
ID: 38905526
I just did this a few weeks ago and the solution was to put the right type of cert in the personal cert store on the AD controller (I had to add the ADCS role as it's the same box for me).

This helped me get the cert and cert template right:
http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

I know it's for 08 but it worked for me for 12
0
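The certificate requirements behind the comment above can be checked directly on the domain controller. The script below is an added example, not code from the thread or the linked TechNet article; it walks the DC's Personal (LocalMachine\My) store and reports, for each certificate, the four properties Schannel needs before it will use the certificate for LDAPS: a private key, the Server Authentication EKU, the DC's FQDN in the subject CN or a SAN DNS name, and a chain that builds to a trusted root. The FQDN is taken from DNS for the local machine; the EKU OID is the standard serverAuth OID.

```powershell
# Added example (not from the original thread): report which certificates in the
# DC's Personal store satisfy the LDAPS requirements. Run on the DC in an
# elevated PowerShell session.

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
Write-Host "Checking LDAPS-eligible certificates for $fqdn"

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # 1. Private key must be present (the store can hold public-only certs).
    $hasKey = $cert.HasPrivateKey

    # 2. Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) must be asserted.
    $hasEku = ($cert.EnhancedKeyUsageList |
               Where-Object { $_.ObjectId -eq '1.3.6.1.5.5.7.3.1' }) -ne $null

    # 3. The DC's FQDN must appear in a SAN dNSName or in the subject CN.
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
    $nameOk = $names -contains $fqdn

    # 4. The chain must build to a CA in the local Root/Intermediate stores.
    $chainOk = $cert.Verify()

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        PrivateKey    = $hasKey
        ServerAuthEKU = $hasEku
        NameMatchesDC = $nameOk
        ChainValid    = $chainOk
        LDAPSEligible = ($hasKey -and $hasEku -and $nameOk -and $chainOk)
    }
} | Format-Table -AutoSize
```

If the table shows no row with LDAPSEligible = True, the DC has nothing to serve on 636 even though the port may be open, which matches the "Login error" symptom in this thread. If it shows more than one eligible certificate, Schannel's choice between them is not something you control from the Personal store; on Server 2008 and later you can place the intended certificate in the NTDS\Personal store instead so that LDAPS uses exactly that one.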
 
LVL 36

Accepted Solution

by:ArneLovius
ArneLovius earned 30 total points
ID: 38906258
I would guess that when they "upgraded" to 2012, they didn't enable LDAPS with a relevant certificate. You can check with netstat on the Domain Controller to see if it is listening on port 636.
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38906260
You can also try connecting to the DC using an LDAP browser that supports LDAPS, I quite like the Softerra LDAP browser.
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 38906287
Hi,

You should be able to use LDP.exe (which I believe is installed by default) to confirm that LDAPS is listening properly on TCP 636.

You might also want to enable firewall logging to see if the incoming packets are being dropped or allowed?

Regards,


RobMobility.
0
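The netstat, LDP.exe and firewall-logging suggestions above can be combined into one probe. The script below is an added example, not code from the thread; it confirms the 636 listener on the DC, then from a client does the TCP connect that the thread's telnet test performed and, if that succeeds, a TLS handshake that shows which certificate the DC actually served and whether this client trusts it. It assumes Windows 8 / Server 2012 or later for the Test-NetConnection and Get-NetTCPConnection cmdlets; the hostname is the one from the telnet test in this thread and should be replaced with your own.

```powershell
# Added example (not from the original thread): probe LDAPS on a DC from the
# DC itself (step 1) and from a domain-joined client (steps 2 and 3).

$dc = 'domaincontroller.internalnetwork.com'   # hostname from the thread; replace

# 1. On the DC: is anything listening on TCP 636? (equivalent of netstat -an | findstr :636)
Get-NetTCPConnection -LocalPort 636 -State Listen -ErrorAction SilentlyContinue |
    Select-Object LocalAddress, LocalPort, OwningProcess

# Optional: log dropped packets on the Domain profile so a silent drop shows up in
# %SystemRoot%\System32\LogFiles\Firewall\pfirewall.log
# Set-NetFirewallProfile -Profile Domain -LogBlocked True

# 2. From a client: plain TCP reachability, which is what the telnet test checked.
$tcp = Test-NetConnection -ComputerName $dc -Port 636
"TCP 636 reachable: $($tcp.TcpTestSucceeded)"

# 3. From a client: TLS handshake. The validation callback accepts any certificate
#    so that an untrusted issuer does not abort the handshake before we can look at
#    what was served; trust is then evaluated separately with X509Chain.
if ($tcp.TcpTestSucceeded) {
    $client   = New-Object System.Net.Sockets.TcpClient($dc, 636)
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl      = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($dc)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        "Protocol : $($ssl.SslProtocol)"
        "Subject  : $($served.Subject)"
        "Issuer   : $($served.Issuer)"
        "Expires  : $($served.NotAfter)"

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($served)
        "Chain trusted by this client: $trusted"
        if (-not $trusted) {
            $chain.ChainStatus | ForEach-Object { "  $($_.Status): $($_.StatusInformation.Trim())" }
        }
    } catch {
        "TLS handshake failed: $($_.Exception.Message)"
    } finally {
        $ssl.Dispose(); $client.Dispose()
    }
}
```

Each step isolates a different failure: no listener in step 1 means the DC has no usable certificate (LDAPS is only bound when one exists); a failed step 2 with a listener present points at a firewall or routing problem; a failed handshake in step 3 is a protocol or cipher mismatch; and a successful handshake with an untrusted chain is the case the ASA hits when it does not hold the issuing CA's root certificate.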
 

Author Comment

by:workforceinsight
ID: 38906611
Thanks for all of the help!  I'm working through the suggested comments posted.  

Several points:

1. netstat is showing LDAP is listening on port 636;
2. Windows Firewall is (and has been turned off);
3. RobMobility asked, "Does the server still have the certificates needed to generate the SSL connection?" -- with our prior 2008 setup, no certificate was needed. Looks like it may be needed with 2012.

Stay tuned.
0
 
LVL 25

Assisted Solution

by:RobMobility
RobMobility earned 400 total points
ID: 38906630
0
 
LVL 25

Expert Comment

by:RobMobility
ID: 38906636
Hi,

Unless you're using Dynamic Access Policies or something else that is reading LDAP attributes, you could use Kerberos instead?

Regards,


RobMobility.
0
 

Author Closing Comment

by:workforceinsight
ID: 38906835
Followed this article: http://gregtechnobabble.blogspot.co.uk/2012/11/enabling-ldap-ssl-in-windows-2012-part-1.html

Since LDAP over SSL/TLS (LDAPS) is automatically enabled when you install an Enterprise Root CA on a domain controller, I was good to go once I followed the instructions on that URL, above, and rebooted.

Thanks, Experts!!
0
 
LVL 36

Expert Comment

by:ArneLovius
ID: 38906887
The ASA should have (and trust) the root certificate that is used on the LDAP connection.

Now I'm in front of a computer instead of just on my iPhone...

If the ASA was configured with just the certificate used on the LDAP server, then this certificate may have changed.

I would open an SSH session to the ASA,

enable
term mon
! forwards the console to your SSH session
debug ldap 255
! the highest level of LDAP debug

now try to connect and see if the error is obvious.

If it isn't obvious, copy the output to a text file, do the usual checks for information that you might not want published on here, and attach the text file.

When you have completed the test, do

no debug ldap
0
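The point above is that the ASA must trust the issuer of the DC's LDAPS certificate, and after a new CA is stood up on a 2012 DC that issuer is new. The script below is an added example, not code from the thread; run on the DC, it locates the server-authentication certificate that LDAPS will use, walks its chain to the root CA, and writes that root out as base64 PEM, which is the form the ASA accepts when the certificate is pasted into a trustpoint. The output file name is an assumption.

```powershell
# Added example (not from the original thread): export the root CA that issued
# the DC's LDAPS certificate as PEM for import into an ASA trustpoint.

# Find the certificate LDAPS would serve: private key plus Server Authentication EKU.
$ldaps = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
} | Select-Object -First 1
if (-not $ldaps) { throw 'No server-authentication certificate with a private key in LocalMachine\My' }

# Build the chain and take its last element, the root CA.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
[void]$chain.Build($ldaps)
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"LDAPS cert : $($ldaps.Subject)"
"Root CA    : $($root.Subject)  (thumbprint $($root.Thumbprint))"

# DER -> base64 with 64-character lines -> PEM
$der  = $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
$b64  = [Convert]::ToBase64String($der)
$body = ([regex]::Matches($b64, '.{1,64}') | ForEach-Object { $_.Value }) -join "`r`n"
$pem  = "-----BEGIN CERTIFICATE-----`r`n$body`r`n-----END CERTIFICATE-----"

$pem | Set-Content -Path .\dc-root-ca.pem -Encoding ascii   # assumed output path
$pem
```

On the ASA, create a trustpoint with terminal enrollment (`crypto ca trustpoint <name>`, `enrollment terminal`), run `crypto ca authenticate <name>`, paste the PEM, and finish with `quit`; the `aaa-server` host entry then needs `ldap-over-ssl enable` with `server-port 636`. `test aaa-server authentication <group> host <dc> username <user>` exercises the bind without touching AnyConnect, and the `debug ldap 255` output from the comment above will show whether the certificate is now accepted. Compare the thumbprint printed by the script with the one the ASA shows for the trustpoint so you know the same root was imported.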
