Solved

Cisco ASA 5505 & Windows Server 2012 - LDAP over SSL

Posted on 2013-01-15
20
4,236 Views
Last Modified: 2013-12-24
So our Technology team performed an upgrade to our Domain Controllers yesterday.  We're now running Windows Server 2012 instead of Windows Server 2008.  This upgrade, while everything else appeared normal, broke our Cisco ASA VPN connections with AnyConnect.  After troubleshooting this morning with Cisco, they fixed it by unchecking "Enable LDAP over SSL" in our AAA Server settings on the ASDM.

So, my main question is this: what has changed with LDAP and Server 2012 -- why won't our ASA communicate with Server 2012 when LDAP over SSL is enabled?

Thanks!
Question by:workforceinsight
20 Comments
 
LVL 6

Expert Comment

by:traoher
SSL LDAP is on port 636; you will have to check and make sure the local firewall on the 2012 server accepts requests coming to that port.

Also, if you had an SSL LDAP port rule, you must change it to match the new 2012 server IP.

Non-SSL LDAP is still on 389.
 

Author Comment

by:workforceinsight
Thanks, Traoher,

In our setup, Windows Firewall (and other firewall software, i.e. Endpoint Protection) was disabled and/or not yet installed.  Was SSL LDAP on 636 with Server 2008?
 
LVL 6

Expert Comment

by:traoher
Yes, SSL LDAP was on 636 in 2008.

Did the 2012 server assume the same IP as the 2008 one did?
 

Author Comment

by:workforceinsight
Yep, same IP as the old domain controller.  Hmm -- I'll try it again and report back to you.
 

Author Comment

by:workforceinsight
Hi -- just tried it...

I put a tick in the box on the ASDM tool to "Enable LDAP over SSL" -- and it automatically changed the port in the box below to 636... but then the same "Login error."  Cisco was stumped on this one too. :-(
 
LVL 6

Expert Comment

by:traoher
From a computer on the network, can you telnet to the 2012 DC on port 636? If so, then the port is open and the only thing left is a protocol mismatch.

You can also use Wireshark to capture the data and see if you get anything meaningful; if things aren't buried inside the SSL protocol, you would be able to see the error right in the capture.
 

Author Comment

by:workforceinsight
Thanks, Traoher,

I'll try this during my next scheduled maintenance next week and will report back to you -- thanks for your help so far!
 

Author Comment

by:workforceinsight
Hi, Traoher --

I apologize for the radio silence; I've been inundated with projects and am now revisiting this thread so we can close the issue and award points.

I tried telnetting to the 2012 DC on port 636, but received this message:

Microsoft Telnet> open domaincontroller.internalnetwork.com [636]
Connecting To domaincontroller.internalnetwork.com...Could not open connection to the host,
 on port [636]: Connect failed

I tried putting Wireshark on this, but can't seem to get anything useful out of it. Any ideas?
 
LVL 25

Expert Comment

by:RobMobility
Hi,

Does the server still have the certificates needed to generate the SSL connection?

Has Group Policy changed which has modified the TLS version supported in Windows?

Regards,


RobMobility.
 
LVL 38

Assisted Solution

by:Aaron Tomosky
Aaron Tomosky earned 70 total points
I just did this a few weeks ago and the solution was to put the right type of cert in the personal cert store on the AD controller (I had to add the ADCS role, as it's the same box for me).

This helped me get the cert and cert template right:
http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

I know it's for 08, but it worked for me for 12.
 
LVL 36

Accepted Solution

by:ArneLovius
ArneLovius earned 30 total points
I would guess that when they "upgraded" to 2012, they didn't enable LDAPS with a relevant certificate. You can check with netstat on the Domain Controller to see if it is listening on port 636.
 
LVL 36

Expert Comment

by:ArneLovius
You can also try connecting to the DC using an LDAP browser that supports LDAPS; I quite like the Softerra LDAP browser.
 
LVL 25

Expert Comment

by:RobMobility
Hi,

You should be able to use LDP.exe (which I believe is installed by default) to confirm that LDAPS is listening properly on TCP 636.

You might also want to enable firewall logging to see if the incoming packets are being dropped or allowed.

Regards,


RobMobility.
 

Author Comment

by:workforceinsight
Thanks for all of the help!  I'm working through the suggested comments posted.  

Several points:

1. netstat is showing LDAP is listening on port 636;
2. Windows Firewall is (and has been) turned off;
3. RobMobility asked, "Does the server still have the certificates needed to generate the SSL connection?" -- with our prior 2008 setup, no certificate was needed. Looks like it may be needed with 2012.

Stay tuned.
 
LVL 25

Assisted Solution

by:RobMobility
RobMobility earned 400 total points
 
LVL 25

Expert Comment

by:RobMobility
Hi,

Unless you're using Dynamic Access Policies or something else that is reading LDAP attributes, you could use Kerberos instead?

Regards,


RobMobility.
 

Author Closing Comment

by:workforceinsight
Followed this article: http://gregtechnobabble.blogspot.co.uk/2012/11/enabling-ldap-ssl-in-windows-2012-part-1.html

Since LDAP over SSL/TLS (LDAPS) is automatically enabled when you install an Enterprise Root CA on a domain controller, I was good to go once I followed the instructions on that URL, above, and rebooted.

Thanks, Experts!!
 
LVL 36

Expert Comment

by:ArneLovius
The ASA should have (and trust) the root certificate that is used on the LDAP connection.

Now I'm in front of a computer instead of just on my iPhone...

If the ASA was configured with just the certificate used on the LDAP server, then this certificate may have changed.

I would open an SSH session to the ASA:

enable
term mon
! forwards the console to your SSH session
debug ldap 255
! the highest level of LDAP debug

Now try to connect and see if the error is obvious.

If it isn't obvious, copy the output to a text file, do the usual checks for information that you might not want published on here, and attach the text file.

When you have completed the test, do:

no debug ldap
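The checks the experts suggest above (traoher's telnet to 636, ArneLovius's netstat and root-certificate trust, RobMobility's LDP.exe test) can be folded into one probe run from any machine that can reach the DC. The following is an added example, not code from this thread or from any of the posters: it opens TCP 636, completes a TLS handshake with chain and hostname verification, and classifies the outcome the way an ASA would experience it (nothing listening, untrusted issuer, name mismatch, or success). The host name dc01.example.test, the CA file argument and the sample certificate dictionary are placeholders and constructed data.

```python
"""Probe a domain controller for LDAPS (TCP 636) and classify what a client
such as an ASA would see.  Added example; host names are placeholders."""
import socket
import ssl
from datetime import datetime, timezone

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not a real cert.
SAMPLE_CERT = {
    "subject": ((("commonName", "dc01.example.test"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "dc01.example.test"), ("DNS", "example.test")),
    "notAfter": "Jan 15 12:00:00 2014 GMT",
}


def classify_error(exc):
    """Map the exception raised during the probe to the likely cause."""
    if isinstance(exc, socket.timeout):
        return "timeout"             # packets dropped by a firewall, or host down
    if isinstance(exc, ConnectionRefusedError):
        return "not_listening"       # nothing bound to 636: no DC certificate enrolled
    if isinstance(exc, ssl.SSLCertVerificationError):
        if "hostname mismatch" in str(exc).lower():
            return "hostname_mismatch"   # cert lacks the name the client connects to
        return "untrusted_cert"      # issuer is not in the client's trust store
    if isinstance(exc, ssl.SSLError):
        return "tls_failed"          # handshake problem, e.g. protocol version
    return "unreachable"             # DNS failure, no route, and similar


def summarize_cert(cert):
    """Extract the fields that matter for the ASA from getpeercert() output."""
    subject = {k: v for rdn in cert.get("subject", ()) for k, v in rdn}
    issuer = {k: v for rdn in cert.get("issuer", ()) for k, v in rdn}
    dns_names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    expires = None
    if "notAfter" in cert:
        secs = ssl.cert_time_to_seconds(cert["notAfter"])
        expires = datetime.fromtimestamp(secs, tz=timezone.utc).isoformat()
    return {
        "subject_cn": subject.get("commonName"),
        "issuer_cn": issuer.get("commonName"),   # the CA the ASA must trust
        "dns_names": dns_names,                  # must include the name the ASA uses
        "expires_utc": expires,
    }


def probe_ldaps(host, port=636, ca_file=None, timeout=5.0):
    """Connect to host:port, verify the chain (against ca_file, or the OS store
    when ca_file is None) and the hostname, and describe the result."""
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return {
                    "status": "ok",
                    "tls_version": tls.version(),
                    "cert": summarize_cert(tls.getpeercert()),
                }
    except Exception as exc:  # classified, not swallowed: the status explains it
        return {"status": classify_error(exc), "detail": str(exc)}


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.test"  # placeholder
    ca = sys.argv[2] if len(sys.argv) > 2 else None                        # PEM bundle
    print(probe_ldaps(target, ca_file=ca))
```

Run it as `python probe.py dc.yourdomain.example rootca.pem`. A status of `not_listening` matches the "Connect failed" telnet result in this thread (the DC has no usable certificate, so it never binds 636); `untrusted_cert` means the DC answers but the CA that issued its certificate is not one the probing client trusts, which is the same condition ArneLovius describes for the ASA.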
