Go Premium for a chance to win a PS4. Enter to Win

x
?
Solved

LDAPS and Server 2008 R2

Posted on 2013-10-29
4
Medium Priority
?
394 Views
Last Modified: 2013-11-04
Read a lot about this on this site and others but still have a few questions if someone can help.

My client has a cloud antispam/antivirus service that performs directory harvesting via LDAP into their AD.  Need to secure this with LDAPS.  They do support it.

1.  Want to use a GoDaddy SSL.
     a.  I assume standard SSL will work?
     b.  Already have a UCC for Exchange 2010
2.  Do I create the request via IIS like usual or via the AD certificate services?
3.  Where does the "Server Authentication object identifier" get inserted into the SSL?
      a.  all the articles stress that the cert has to perform this function compared to the "identity of a remote computer" role in the Exchange SSL.

We tried to self sign it and using the recommendation of not putting the CA on the domain controller itself, we could never get the "security" correct to choose the template we created and were trying to issue per this article - http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

And when we use a GoDaddy SSL, do we still need to do the request.inf - http://support.microsoft.com/kb/321051  - why is this different to a normal SSL request?


 I guess we need a little clearer step by step.  Any help is appreciated...
0
Comment
Question by:RFloyd30
  • 2
  • 2
4 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39610612
You DO NOT have to buy a cert to use, it add's nothing to security of the process technically, since the ldap service will not check for a revocation certificate, which is all adding a paid for cert would be able to possibly add. It's SSL encryption but not the entire protocol, like where it checks for revocation before establishing connections.
As long as you're importing the self-signed cert, it should work, it's pretty easy.
http://support.microsoft.com/kb/321051 (yes you need the INF)
http://support.microsoft.com/kb/938703
-rich
0
 

Accepted Solution

by:
RFloyd30 earned 0 total points
ID: 39610624
Thank you.  
Although the article does not specify, a couple more questions?

1. Do I need to have AD Cert services installed on the DC that will trust the cert?
2. I assume I can use IIS on one of my other servers to create the self signed cert?
3. In the KB, it shows win2k8 improvements, do I need to load cert into the NTDS Service's Personal store or just machine's ps?

I really appreciate the help!

Thanks
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39611191
1= No, the cert stores are on every machine by default.
2= IIS can I believe, I use openssl however:  http://www.openssl.org/related/binaries.html + http://social.technet.microsoft.com/Forums/windowsserver/en-US/126c3644-3632-407b-a850-72be82766849/ldap-over-ssl-windows-server-2000-vs-windows-server-2008
You do have to manually distribute the cert when you don't have a CA though.
3= Personal store only for connecting machines.
-rich
0
 

Author Closing Comment

by:RFloyd30
ID: 39621057
Thank you again.   This gets me pointed into the correct direction and understanding.  Openssl  seems a bit complicated to me versus the IIS method.  Used to doing IIS in the early days with OWA on Exchange 2003 with self signed certs.  Will give them a try.

Thanks again.
0

Featured Post

[Webinar] Cloud Security

In this webinar you will learn:

-Why existing firewall and DMZ architectures are not suited for securing cloud applications
-How to make your enterprise “Cloud Ready”, and fix your aging DMZ architecture
-How to transform your enterprise and become a Cloud Enabler

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

This article helps those who get the 0xc004d307 error when trying to rearm (reset the license) Office 2013 in a Virtual Desktop Infrastructure (VDI) and/or those trying to prep the master image for Microsoft Key Management (KMS) activation. (i.e.- C…
The article covers five tools all IT professionals should know about, as they up productivity by a great deal!
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
The Task Scheduler is a powerful tool that is built into Windows. It allows you to schedule tasks (actions) on a recurring basis, such as hourly, daily, weekly, monthly, at log on, at startup, on idle, etc. This video Micro Tutorial is a brief intro…

886 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question