Solved

LDAPS and Server 2008 R2

Posted on 2013-10-29
Last Modified: 2013-11-04
Read a lot about this on this site and others but still have a few questions if someone can help.

My client has a cloud antispam/antivirus service that performs directory harvesting via LDAP into their AD.  Need to secure this with LDAPS.  They do support it.

1.  Want to use a GoDaddy SSL.
     a.  I assume standard SSL will work?
     b.  Already have a UCC for Exchange 2010
2.  Do I create the request via IIS like usual or via the AD certificate services?
3.  Where does the "Server Authentication object identifier" get inserted into the SSL?
      a.  all the articles stress that the cert has to perform this function compared to the "identity of a remote computer" role in the Exchange SSL.

We tried to self sign it and using the recommendation of not putting the CA on the domain controller itself, we could never get the "security" correct to choose the template we created and were trying to issue per this article - http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

And when we use a GoDaddy SSL, do we still need to do the request.inf - http://support.microsoft.com/kb/321051  - why is this different to a normal SSL request?

I guess we need a little clearer step by step.  Any help is appreciated...
Question by:RFloyd30

Expert Comment

by:Rich Rumble
ID: 39610612
You DO NOT have to buy a cert to use, it adds nothing to the security of the process technically, since the ldap service will not check for a revocation certificate, which is all adding a paid-for cert would be able to possibly add. It's SSL encryption but not the entire protocol, like where it checks for revocation before establishing connections.
As long as you're importing the self-signed cert, it should work, it's pretty easy.
http://support.microsoft.com/kb/321051 (yes you need the INF)
http://support.microsoft.com/kb/938703
-rich
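To make the INF step concrete, here is an added example (my own, not code from the thread or from either KB article) of the certreq INF that carries the Server Authentication object identifier the question asks about, followed by the certreq calls and a check of what the domain controller actually presents on TCP 636 afterwards. The INF follows the section layout of KB 321051 but assumes a 2048-bit key; `$DcFqdn` and the `$env:TEMP` file paths are placeholders, and the commands are meant to be run in PowerShell on the domain controller itself so the private key is created in the machine store.

```powershell
# Added example, not from the thread or the KB articles. $DcFqdn is a placeholder:
# replace it with the domain controller's FQDN as clients will resolve it.
$DcFqdn = 'dc01.corp.example'   # placeholder value

# The Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) is declared in the
# [EnhancedKeyUsageExtension] section and ends up in the CSR; that is where it
# gets "inserted" into the certificate. MachineKeySet = TRUE puts the key in the
# computer's store rather than the user's, which is what LDAPS needs.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=__DC_FQDN__"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
'@ -replace '__DC_FQDN__', $DcFqdn

Set-Content -Path "$env:TEMP\request.inf" -Value $inf -Encoding Ascii

# Generate the CSR on the DC. Submit request.req to the CA (GoDaddy or an internal
# CA), save the issued certificate as request.cer, then accept it so it is bound to
# the private key in the machine store.
certreq -new "$env:TEMP\request.inf" "$env:TEMP\request.req"
# ... CA round trip happens here ...
certreq -accept "$env:TEMP\request.cer"

# Verification: open a TLS session to port 636 and inspect the certificate the DC
# presents. The validation callback returns $true only so the inspection works even
# before the issuing CA has been distributed to this machine's trusted roots.
$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$ssl = New-Object System.Net.Security.SslStream(
    $tcp.GetStream(), $false,
    [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
$ssl.AuthenticateAsClient($DcFqdn)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
$eku  = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"EKU     : $(($eku.EnhancedKeyUsages | ForEach-Object { $_.FriendlyName }) -join ', ')"
if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
    Write-Warning 'Certificate lacks the Server Authentication EKU; LDAPS will not pick it up.'
}
if ($cert.Subject -notmatch [regex]::Escape($DcFqdn)) {
    Write-Warning "Subject does not contain $DcFqdn; clients validating the name will fail."
}
$ssl.Dispose(); $tcp.Close()
```

If the TLS handshake itself fails right after the certificate is installed, the usual causes are the subject not matching the DC's FQDN, a missing Server Authentication EKU, or the private key not being in the machine store; the output above shows the first two directly. With a self-signed or internal CA, the issuing CA certificate still has to reach the cloud service's trust store, otherwise the connection is encrypted but the service cannot tell it is talking to the real DC.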

Accepted Solution

by:RFloyd30 earned 0 total points
ID: 39610624
Thank you.  
Although the article does not specify, a couple more questions?

1. Do I need to have AD Cert services installed on the DC that will trust the cert?
2. I assume I can use IIS on one of my other servers to create the self signed cert?
3. In the KB, it shows win2k8 improvements, do I need to load cert into the NTDS Service's Personal store or just machine's ps?

I really appreciate the help!

Thanks

Expert Comment

by:Rich Rumble
ID: 39611191
1= No, the cert stores are on every machine by default.
2= IIS can, I believe; I use openssl however:  http://www.openssl.org/related/binaries.html + http://social.technet.microsoft.com/Forums/windowsserver/en-US/126c3644-3632-407b-a850-72be82766849/ldap-over-ssl-windows-server-2000-vs-windows-server-2008
You do have to manually distribute the cert when you don't have a CA though.
3= Personal store only for connecting machines.
-rich

Author Closing Comment

by:RFloyd30
ID: 39621057
Thank you again.  This gets me pointed in the correct direction and understanding.  OpenSSL seems a bit complicated to me versus the IIS method.  Used to doing IIS in the early days with OWA on Exchange 2003 with self-signed certs.  Will give them a try.

Thanks again.