Solved

LDAPS and Server 2008 R2

Posted on 2013-10-29
4
390 Views
Last Modified: 2013-11-04
Read a lot about this on this site and others but still have a few questions if someone can help.

My client has a cloud antispam/antivirus service that performs directory harvesting via LDAP into their AD.  Need to secure this with LDAPS.  They do support it.

1.  Want to use a GoDaddy SSL.
     a.  I assume standard SSL will work?
     b.  Already have a UCC for Exchange 2010
2.  Do I create the request via IIS like usual or via the AD certificate services?
3.  Where does the "Server Authentication object identifier" get inserted into the SSL?
      a.  all the articles stress that the cert has to perform this function compared to the "identity of a remote computer" role in the Exchange SSL.

We tried to self sign it and using the recommendation of not putting the CA on the domain controller itself, we could never get the "security" correct to choose the template we created and were trying to issue per this article - http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

And when we use a GoDaddy SSL, do we still need to do the request.inf - http://support.microsoft.com/kb/321051  - why is this different to a normal SSL request?


 I guess we need a little clearer step by step.  Any help is appreciated...
0
Comment
Question by:RFloyd30
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
4 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39610612
You DO NOT have to buy a cert to use, it add's nothing to security of the process technically, since the ldap service will not check for a revocation certificate, which is all adding a paid for cert would be able to possibly add. It's SSL encryption but not the entire protocol, like where it checks for revocation before establishing connections.
As long as you're importing the self-signed cert, it should work, it's pretty easy.
http://support.microsoft.com/kb/321051 (yes you need the INF)
http://support.microsoft.com/kb/938703
-rich
0
 

Accepted Solution

by:
RFloyd30 earned 0 total points
ID: 39610624
Thank you.  
Although the article does not specify, a couple more questions?

1. Do I need to have AD Cert services installed on the DC that will trust the cert?
2. I assume I can use IIS on one of my other servers to create the self signed cert?
3. In the KB, it shows win2k8 improvements, do I need to load cert into the NTDS Service's Personal store or just machine's ps?

I really appreciate the help!

Thanks
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39611191
1= No, the cert stores are on every machine by default.
2= IIS can I believe, I use openssl however:  http://www.openssl.org/related/binaries.html + http://social.technet.microsoft.com/Forums/windowsserver/en-US/126c3644-3632-407b-a850-72be82766849/ldap-over-ssl-windows-server-2000-vs-windows-server-2008
You do have to manually distribute the cert when you don't have a CA though.
3= Personal store only for connecting machines.
-rich
0
 

Author Closing Comment

by:RFloyd30
ID: 39621057
Thank you again.   This gets me pointed into the correct direction and understanding.  Openssl  seems a bit complicated to me versus the IIS method.  Used to doing IIS in the early days with OWA on Exchange 2003 with self signed certs.  Will give them a try.

Thanks again.
0

Featured Post

Instantly Create Instructional Tutorials

Contextual Guidance at the moment of need helps your employees adopt to new software or processes instantly. Boost knowledge retention and employee engagement step-by-step with one easy solution.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

When asking a question in a forum or creating documentation, screenshots are vital tools that can convey a lot more information and save you and your reader a lot of time
Windows 10 Creator Update has just been released and I have it working very well on my laptop. Read below for issues, fixes and ideas.
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…
Suggested Courses

623 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question