Solved

LDAPS and Server 2008 R2

Posted on 2013-10-29
Last Modified: 2013-11-04
Read a lot about this on this site and others but still have a few questions if someone can help.

My client has a cloud antispam/antivirus service that performs directory harvesting via LDAP into their AD.  Need to secure this with LDAPS.  They do support it.

1.  Want to use a GoDaddy SSL.
     a.  I assume standard SSL will work?
     b.  Already have a UCC for Exchange 2010
2.  Do I create the request via IIS like usual or via the AD certificate services?
3.  Where does the "Server Authentication object identifier" get inserted into the SSL?
      a.  all the articles stress that the cert has to perform this function compared to the "identity of a remote computer" role in the Exchange SSL.

We tried to self sign it and using the recommendation of not putting the CA on the domain controller itself, we could never get the "security" correct to choose the template we created and were trying to issue per this article - http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

And when we use a GoDaddy SSL, do we still need to do the request.inf - http://support.microsoft.com/kb/321051  - why is this different to a normal SSL request?


 I guess we need a little clearer step by step.  Any help is appreciated...
Question by:RFloyd30
4 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39610612
You DO NOT have to buy a cert to use; it adds nothing to the security of the process technically, since the LDAP service will not check for a revocation certificate, which is all a paid-for cert would be able to possibly add. It's SSL encryption but not the entire protocol, like where it checks for revocation before establishing connections.
As long as you're importing the self-signed cert, it should work, it's pretty easy.
http://support.microsoft.com/kb/321051 (yes you need the INF)
http://support.microsoft.com/kb/938703
-rich
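A worked version of the certreq route that KB 321051 describes, added here as an example and not taken from the thread or from the Microsoft article: the request.inf is what carries the Server Authentication OID (1.3.6.1.5.5.7.3.1) that the asker could not place, plus a SAN for the DC's name, and certreq binds the returned cert to the key in the machine store. The FQDN dc01.corp.example.com and the C:\certs paths are assumed placeholders; it is run in an elevated prompt on the domain controller.

```powershell
# Added example (not from the thread): certreq-based LDAPS certificate request.
# Assumed placeholder: the DC's FQDN. Run elevated on the DC itself so the key
# is created in the LocalMachine store that Schannel/NTDS reads from.
$DcFqdn = 'dc01.corp.example.com'

# The Server Authentication OID goes in [EnhancedKeyUsageExtension]. The IIS
# wizard never asks for an EKU, which is why KB 321051 needs an INF instead of
# a normal web-server request. 2.5.29.17 is the SAN extension; the DNS name in
# it must be the name clients put in the LDAPS URL.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$DcFqdn"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE           ; keep the DC key non-exportable unless you must back it up
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1      ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$DcFqdn&"
"@
Set-Content -Path C:\certs\request.inf -Value $inf -Encoding ASCII

# 1. Build the CSR; submit request.req to the CA (GoDaddy or an internal CA).
certreq -new C:\certs\request.inf C:\certs\request.req

# 2. Bind the CA-issued cert to the private key in LocalMachine\My. The CA's
#    root (and any intermediate) must also be trusted by the DC, or Schannel
#    cannot build a chain and will not offer the cert on port 636.
certreq -accept C:\certs\request.cer

# 3. Confirm what Schannel will select: a cert with a private key whose EKU
#    lists Server Authentication and whose SAN contains the LDAPS host name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=$DcFqdn" -and $_.HasPrivateKey }
foreach ($ext in $cert.Extensions) {
    if ($ext.Oid.Value -in '2.5.29.37', '2.5.29.17') {   # EKU, SAN
        "{0}: {1}" -f $ext.Oid.FriendlyName, $ext.Format($false)
    }
}
```

After the reboot (or an LDAP SSL restart on 2008 R2), a client-side check from another machine against port 636 confirms the DC is presenting this cert rather than an older one in the store.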

Accepted Solution

by:
RFloyd30 earned 0 total points
ID: 39610624
Thank you.  
Although the article does not specify, a couple more questions?

1. Do I need to have AD Cert services installed on the DC that will trust the cert?
2. I assume I can use IIS on one of my other servers to create the self signed cert?
3. In the KB, it shows win2k8 improvements, do I need to load cert into the NTDS Service's Personal store or just machine's ps?

I really appreciate the help!

Thanks
LVL 38

Expert Comment

by:Rich Rumble
ID: 39611191
1= No, the cert stores are on every machine by default.
2= IIS can I believe, I use openssl however:  http://www.openssl.org/related/binaries.html + http://social.technet.microsoft.com/Forums/windowsserver/en-US/126c3644-3632-407b-a850-72be82766849/ldap-over-ssl-windows-server-2000-vs-windows-server-2008
You do have to manually distribute the cert when you don't have a CA though.
3= Personal store only for connecting machines.
-rich
Author Closing Comment

by:RFloyd30
ID: 39621057
Thank you again. This gets me pointed in the correct direction and understanding. OpenSSL seems a bit complicated to me versus the IIS method. Used to doing IIS in the early days with OWA on Exchange 2003 with self-signed certs. Will give them a try.

Thanks again.