Solved

LDAPS and Server 2008 R2

Posted on 2013-10-29
4
388 Views
Last Modified: 2013-11-04
Read a lot about this on this site and others but still have a few questions if someone can help.

My client has a cloud antispam/antivirus service that performs directory harvesting via LDAP into their AD.  Need to secure this with LDAPS.  They do support it.

1. Want to use a GoDaddy SSL.
   a. I assume standard SSL will work?
   b. Already have a UCC for Exchange 2010
2. Do I create the request via IIS like usual or via the AD certificate services?
3. Where does the "Server Authentication object identifier" get inserted into the SSL?
   a. All the articles stress that the cert has to perform this function compared to the "identity of a remote computer" role in the Exchange SSL.

We tried to self sign it and using the recommendation of not putting the CA on the domain controller itself, we could never get the "security" correct to choose the template we created and were trying to issue per this article - http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

And when we use a GoDaddy SSL, do we still need to do the request.inf - http://support.microsoft.com/kb/321051  - why is this different to a normal SSL request?


I guess we need a little clearer step by step. Any help is appreciated...
0
Comment
Question by:RFloyd30
4 Comments
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39610612
You DO NOT have to buy a cert to use; it adds nothing to the security of the process technically, since the LDAP service will not check for a revocation certificate, which is all adding a paid-for cert would be able to possibly add. It's SSL encryption but not the entire protocol, like where it checks for revocation before establishing connections.
As long as you're importing the self-signed cert, it should work, it's pretty easy.
http://support.microsoft.com/kb/321051 (yes you need the INF)
http://support.microsoft.com/kb/938703
-rich
0
 

Accepted Solution

by:
RFloyd30 earned 0 total points
ID: 39610624
Thank you.
Although the article does not specify, a couple more questions?

1. Do I need to have AD Cert services installed on the DC that will trust the cert?
2. I assume I can use IIS on one of my other servers to create the self signed cert?
3. In the KB, it shows win2k8 improvements, do I need to load cert into the NTDS Service's Personal store or just machine's ps?

I really appreciate the help!

Thanks
0
 
LVL 38

Expert Comment

by:Rich Rumble
ID: 39611191
1= No, the cert stores are on every machine by default.
2= IIS can, I believe; I use openssl however: http://www.openssl.org/related/binaries.html + http://social.technet.microsoft.com/Forums/windowsserver/en-US/126c3644-3632-407b-a850-72be82766849/ldap-over-ssl-windows-server-2000-vs-windows-server-2008
You do have to manually distribute the cert when you don't have a CA though.
3= Personal store only for connecting machines.
-rich
0
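The two points the thread keeps coming back to are the request.inf from KB 321051 (the cert must carry the Server Authentication EKU, OID 1.3.6.1.5.5.7.3.1, and the DC's FQDN) and Rich's suggestion of doing it with openssl instead of IIS. The script below is an added example, not code from the thread or from Microsoft's KB: it writes the openssl equivalent of that request.inf, issues a self-signed cert with those extensions, checks them, and bundles key and cert into a .pfx for import into the DC's Personal store. The FQDN and output directory are constructed placeholders.

```shell
#!/bin/sh
# Added example: openssl equivalent of the KB 321051 request.inf for an
# LDAPS certificate. DC_FQDN is a constructed placeholder; set it to the
# domain controller's real FQDN before use.
set -e
DC_FQDN="${DC_FQDN:-dc01.example.local}"
OUT="${OUT:-$(mktemp -d)}"

# Write the openssl config. "serverAuth" is the Server Authentication
# EKU (1.3.6.1.5.5.7.3.1) the thread asks about; AD requires it on the
# cert it uses for LDAPS, and the SAN must carry the DC's FQDN.
write_ldaps_cnf() {
    cat > "$OUT/ldaps.cnf" <<EOF
[ req ]
distinguished_name = dn
req_extensions = ldaps_ext
prompt = no
[ dn ]
CN = $DC_FQDN
[ ldaps_ext ]
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$DC_FQDN
EOF
}

# Issue a self-signed cert (no CA, as Rich describes) with those extensions
# and bundle it as PKCS#12 so it can be imported into the DC's Personal
# store. Clients must then be given ldaps.crt to trust, since nothing chains.
make_ldaps_cert() {
    write_ldaps_cnf
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -keyout "$OUT/ldaps.key" -out "$OUT/ldaps.crt" \
        -config "$OUT/ldaps.cnf" -extensions ldaps_ext 2>/dev/null
    openssl pkcs12 -export -inkey "$OUT/ldaps.key" -in "$OUT/ldaps.crt" \
        -out "$OUT/ldaps.pfx" -passout pass:changeme
}

# Return 0 only if the cert carries the Server Authentication EKU and the
# DC's FQDN in its SAN; this is the check to run before importing it.
check_ldaps_cert() {
    text=$(openssl x509 -in "$1" -noout -text)
    echo "$text" | grep -q 'TLS Web Server Authentication' || return 1
    echo "$text" | grep -q "DNS:$DC_FQDN"
}

make_ldaps_cert
check_ldaps_cert "$OUT/ldaps.crt" && echo "ok: $OUT/ldaps.crt has serverAuth EKU and SAN $DC_FQDN"
```

The .pfx password above is a placeholder; OpenSSL 3 writes PKCS#12 with algorithms older Windows releases cannot import, in which case add `-legacy` to the pkcs12 command.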
 

Author Closing Comment

by:RFloyd30
ID: 39621057
Thank you again. This gets me pointed into the correct direction and understanding. Openssl seems a bit complicated to me versus the IIS method. Used to doing IIS in the early days with OWA on Exchange 2003 with self signed certs. Will give them a try.

Thanks again.
0
