Secure LDAP for external access for a third party vendor

greentriangle
We have an SBS 2011 server with a current SSL certificate. We have a third party vendor that needs to be able to extract AD info via LDAP. We want to use LDAPS to help secure it. We have blocked port 636 except for the vendor's IP range, and we know it's talking as we can telnet to this port. When trying to connect via the FQDN of the current SSL certificate issued by a third party CA, it doesn't connect. I have tried adding a new FQDN, i.e. trend.XXX.com.au, pointing to the external IP address and created an SSL certificate from the local CA, and even a third party CA, but it still doesn't connect. It's like it's not liking the certificate name it finds. When using LDP.exe as a test to connect to trend.xxx.com.au, the system event talks about schannel and mentions: "The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate." When I look at the friendly view, I can see mention of the internal name of the server.

Thoughts?

Dan McFadden, Systems Engineer

Commented:
You need to have the local CA's root certificate installed on the computer that will be connecting to your LDAP server.

Here is a link (assuming you are using a MS cert server):

http://technet.microsoft.com/en-us/library/cc995096.aspx

Check out the 3rd section on how to install a root certificate.

Dan

Author

Commented:
What if we cant install the CA root certificate on the 3rd party wanting to access AD?
Dan McFadden, Systems Engineer

Commented:
I then suggest purchasing a 3rd party SSL certificate from a commercial CA... Symantec, Thawte, Comodo, etc.

Here's a comparison site: http://www.sslshopper.com/certificate-authority-reviews.html
Dan McFadden, Systems Engineer

Commented:
You could test this out using an SSL Cert from http://www.startssl.com/. It's free and a recognized CA. I've used them once before and remembered after looking at the comparison chart above.

Dan

Author

Commented:
Again, in the original post, I mentioned that I had tried a 3rd party certificate.... Tried a GeoTrust but to no avail...
Systems Engineer
Commented:
Have you followed this process from MS?:

http://support.microsoft.com/kb/321051

Here is another process for troubleshooting the issues:

http://support.microsoft.com/kb/938703

Also, which device is reporting the SChannel error, your server or the remote device?

This issue is similar to configuring SSL for connecting to SQL Server, Lync Server or a web server. The error you're receiving is similar to going to a web site using an SSL Cert issued by an entity that your browser is unaware of. Your browser shows an error message like:

There is a problem with this website’s security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.

I am also going to re-state that the CA Certificate Chain (Root CA Cert) has to be trusted by all parties in order to create a valid SSL connection.  If not, the connection cannot work correctly.

Dan
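The two failure modes discussed in this thread (a CA the client does not trust, and a certificate whose names do not cover the FQDN being dialled) can be told apart from the client side. The following is an added diagnostic, not code from the thread or from Microsoft: it dials an LDAPS port with full verification, classifies the result, and shows why a certificate naming only the server's internal AD name will not satisfy a client connecting to an external FQDN. The host names, the `INTERNAL_ONLY_CERT` sample and the `cafile` parameter are constructed for illustration.

```python
import socket
import ssl

# Constructed sample in the shape returned by SSLSocket.getpeercert(): a cert
# that names only the server's internal AD name (what the question describes).
INTERNAL_ONLY_CERT = {
    "subject": ((("commonName", "sbs.corp.local"),),),
    "subjectAltName": (("DNS", "sbs.corp.local"), ("DNS", "sites.corp.local")),
}

def names_in_cert(cert):
    """DNS names a getpeercert()-style dict presents: SAN dNSName entries,
    falling back to the subject CN only when there is no SAN at all."""
    sans = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for (k, v) in rdn if k == "commonName"]

def name_matches(pattern, hostname):
    """RFC 6125 style: case-insensitive; '*' only as the whole leftmost label,
    covering exactly one label, with at least two fixed labels after it."""
    p = pattern.lower().rstrip(".").split(".")
    h = hostname.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) >= 3 and p[1:] == h[1:]
    return p == h

def hostname_covered(cert, hostname):
    """True if any name the certificate presents covers the FQDN the client dials."""
    return any(name_matches(n, hostname) for n in names_in_cert(cert))

def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Open a verified TLS session to an LDAPS port and classify the outcome:
    ('ok', names) | ('untrusted-chain', msg) | ('name-mismatch', msg) | ('error', msg).
    cafile is the issuing CA chain (PEM) for a private CA; omit it for a commercial CA."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok", names_in_cert(tls.getpeercert())
    except ssl.SSLCertVerificationError as e:
        # OpenSSL verify code 62 is X509_V_ERR_HOSTNAME_MISMATCH; chain problems
        # (self-signed / no local issuer) are the "untrusted CA" case from the question.
        if getattr(e, "verify_code", None) == 62 or "Hostname mismatch" in str(e):
            return "name-mismatch", str(e)
        return "untrusted-chain", str(e)
    except (OSError, ssl.SSLError) as e:
        return "error", str(e)
```

Run `probe_ldaps("trend.example.com.au")` from the vendor's side: an `untrusted-chain` result means the issuing CA chain is not trusted there (Dan's first point), while `name-mismatch` means the certificate the DC chose does not list the external FQDN, so a new certificate must carry that name in its SAN.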
