Solved

Secure LDAP for external access for a third party vendor

Posted on 2014-08-19
Last Modified: 2014-09-04
We have an SBS 2011 server with a current SSL certificate. We have a third party vendor that needs to be able to extract AD info via LDAP. We want to use LDAPS to help secure it. We have blocked port 636 except for the vendor's IP range, and we know it's talking as we can telnet to this port. When trying to connect via the FQDN of the current SSL certificate issued by a third party CA, it doesn't connect. I have tried adding a new FQDN, i.e. trend.XXX.com.au, pointing to the external IP address and created an SSL certificate from the local CA, and even a third party CA, but it still doesn't connect. It's like it's not liking the certificate name it finds. When using LDP.exe as a test to connect to trend.xxx.com.au, the system event talks about schannel and mentions: "The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate." When I look at the friendly view, I can see mention of the internal name of the server.

Thoughts?
Question by:greentriangle
6 Comments
 
LVL 29

Expert Comment

by:Dan McFadden
ID: 40272149
You need to have the local CA's root certificate installed on the computer that will be connecting to your LDAP server.

Here is a link (assuming you are using a MS cert server):

http://technet.microsoft.com/en-us/library/cc995096.aspx

Check out the 3rd section on how to install a root certificate.

Dan

Author Comment

by:greentriangle
ID: 40272372
What if we can't install the CA root certificate on the 3rd party wanting to access AD?
LVL 29

Expert Comment

by:Dan McFadden
ID: 40272400
I then suggest purchasing a 3rd party SSL certificate from a commercial CA...  Symantec, Thawte, Comodo, etc.

Here's a comparison site:  http://www.sslshopper.com/certificate-authority-reviews.html
LVL 29

Expert Comment

by:Dan McFadden
ID: 40272432
You could test this out using an SSL Cert from http://www.startssl.com/.  It's free and a recognized CA.  I've used them once before and remembered after looking at the comparison chart above.

Dan

Author Comment

by:greentriangle
ID: 40272458
Again, in the original post, I mentioned that I had tried a 3rd party certificate.... Tried a Geotrust but to no avail...
LVL 29

Accepted Solution

by:Dan McFadden (earned 2000 total points)
ID: 40273226
Have you followed this process from MS?:

http://support.microsoft.com/kb/321051

Here is another process for troubleshooting the issues:

http://support.microsoft.com/kb/938703

Also, which device is reporting the SChannel error, your server or the remote device?

This issue is similar to configuring SSL for connecting to SQL Server, Lync Server or a web server.  The error you're receiving is similar to going to a web site using an SSL Cert issued by an entity that your browser is unaware of.  Your browser shows an error message like:

There is a problem with this website’s security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.  


I am also going to re-state that the CA Certificate Chain (Root CA Cert) has to be trusted by all parties in order to create a valid SSL connection.  If not, the connection cannot work correctly.

Dan
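An added diagnostic to go with the accepted answer (this is example code written for this page, not part of the thread and not a Microsoft tool). The question's telnet test only proves TCP/636 is open; the script below performs the validating TLS handshake the vendor's client would perform against the public FQDN, using only the Python standard library, and separates the two complaints Dan quotes: a chain that does not end in a root the client trusts, and a certificate issued for a different name. It also retrieves the certificate the DC actually presents, since the schannel event in the question showed the internal server name rather than the public one. The hostnames (trend.example.com.au, sbs.corp.local) and the CA-bundle path are constructed placeholders.

```python
"""Diagnose why an LDAPS (TCP/636) connection fails certificate validation.

Two independent checks have to pass: the chain must reach a root the
client trusts, and the name the client connected to must appear on the
certificate.  The helpers below tell those apart.
"""
import socket
import ssl

LDAPS_PORT = 636


def classify_verify_error(err):
    """Map an OpenSSL/Python verification failure (exception or its message)
    to one of the browser-style complaints quoted in the accepted answer."""
    msg = (getattr(err, "verify_message", None) or str(err)).lower()
    if "hostname mismatch" in msg:
        return "name-mismatch"          # cert issued for a different address
    if ("local issuer" in msg or "self signed" in msg or "self-signed" in msg
            or "unable to get issuer" in msg):
        return "untrusted-issuer"       # chain does not end in a trusted root
    if "expired" in msg:
        return "expired"
    return "other"


def cert_dns_names(peercert):
    """Names a client matches against, from the dict ssl.getpeercert() returns.
    DNS SANs win; browsers and most modern clients ignore the subject CN, and
    OpenSSL only falls back to it when the cert carries no DNS SAN at all."""
    sans = [v for (t, v) in peercert.get("subjectAltName", ()) if t == "DNS"]
    if sans:
        return sans
    return [v for rdn in peercert.get("subject", ())
            for (k, v) in rdn if k == "commonName"]


def hostname_matches(hostname, pattern):
    """RFC 6125-style match: exact, or a single '*' as the leftmost label only."""
    host = hostname.lower().rstrip(".")
    pat = pattern.lower().rstrip(".")
    if not pat.startswith("*."):
        return host == pat
    suffix = pat[1:]                     # e.g. ".example.com.au"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def name_check(hostname, peercert):
    """(matches?, names on the cert) for the FQDN the vendor connects to."""
    names = cert_dns_names(peercert)
    return any(hostname_matches(hostname, n) for n in names), names


def probe_ldaps(host, cafile=None, port=LDAPS_PORT, timeout=5.0):
    """Validating handshake, as the vendor's client would do it.
    cafile = the CA bundle that client trusts (None = this machine's default store).
    Returns ("ok", peercert dict) or (failure class, error text)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "ok", tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return classify_verify_error(exc), str(exc)


def presented_cert_pem(host, port=LDAPS_PORT, timeout=5.0):
    """Fetch whatever certificate the server actually sends, skipping validation
    so a bad chain does not hide the answer.  Diagnostic only: the returned PEM
    is meant to be saved as a .cer and opened to read its subject and SANs."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return ssl.DER_cert_to_PEM_cert(tls.getpeercert(binary_form=True))


if __name__ == "__main__":
    import sys
    # usage: python ldaps_check.py trend.example.com.au [vendor-trusted-ca-bundle.pem]
    target = sys.argv[1]
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    status, detail = probe_ldaps(target, bundle)
    if status == "ok":
        print("validated; names on cert:", cert_dns_names(detail))
    else:
        print(status, "->", detail)
        print(presented_cert_pem(target))
```

Run it from a machine outside the LAN, passing the vendor's trust store as the second argument, because validation is judged by the connecting side: a chain that only the SBS box and its domain members trust will report "untrusted-issuer", and a DC that picks its internal certificate will report "name-mismatch" for the public FQDN even when a third-party certificate is installed. In the second case, the PEM that is printed is the certificate to look at.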