
Secure LDAP for external access for a third party vendor

Last Modified: 2014-09-04
We have an SBS 2011 server with a current SSL certificate. We have a third party vendor that needs to be able to extract AD info via LDAP. We want to use LDAPS to help secure it. We have blocked port 636 except for the vendor's IP range, and we know it's talking as we can telnet to this port.

When trying to connect via the FQDN of the current SSL certificate issued by a third party CA, it doesn't connect. I have tried adding a new FQDN, i.e. trend.XXX.com.au, pointing to the external IP address and created an SSL certificate from the local CA, and even a third party CA, but it still doesn't connect. It's like it's not liking the certificate name it finds.

When using LDP.exe as a test to connect to trend.xxx.com.au, the system event talks about schannel and mentions:

"The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate"

When I look at the friendly view, I can see mention of the internal name of the server.

Thoughts?

Dan McFadden, Technical Lead - Active Directory

Commented:
You need to have the local CA's root certificate installed on the computer that will be connecting to your LDAP server.

Here is a link (assuming you are using a MS cert server):

http://technet.microsoft.com/en-us/library/cc995096.aspx

Check out the 3rd section on how to install a root certificate.

Dan
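The schannel event quoted in the question is a chain-trust failure, which is a different problem from the name mismatch the author suspects. The following PowerShell script is an added example by the editor, not code from the thread: it performs the same TLS handshake on port 636 that LDP.exe does, keeps the certificate the DC actually presents, and reports separately whether the client's failure is an untrusted issuing CA (fixed by importing the CA root as Dan suggests, or by using a commercially trusted certificate) or a name that is not in the certificate's SAN/CN. The host name trend.xxx.com.au is an assumption taken from the question; run it from a machine that does not already trust your internal CA, which is the vendor's point of view.

```powershell
# Added LDAPS diagnostic (not from the original thread). Performs a TLS handshake
# on the LDAPS port, records why validation failed instead of aborting, and prints
# the certificate the server actually presented. $HostName is an assumption.
param(
    [string]$HostName = 'trend.xxx.com.au',   # assumed vendor-facing FQDN
    [int]$Port = 636
)

$script:PolicyErrors = [System.Net.Security.SslPolicyErrors]::None
$script:ChainStatus  = @()

# The callback records the result and accepts the certificate so the handshake
# completes and the certificate can be inspected. Accepting everything is for
# diagnosis only; never do this in a real client.
$validate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:PolicyErrors = $sslPolicyErrors
    # Copy the chain status now; the chain object is not guaranteed to survive the callback.
    $script:ChainStatus  = @($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    return $true
}

$cert = $null
$tcp  = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
$ssl  = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
try {
    # The name passed here is what the client compares against the certificate's SAN/CN.
    $ssl.AuthenticateAsClient($HostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $tcp.Close()
}

if (-not $cert) { throw "No certificate received from ${HostName}:$Port" }

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Valid   : $($cert.NotBefore) to $($cert.NotAfter)"
# 2.5.29.17 is the Subject Alternative Name extension; modern clients match the name against it.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { "SAN     : $($san.Format($false))" } else { "SAN     : (none; only the Subject CN can match)" }

$e = $script:PolicyErrors
if ($e -eq [System.Net.Security.SslPolicyErrors]::None) {
    "Result  : trusted chain and matching name; the client side of LDAPS is fine."
}
if (($e -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) -ne 0) {
    "Result  : CHAIN ERROR - this client does not trust the issuing CA (the schannel"
    "          message in the question). Import the CA root here, or use a certificate"
    "          from a CA this client already trusts."
    foreach ($s in $script:ChainStatus) { "          $s" }
}
if (($e -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -ne 0) {
    "Result  : NAME MISMATCH - '$HostName' is not in the certificate's SAN or CN."
}
if (($e -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNotAvailable) -ne 0) {
    "Result  : the server presented no certificate."
}
```

Read the Issuer and Subject lines first. If the Issuer is your internal CA and the Subject carries the server's internal name, as the question's "friendly view" suggests, the DC is not presenting the commercial certificate at all; Schannel chooses the LDAPS certificate from the computer's Personal store on its own, and on Windows Server 2008 and later (SBS 2011 is built on 2008 R2) the documented way to control that choice is to place the intended certificate, with its private key, in the NTDS service's own Personal store. A commercial certificate only helps once the DC actually serves it.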

Author

Commented:
What if we can't install the CA root certificate on the 3rd party wanting to access AD?
Dan McFadden, Technical Lead - Active Directory

Commented:
I then suggest purchasing a 3rd party SSL certificate from a commercial CA...  Symantec, Thawte, Comodo, etc.

Here's a comparison site:  http://www.sslshopper.com/certificate-authority-reviews.html
Dan McFadden, Technical Lead - Active Directory

Commented:
You could test this out using an SSL cert from http://www.startssl.com/.  It's free and a recognized CA.  I've used them once before and remembered after looking at the comparison chart above.

Dan

Author

Commented:
Again, in the original post, I mentioned that I had tried a 3rd party certificate.... Tried a Geotrust but to no avail...
