How can I get LDAPS to connect on anything other than the server the SSL certificates live on?
Posted on 2014-09-17
I've started the long and painful process of turning up a public facing domain controller for DR and third party authentication use. We have and Amazon AWS EC2 instance running Server 2008 R2 with a VPN tunnel back to our primary datacenter. The AWS firewall is set to allow any and all inbound traffic from our primary datacenter IP, as well as a few ports on specific IP ranges for our vendors that need to pull down ADUC info.
I set up a domain with Network Solutions, and purchased a UCC SSL certificate from GoDaddy. The reason we need a UCC certificate is due to our corporate domain being a *.local domain. The primary for the SSL certificate is the network solutions domain, with our alternatives being the DN of the AWS DC and the DN of our .local domain.
After correctly formatting all the stuff with NS and GD (which took literally all day), I am now able to finally connect to LDAPS from the AWS server to the AWS sever. This doesn't prove much since it's only talking to itself. I can't connect to LDAP on the AWS server from any of our data centers, but for some reason the third party vendors can. When any of the vendors or myself attempt to connect to LDAPS over port 636, it returns this message from ldp.exe:
ld = ldap_sslinit("dvdccloud", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to dvdccloud.
I have searched around for days trying to find out what the issue might be. I suspect it's either something network related with improper routing, or there might actually be an issue with the fact the alternative record on file with GD is a *.local domain. I am aware that *.local domains will no longer be supported by SSL come November 1st, 2015, but getting this working would give me a year to plan out a total domain reconfiguration.
Can anyone lend a hand and help me figure out what's wrong here? Thanks.