Kevin Staley (United States) asked:
Can LDAP and LDAPS function together on a 2012 R2 server?

We have a Cloud based email archiving solution that requires an LDAP connection to authenticate our AD users. In addition to LDAP, their connector supports LDAPS or STARTTLS. Even though I can restrict LDAP traffic from the Internet to only their IPs, I would still prefer to use one of the encrypted methods.

I have read a few articles on LDAPS, but I have not found one that claims for certain that you can have both LDAP and LDAPS in use on the same server. I have a few LAN appliances that use LDAP only, not LDAPS, so I cannot use LDAPS if it disables LDAP. Does it? And, a related question I think... even if both can be enabled on a server, will our two DCs default to LDAPS for their own exchanging of info if one of them has a CA installed? Will I have to have the same certificate installed on both DCs? I'll only be NATting LDAPS traffic to one of them.
ASKER CERTIFIED SOLUTION by Peter Hutchison (United Kingdom) [solution text is only available to Experts Exchange members and is not included here]
Yes, and they frequently do. The hangup is the certificate as @PeterHutchenson mentioned above. Depending on the service provider, you may need a public certificate rather than from your own PKI as some providers refuse to accept your "untrusted" PKI at all.
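The practical way to settle the "can both run at once" question is to look at the DC's listeners and then bind over each transport the vendor's connector supports. The script below is an added example, not code from the thread or from any vendor: it assumes the DC is `dc1.corp.example.com` (a placeholder FQDN), that the client runs as a domain user, and that the client already trusts the issuer of the DC's LDAPS certificate. Connect by FQDN, not IP, because the name must match the certificate. One caveat on the replication question from the original post: DC-to-DC replication uses RPC authenticated with Kerberos, not LDAP, so enabling LDAPS on one DC changes nothing there; each DC that should answer on 636 needs its own certificate carrying its own name.

```powershell
# Added example (not from the original thread).
# Assumptions: DC FQDN dc1.corp.example.com, run as a domain user,
# client trusts the issuer of the DC's certificate.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$dc = 'dc1.corp.example.com'   # assumed placeholder; use the DC's real FQDN

# 1. On the DC itself: both listeners coexist. 389 serves plain LDAP and
#    STARTTLS, 636 serves LDAPS. Enabling 636 does not remove 389.
Get-NetTCPConnection -State Listen -LocalPort 389, 636 |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 2. From a client: bind over plain LDAP, STARTTLS and LDAPS.
function Test-LdapBind {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int]    $Port = 389,
        [switch] $Ssl,        # LDAPS: TLS from the first byte, port 636
        [switch] $StartTls    # STARTTLS: upgrade a 389 session before binding
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.ProtocolVersion = 3

    # Log which certificate the DC presents, but keep validation strict:
    # Verify() chain-builds against this machine's trusted roots, so a
    # self-signed DC certificate fails here until it is in Trusted Root.
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        Write-Host ("  server cert: {0} | issuer: {1} | expires: {2}" -f $c.Subject, $c.Issuer, $c.NotAfter)
        return $c.Verify()
    }

    if ($Ssl) { $conn.SessionOptions.SecureSocketLayer = $true }

    try {
        if ($StartTls) { $conn.SessionOptions.StartTransportLayerSecurity($null) }
        $conn.Bind()   # no credential given: binds as the current Windows identity
        "{0}:{1} ssl={2} starttls={3} bind OK" -f $Server, $Port, [bool]$Ssl, [bool]$StartTls
    } catch {
        "{0}:{1} ssl={2} starttls={3} bind FAILED: {4}" -f $Server, $Port, [bool]$Ssl, [bool]$StartTls, $_.Exception.Message
    } finally {
        $conn.Dispose()
    }
}

Test-LdapBind -Server $dc -Port 389              # plain LDAP, what the LAN appliances use
Test-LdapBind -Server $dc -Port 389 -StartTls    # STARTTLS on the same port
Test-LdapBind -Server $dc -Port 636 -Ssl         # LDAPS
```

If the plain 389 bind works and the 636 bind fails with a server-down or certificate error, the transport is the problem (no suitable certificate on the DC, a name mismatch, or an untrusted issuer on the client), not the directory; that is the same symptom ldp.exe shows as a failed SSL connect.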
Kevin Staley (ASKER):
Thanks to you both!

Follow up question...could I install a certificate on only one of our DCs since the external service will be redirected to only one? If yes, how is the certificate created? I saw this article referenced in several posts (TechNet article) - assuming it applies to my intended use, which steps correspond to what I need to do?
SOLUTION [solution text is only available to Experts Exchange members and is not included here]
@MidnightOne - thanks for the reply and advice. I will need to raise our Domain and Forest to 2008 to deploy an RODC (I have been intending to raise it anyway, so another reason to get on with it). Will the public and private key reside on the DC? If not, where is the public key installed?
The DC will have its private key; that is how it can decrypt traffic it receives that was encrypted with its public key.
So, after spending an hour or two trying several things, I still do not have LDAPS working. The vendor referred me to Microsoft support for assistance with the certificate installation. I noticed in the LDAP settings within their solution's config (see attached screenshot) that they accommodate a self-signed certificate. So, I created and installed a certificate on the DC and placed it in the Computer/Personal folder and in the Computer/Trusted Root location, then exported it and imported it into the Services (AD Domain Services)/NTDS\Personal store too. I used LDP.exe to test, but it would not connect via 636 and SSL.

FYI - I used the certreq steps shown in this article (link) to create and install the certificate.
Forgot to mention...in the vendor's LDAP config section they also have a place to define the LDAP host. It has two fields, one for the host name (or IP), and the port number to use.
This article (link) shows the process for configuring LDAPS with a self-signed cert by enabling the CA role on the 2012 (DC) server. Can it be done without doing so?
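The CA role is not required: a self-signed certificate created on the DC itself works for LDAPS as long as it carries the DC's FQDN, the Server Authentication EKU and a private key the DC can use. The script below is an added example, not the linked article's procedure or anything posted in this thread. It assumes it is run elevated on the DC, that the DC's FQDN resolves from the machine itself, and that `C:\Temp` exists for the export; the file names are placeholders.

```powershell
# Added example (not from the original thread). Run elevated on the DC.
# Assumptions: DC FQDN resolvable locally, C:\Temp exists, names below are placeholders.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Self-signed certificate in the Local Computer Personal store.
#    On 2012 R2 New-SelfSignedCertificate only takes -DnsName and -CertStoreLocation;
#    it produces a 2048-bit RSA key with Server and Client Authentication EKUs,
#    which is what Schannel needs for LDAPS. No CA role involved.
$cert = New-SelfSignedCertificate -DnsName $fqdn -CertStoreLocation 'Cert:\LocalMachine\My'

# 2. Check the three things Schannel requires before blaming the client.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$serverAuth = $ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }
if (-not $serverAuth)         { throw 'Certificate lacks the Server Authentication EKU (1.3.6.1.5.5.7.3.1)' }
if (-not $cert.HasPrivateKey) { throw 'No private key in the machine store; Schannel cannot use this cert' }
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($dnsName -ne $fqdn)       { throw "Certificate name '$dnsName' does not match DC FQDN '$fqdn'" }
"Certificate OK: thumbprint $($cert.Thumbprint), DNS name $dnsName"

# 3. Tell the LDAP server to reload its certificate without a reboot.
#    This is the documented rootDSE 'renewServerCertificate' modify, via ldifde.
$ldif = @"
dn:
changetype: modify
add: renewServerCertificate
renewServerCertificate: 1
-
"@
$ldifPath = 'C:\Temp\ldap-renewservercert.txt'   # placeholder path
Set-Content -Path $ldifPath -Value $ldif -Encoding ASCII
ldifde -i -f $ldifPath

# 4. Export the public certificate (no private key) for clients that must trust it:
#    the archiving vendor's connector, admin PCs running ldp.exe, etc.
Export-Certificate -Cert $cert -FilePath 'C:\Temp\ldaps-dc.cer' | Out-Null
"Exported C:\Temp\ldaps-dc.cer; import it into Trusted Root on each client"
```

Two caveats. First, Schannel picks the LDAPS certificate from the Local Computer Personal store automatically only when exactly one certificate there qualifies; if the DC holds several, put the intended one into the NTDS\Personal service store (certlm.msc, Services, Active Directory Domain Services), which takes precedence. Second, the DC never needs its own self-signed certificate in its Trusted Root to present it; the trust decision belongs to the client, which is why the .cer export goes to the vendor and to any workstation used for ldp.exe testing. On the client, connect by the FQDN on the certificate, since an IP address will never match.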
I ended up configuring AD LDS on a member server (2012 R2). Using IIS on that server I created a self-signed certificate. I have successfully connected to it from my PC once I installed the certificate on it too. The external vendor's solution though still has not successfully connected. I am still working with them to get that part working too.

Thanks for all the assistance!
No worries. I've found a fair number of vendors have no idea how to deal with a self-signed certificate; they simply have to find a way to add that to a trusted root or whatever the equivalent exists on their systems.

be sure to tip your waitresses. :)