LDAPs on Wndows Server

LateNaite
LateNaite used Ask the Experts™
on
I was trying to set up LDAPs on Windows Server and followed the steps below:

https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-step-guide-to-setup-ldaps-on-windows-server/

Everything seemed to work fine except the server was already using port 389 and 636 so I had to choose different ports that it chose for LDAP and LDAPs and when I tried to test it using ldaps, I coudn't connect to it and below are some errors:



ld = ldap_sslinit("10.1.1.1", 51879, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to 10.1.1.1.
ld = ldap_sslinit("srv-test002", 51879, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to srv-test002.
ld = ldap_sslinit("srv-test002.ctest.corp", 51879, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to srv-test002.ctest.corp.
ld = ldap_sslinit("ctestldaps", 51879, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to ctestldaps.
ld = ldap_open("ctestldaps", 51878);
Error <0x51>: Fail to connect to ctestldaps.
ld = ldap_open("10.1.1.1", 51878);
Established connection to 10.1.1.1.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430};
currentTime: 8/16/2018 5:42:51 PM Pacific Daylight Time;
dnsHostName: srv-test002.ctest.corp;
domainControllerFunctionality: 6 = ( WIN2012R2 );
dsServiceName: CN=NTDS Settings,CN=srv-test002$ctestdaps,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430};
forestFunctionality: 2 = ( WIN2003 );
highestCommittedUSN: 14074;
isSynchronized: TRUE;
namingContexts (3): CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430}; CN=Schema,CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430}; CN=srv-test002,DC=ctest,DC=corp;
schemaNamingContext: CN=Schema,CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430};
serverName: CN=srv-test002$ctestdaps,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430};
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430};
supportedCapabilities (7): 1.2.840.113556.1.4.1851 = ( ACTIVE_DIRECTORY_ADAM ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080 = ( ACTIVE_DIRECTORY_V61_R2 ); 1.2.840.113556.1.4.2237 = ( ACTIVE_DIRECTORY_W8 ); 1.2.840.113556.1.4.1880 = ( ACTIVE_DIRECTORY_ADAM_DIGEST );
supportedControl (37): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS_DEPRECATED ); 1.2.840.113556.1.4.2090 = ( DIRSYNC_EX ); 1.2.840.113556.1.4.2205 = ( UPDATE_STATS ); 1.2.840.113556.1.4.2204 = ( TREE_DELETE_EX ); 1.2.840.113556.1.4.2206 = ( SEARCH_HINTS ); 1.2.840.113556.1.4.2211 = ( EXPECTED_ENTRY_COUNT ); 1.2.840.113556.1.4.2239 = ( POLICY_HINTS ); 1.2.840.113556.1.4.2255; 1.2.840.113556.1.4.2256;
supportedLDAPPolicies (19): MaxPoolThreads; MaxPercentDirSyncRequests; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxBatchReturnMessages; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; MaxValRangeTransitive; ThreadMemoryLimit; SystemMemoryLimitPercent;
supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;

-----------
0x0 = ldap_unbind(ld);
ld = ldap_sslinit("10.1.1.1", 51879, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to 10.1.1.1.
ld = ldap_sslinit("10.1.1.1", 636, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to 10.1.1.1.


Does anyone know what the issue might be?
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
View Solution Only
arnold
Distinguished Expert 2017

Commented:
your test uses the 389, 636 port versus the ports n which you setp
LateNaiteCEO and Founder

Author

Commented:
I did test with the 51879 port as well and it wouldn't connect.
arnold
Distinguished Expert 2017

Commented:
are you testing locally on the server where it is setup?

use the localhost (127.0.0.1) as the IP to which to connect.
Bypassing windows firewall.
Bootstrap 4: Exploring New Features

Learn how to use and navigate the new features included in Bootstrap 4, the most popular HTML, CSS, and JavaScript framework for developing responsive, mobile-first websites.

Learn More!
LateNaiteCEO and Founder

Author

Commented:
Yes, I tested it locally.  It works fine on port 389 and 636.  thank you!
LateNaiteCEO and Founder

Author

Commented:
Hi Arnold,

I tried this again using the localhost ( I missed that originally) and it seems to connect fine with 389 and port 636 but I get this output from 636 (there are errors are the begging but after that it says that it supports SSL:


ld = ldap_sslinit("localhost", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to localhost.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=testlab,DC=corp;
currentTime: 8/28/2018 9:39:57 AM Pacific Daylight Time;
defaultNamingContext: DC=testlab,DC=corp;
dnsHostName: srv-lab002.testlab.corp;
domainControllerFunctionality: 6 = ( WIN2012R2 );
domainFunctionality: 4 = ( WIN2008R2 );
dsServiceName: CN=NTDS Settings,CN=srv-lab002,CN=Servers,CN=MN,CN=Sites,CN=Configuration,DC=testlab,DC=corp;
forestFunctionality: 2 = ( WIN2003 );
highestCommittedUSN: 4294929;
isGlobalCatalogReady: TRUE;
isSynchronized: TRUE;
ldapServiceName: testlab.corp:srv-lab002$@testlab.CORP;
namingContexts (5): DC=testlab,DC=corp; CN=Configuration,DC=testlab,DC=corp; CN=Schema,CN=Configuration,DC=testlab,DC=corp; DC=DomainDnsZones,DC=testlab,DC=corp; DC=ForestDnsZones,DC=testlab,DC=corp;
rootDomainNamingContext: DC=testlab,DC=corp;
schemaNamingContext: CN=Schema,CN=Configuration,DC=testlab,DC=corp;
serverName: CN=srv-lab002,CN=Servers,CN=MN,CN=Sites,CN=Configuration,DC=testlab,DC=corp;
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=testlab,DC=corp;
supportedCapabilities (6): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080 = ( ACTIVE_DIRECTORY_V61_R2 ); 1.2.840.113556.1.4.2237 = ( ACTIVE_DIRECTORY_W8 );
supportedControl (37): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS_DEPRECATED ); 1.2.840.113556.1.4.2090 = ( DIRSYNC_EX ); 1.2.840.113556.1.4.2205 = ( UPDATE_STATS ); 1.2.840.113556.1.4.2204 = ( TREE_DELETE_EX ); 1.2.840.113556.1.4.2206 = ( SEARCH_HINTS ); 1.2.840.113556.1.4.2211 = ( EXPECTED_ENTRY_COUNT ); 1.2.840.113556.1.4.2239 = ( POLICY_HINTS ); 1.2.840.113556.1.4.2255; 1.2.840.113556.1.4.2256;
supportedLDAPPolicies (19): MaxPoolThreads; MaxPercentDirSyncRequests; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxBatchReturnMessages; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; MaxValRangeTransitive; ThreadMemoryLimit; SystemMemoryLimitPercent;
supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;

-----------

I tried my test from the Cisco ASA firewall but it still failed although my test is using an IP.  I am trying to see if there firewall can be disabled on the public network (it is disabled on the domain and private network.
arnold
Distinguished Expert 2017

Commented:
You need to check whether you allow external queries on port 389, 636
The Domain, private, public relies on the network center and how the connection is defined.

i.e. in network center,
you will have
PC => Connection Name >Internet ..
below it will have Connection Name and the network Type you are IN.
Based on this , the firewall rules will be set.
often the option is either private/home or public. WHen the computer is a member of a domain, and when it detects the DC it will commonly set itself to be in a domain environment...

https://social.technet.microsoft.com/Forums/office/en-US/8d0bdf78-1cfb-440c-926e-8998cdba342c/how-do-you-change-network-location-type-on-server-2012?forum=winserver8gen
LateNaiteCEO and Founder

Author

Commented:
Thank you Arnold for this.

The firewall that I am testing this from (non-Windows device) is on the internal of the network but this will be a public connection since it is not part of the domain?

Here is a toplogy:

Windows AD (internal NIC) <-> inside interface <-> Firewall

thank you!
arnold
Distinguished Expert 2017

Commented:
Ok, I am unclear what you are testing.
1) windows server, has windows firewal. Make sure LDAP/s ports are allowed through the windows built-in firewall. confirm access by LAN IP.
2) on your external firewall, test the the access-rules, port forwarding. Though allowing internet access to these ports on the DC server directly is not advisable. look at using ADFS as the intermediary limiting an attack vector.

Make sure if you want the firewall to talk to the LDAP, make sure to properly set the interface from which the firewall will appear to the LDAP server
Mubarak AhmedSenior System Administrator

Commented:
Make sure that you have valid LDAPs certificate in CA server and root certificate installed in app/target server.
LateNaiteCEO and Founder

Author

Commented:
It appears to be an internal certificate issue.
LateNaiteCEO and Founder

Author

Commented:
It appears to be an internal certificate issue.
CEO and Founder
Commented:
This issue might be related to the server itself. We're going to test with a different member server.

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial