
LDAPs on Windows Server

LateNaite asked
Last Modified: 2019-03-12
I was trying to set up LDAPs on Windows Server and followed the steps below:

https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-step-guide-to-setup-ldaps-on-windows-server/

Everything seemed to work fine, except the server was already using ports 389 and 636, so I had to choose different ports from the ones it chose for LDAP and LDAPs. When I tried to test it using LDAPs, I couldn't connect to it; below are some errors:

ld = ldap_sslinit("10.1.1.1", 51879, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to 10.1.1.1.
ld = ldap_sslinit("srv-test002", 51879, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to srv-test002.
ld = ldap_sslinit("srv-test002.ctest.corp", 51879, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to srv-test002.ctest.corp.
ld = ldap_sslinit("ctestldaps", 51879, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to ctestldaps.
ld = ldap_open("ctestldaps", 51878);
Error <0x51>: Fail to connect to ctestldaps.
ld = ldap_open("10.1.1.1", 51878);
Established connection to 10.1.1.1.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430};
currentTime: 8/16/2018 5:42:51 PM Pacific Daylight Time;
dnsHostName: srv-test002.ctest.corp;
domainControllerFunctionality: 6 = ( WIN2012R2 );
dsServiceName: CN=NTDS Settings,CN=srv-test002$ctestdaps,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430};
forestFunctionality: 2 = ( WIN2003 );
highestCommittedUSN: 14074;
isSynchronized: TRUE;
namingContexts (3): CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430}; CN=Schema,CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430}; CN=srv-test002,DC=ctest,DC=corp;
schemaNamingContext: CN=Schema,CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430};
serverName: CN=srv-test002$ctestdaps,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430};
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430};
supportedCapabilities (7): 1.2.840.113556.1.4.1851 = ( ACTIVE_DIRECTORY_ADAM ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080 = ( ACTIVE_DIRECTORY_V61_R2 ); 1.2.840.113556.1.4.2237 = ( ACTIVE_DIRECTORY_W8 ); 1.2.840.113556.1.4.1880 = ( ACTIVE_DIRECTORY_ADAM_DIGEST );
supportedControl (37): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS_DEPRECATED ); 1.2.840.113556.1.4.2090 = ( DIRSYNC_EX ); 1.2.840.113556.1.4.2205 = ( UPDATE_STATS ); 1.2.840.113556.1.4.2204 = ( TREE_DELETE_EX ); 1.2.840.113556.1.4.2206 = ( SEARCH_HINTS ); 1.2.840.113556.1.4.2211 = ( EXPECTED_ENTRY_COUNT ); 1.2.840.113556.1.4.2239 = ( POLICY_HINTS ); 1.2.840.113556.1.4.2255; 1.2.840.113556.1.4.2256;
supportedLDAPPolicies (19): MaxPoolThreads; MaxPercentDirSyncRequests; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxBatchReturnMessages; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; MaxValRangeTransitive; ThreadMemoryLimit; SystemMemoryLimitPercent;
supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;

-----------
0x0 = ldap_unbind(ld);
ld = ldap_sslinit("10.1.1.1", 51879, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to 10.1.1.1.
ld = ldap_sslinit("10.1.1.1", 636, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to 10.1.1.1.


Does anyone know what the issue might be?

Arnold (Certified Expert, Distinguished Expert 2019) commented:
Your test uses the 389, 636 ports versus the ports on which you set it up.
LateNaite (Author, CEO and Founder) commented:
I did test with the 51879 port as well and it wouldn't connect.
Arnold (Certified Expert, Distinguished Expert 2019) commented:
Are you testing locally on the server where it is set up?

Use localhost (127.0.0.1) as the IP to which to connect, bypassing the Windows firewall.
LateNaite (Author, CEO and Founder) commented:
Yes, I tested it locally. It works fine on ports 389 and 636. Thank you!
LateNaite (Author, CEO and Founder) commented:
Hi Arnold,

I tried this again using localhost (I missed that originally) and it seems to connect fine with 389 and port 636, but I get this output from 636 (there are errors at the beginning, but after that it says that it supports SSL):

ld = ldap_sslinit("localhost", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to localhost.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=testlab,DC=corp;
currentTime: 8/28/2018 9:39:57 AM Pacific Daylight Time;
defaultNamingContext: DC=testlab,DC=corp;
dnsHostName: srv-lab002.testlab.corp;
domainControllerFunctionality: 6 = ( WIN2012R2 );
domainFunctionality: 4 = ( WIN2008R2 );
dsServiceName: CN=NTDS Settings,CN=srv-lab002,CN=Servers,CN=MN,CN=Sites,CN=Configuration,DC=testlab,DC=corp;
forestFunctionality: 2 = ( WIN2003 );
highestCommittedUSN: 4294929;
isGlobalCatalogReady: TRUE;
isSynchronized: TRUE;
ldapServiceName: testlab.corp:srv-lab002$@testlab.CORP;
namingContexts (5): DC=testlab,DC=corp; CN=Configuration,DC=testlab,DC=corp; CN=Schema,CN=Configuration,DC=testlab,DC=corp; DC=DomainDnsZones,DC=testlab,DC=corp; DC=ForestDnsZones,DC=testlab,DC=corp;
rootDomainNamingContext: DC=testlab,DC=corp;
schemaNamingContext: CN=Schema,CN=Configuration,DC=testlab,DC=corp;
serverName: CN=srv-lab002,CN=Servers,CN=MN,CN=Sites,CN=Configuration,DC=testlab,DC=corp;
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=testlab,DC=corp;
supportedCapabilities (6): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080 = ( ACTIVE_DIRECTORY_V61_R2 ); 1.2.840.113556.1.4.2237 = ( ACTIVE_DIRECTORY_W8 );
supportedControl (37): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS_DEPRECATED ); 1.2.840.113556.1.4.2090 = ( DIRSYNC_EX ); 1.2.840.113556.1.4.2205 = ( UPDATE_STATS ); 1.2.840.113556.1.4.2204 = ( TREE_DELETE_EX ); 1.2.840.113556.1.4.2206 = ( SEARCH_HINTS ); 1.2.840.113556.1.4.2211 = ( EXPECTED_ENTRY_COUNT ); 1.2.840.113556.1.4.2239 = ( POLICY_HINTS ); 1.2.840.113556.1.4.2255; 1.2.840.113556.1.4.2256;
supportedLDAPPolicies (19): MaxPoolThreads; MaxPercentDirSyncRequests; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxBatchReturnMessages; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; MaxValRangeTransitive; ThreadMemoryLimit; SystemMemoryLimitPercent;
supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;

-----------

I tried my test from the Cisco ASA firewall, but it still failed although my test is using an IP. I am trying to see if the firewall can be disabled on the public network (it is disabled on the domain and private networks).
Arnold (Certified Expert, Distinguished Expert 2019) commented:
You need to check whether you allow external queries on ports 389, 636.
The Domain, Private, Public profile relies on the Network Center and how the connection is defined.

i.e. in Network Center,
you will have
PC => Connection Name > Internet ..
below it will have Connection Name and the network type you are in.
Based on this, the firewall rules will be set.
Often the option is either Private/Home or Public. When the computer is a member of a domain, and when it detects the DC, it will commonly set itself to be in a domain environment...

https://social.technet.microsoft.com/Forums/office/en-US/8d0bdf78-1cfb-440c-926e-8998cdba342c/how-do-you-change-network-location-type-on-server-2012?forum=winserver8gen
LateNaite (Author, CEO and Founder) commented:
Thank you Arnold for this.

The firewall that I am testing this from (a non-Windows device) is on the internal side of the network, but will this be a public connection since it is not part of the domain?

Here is a topology:

Windows AD (internal NIC) <-> inside interface <-> Firewall

thank you!
Arnold (Certified Expert, Distinguished Expert 2019) commented:
Ok, I am unclear what you are testing.
1) Windows Server has the Windows firewall. Make sure the LDAP/S ports are allowed through the Windows built-in firewall. Confirm access by LAN IP.
2) On your external firewall, test the access rules, port forwarding. Though allowing internet access to these ports on the DC server directly is not advisable; look at using ADFS as the intermediary, limiting an attack vector.

If you want the firewall to talk to the LDAP server, make sure to properly set the interface from which the firewall will appear to the LDAP server.
Mubarak Ahmed (Senior System Administrator) commented:
Make sure that you have a valid LDAPs certificate in the CA server and the root certificate installed in the app/target server.
LateNaite (Author, CEO and Founder) commented:
It appears to be an internal certificate issue.
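As an added example (not part of this thread and not ldp.exe output), the Python below checks the two things the closing comments point at: it opens a fully verified TLS session to a DC on 636 or a custom LDAPS port, and it tests whether the name the client dialed (FQDN, short name, IP or alias, as tried above) is actually covered by the certificate's Subject Alternative Name. The host names, the IP and the certificate contents are constructed for the example.

```python
import socket
import ssl
from ipaddress import ip_address

def san_names(cert):
    """Split the SAN extension of an ssl.getpeercert() dict into DNS and IP entries."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower().rstrip("."))
        elif kind == "IP Address":
            ips.append(str(ip_address(value)))
    return dns, ips

def name_covered(cert, target):
    """True if the name or IP the client dialed is covered by the certificate's SAN.
    Same rule a TLS client applies: IP literal vs IP SAN, DNS name vs exact or *.label SAN."""
    dns, ips = san_names(cert)
    try:
        return str(ip_address(target)) in ips      # client dialed an IP literal
    except ValueError:
        pass                                       # not an IP: treat as a DNS name
    name = target.lower().rstrip(".")
    for pattern in dns:
        if pattern == name:
            return True
        if pattern.startswith("*.") and "." in name and name.split(".", 1)[1] == pattern[2:]:
            return True
    return False

def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Open a verified TLS session to host:port and return the peer certificate dict.
    cafile is the PEM bundle with the internal CA that issued the DC certificate; a chain
    or hostname failure raises ssl.SSLCertVerificationError instead of returning."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed certificate, in ssl.getpeercert() shape, issued only to the DC's FQDN.
SAMPLE_CERT = {
    "subject": ((("commonName", "srv-lab002.testlab.corp"),),),
    "subjectAltName": (("DNS", "srv-lab002.testlab.corp"),),
}

if __name__ == "__main__":
    for dialed in ("srv-lab002.testlab.corp", "srv-lab002", "localhost", "10.1.1.1"):
        print(f"{dialed:28} covered by SAN: {name_covered(SAMPLE_CERT, dialed)}")
```

With a certificate like SAMPLE_CERT, only the FQDN passes; connecting by IP, short name or a CNAME alias fails hostname verification even when the chain itself is trusted, so the fix is a certificate whose SAN lists every name clients will dial.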