LDAPs on Windows Server

I was trying to set up LDAPs on Windows Server and followed the steps below:

https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-step-guide-to-setup-ldaps-on-windows-server/

Everything seemed to work fine, except the server was already using ports 389 and 636, so I had to choose different ports than the ones it chose for LDAP and LDAPs. When I tried to test it using LDAPs, I couldn't connect to it, and below are some errors:



ld = ldap_sslinit("10.1.1.1", 51879, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to 10.1.1.1.
ld = ldap_sslinit("srv-test002", 51879, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to srv-test002.
ld = ldap_sslinit("srv-test002.ctest.corp", 51879, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to srv-test002.ctest.corp.
ld = ldap_sslinit("ctestldaps", 51879, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to ctestldaps.
ld = ldap_open("ctestldaps", 51878);
Error <0x51>: Fail to connect to ctestldaps.
ld = ldap_open("10.1.1.1", 51878);
Established connection to 10.1.1.1.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430};
currentTime: 8/16/2018 5:42:51 PM Pacific Daylight Time;
dnsHostName: srv-test002.ctest.corp;
domainControllerFunctionality: 6 = ( WIN2012R2 );
dsServiceName: CN=NTDS Settings,CN=srv-test002$ctestdaps,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430};
forestFunctionality: 2 = ( WIN2003 );
highestCommittedUSN: 14074;
isSynchronized: TRUE;
namingContexts (3): CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430}; CN=Schema,CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430}; CN=srv-test002,DC=ctest,DC=corp;
schemaNamingContext: CN=Schema,CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430};
serverName: CN=srv-test002$ctestdaps,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430};
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,CN={0B174EFA-94DB-473D-A005-BD60D0433430};
supportedCapabilities (7): 1.2.840.113556.1.4.1851 = ( ACTIVE_DIRECTORY_ADAM ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080 = ( ACTIVE_DIRECTORY_V61_R2 ); 1.2.840.113556.1.4.2237 = ( ACTIVE_DIRECTORY_W8 ); 1.2.840.113556.1.4.1880 = ( ACTIVE_DIRECTORY_ADAM_DIGEST );
supportedControl (37): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS_DEPRECATED ); 1.2.840.113556.1.4.2090 = ( DIRSYNC_EX ); 1.2.840.113556.1.4.2205 = ( UPDATE_STATS ); 1.2.840.113556.1.4.2204 = ( TREE_DELETE_EX ); 1.2.840.113556.1.4.2206 = ( SEARCH_HINTS ); 1.2.840.113556.1.4.2211 = ( EXPECTED_ENTRY_COUNT ); 1.2.840.113556.1.4.2239 = ( POLICY_HINTS ); 1.2.840.113556.1.4.2255; 1.2.840.113556.1.4.2256;
supportedLDAPPolicies (19): MaxPoolThreads; MaxPercentDirSyncRequests; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxBatchReturnMessages; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; MaxValRangeTransitive; ThreadMemoryLimit; SystemMemoryLimitPercent;
supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;

-----------
0x0 = ldap_unbind(ld);
ld = ldap_sslinit("10.1.1.1", 51879, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to 10.1.1.1.
ld = ldap_sslinit("10.1.1.1", 636, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to 10.1.1.1.


Does anyone know what the issue might be?
LateNaiteCEO and FounderAsked:

arnoldCommented:
Your test uses the 389 and 636 ports versus the ports on which you set it up.
LateNaiteCEO and FounderAuthor Commented:
I did test with the 51879 port as well and it wouldn't connect.
arnoldCommented:
Are you testing locally on the server where it is set up?

Use localhost (127.0.0.1) as the IP to which to connect, bypassing the Windows firewall.

LateNaiteCEO and FounderAuthor Commented:
Yes, I tested it locally. It works fine on ports 389 and 636. Thank you!
LateNaiteCEO and FounderAuthor Commented:
Hi Arnold,

I tried this again using localhost (I missed that originally) and it seems to connect fine with 389 and port 636, but I get this output from 636 (there are errors at the beginning, but after that it says that it supports SSL):


ld = ldap_sslinit("localhost", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to localhost.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=testlab,DC=corp;
currentTime: 8/28/2018 9:39:57 AM Pacific Daylight Time;
defaultNamingContext: DC=testlab,DC=corp;
dnsHostName: srv-lab002.testlab.corp;
domainControllerFunctionality: 6 = ( WIN2012R2 );
domainFunctionality: 4 = ( WIN2008R2 );
dsServiceName: CN=NTDS Settings,CN=srv-lab002,CN=Servers,CN=MN,CN=Sites,CN=Configuration,DC=testlab,DC=corp;
forestFunctionality: 2 = ( WIN2003 );
highestCommittedUSN: 4294929;
isGlobalCatalogReady: TRUE;
isSynchronized: TRUE;
ldapServiceName: testlab.corp:srv-lab002$@testlab.CORP;
namingContexts (5): DC=testlab,DC=corp; CN=Configuration,DC=testlab,DC=corp; CN=Schema,CN=Configuration,DC=testlab,DC=corp; DC=DomainDnsZones,DC=testlab,DC=corp; DC=ForestDnsZones,DC=testlab,DC=corp;
rootDomainNamingContext: DC=testlab,DC=corp;
schemaNamingContext: CN=Schema,CN=Configuration,DC=testlab,DC=corp;
serverName: CN=srv-lab002,CN=Servers,CN=MN,CN=Sites,CN=Configuration,DC=testlab,DC=corp;
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=testlab,DC=corp;
supportedCapabilities (6): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080 = ( ACTIVE_DIRECTORY_V61_R2 ); 1.2.840.113556.1.4.2237 = ( ACTIVE_DIRECTORY_W8 );
supportedControl (37): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS_DEPRECATED ); 1.2.840.113556.1.4.2090 = ( DIRSYNC_EX ); 1.2.840.113556.1.4.2205 = ( UPDATE_STATS ); 1.2.840.113556.1.4.2204 = ( TREE_DELETE_EX ); 1.2.840.113556.1.4.2206 = ( SEARCH_HINTS ); 1.2.840.113556.1.4.2211 = ( EXPECTED_ENTRY_COUNT ); 1.2.840.113556.1.4.2239 = ( POLICY_HINTS ); 1.2.840.113556.1.4.2255; 1.2.840.113556.1.4.2256;
supportedLDAPPolicies (19): MaxPoolThreads; MaxPercentDirSyncRequests; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxBatchReturnMessages; MaxQueryDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; MaxValRangeTransitive; ThreadMemoryLimit; SystemMemoryLimitPercent;
supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;

-----------

I tried my test from the Cisco ASA firewall but it still failed, although my test is using an IP. I am trying to see if the firewall can be disabled on the public network (it is disabled on the domain and private networks).
arnoldCommented:
You need to check whether you allow external queries on ports 389 and 636.
The Domain, Private and Public profiles rely on Network and Sharing Center and how the connection is defined.

i.e. in Network and Sharing Center,
you will have
PC => Connection Name > Internet ..
Below it will have the Connection Name and the network type you are in.
Based on this, the firewall rules will be set.
Often the option is either Private/Home or Public. When the computer is a member of a domain, and when it detects the DC, it will commonly set itself to be in a domain environment...

https://social.technet.microsoft.com/Forums/office/en-US/8d0bdf78-1cfb-440c-926e-8998cdba342c/how-do-you-change-network-location-type-on-server-2012?forum=winserver8gen
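As an added example that is not from Arnold's reply or anything else in this thread, this PowerShell shows, on the DC itself, which firewall profile each interface has landed in and how to open the LDAPS port narrowly instead of disabling the firewall; the port, the ASA inside address and the rule name are placeholders I chose.

```powershell
# Added example (not from the thread). Run in an elevated PowerShell on the DC.
$LdapsPort = 636            # placeholder: or the custom port (51879 in the question)
$AsaInside = '10.1.1.254'   # placeholder: the ASA's inside-interface address

# 1. Which profile applies to each NIC? A NIC classed Public uses the Public
#    ruleset, so a Domain/Private-only rule never matches traffic arriving on it.
Get-NetConnectionProfile |
    Select-Object Name, InterfaceAlias, NetworkCategory |
    Format-Table -AutoSize

# 2. Does any enabled inbound rule already open the LDAPS port, and on which profiles?
Get-NetFirewallPortFilter |
    Where-Object { $_.Protocol -eq 'TCP' -and "$($_.LocalPort)" -eq "$LdapsPort" } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Enabled -eq 'True' } |
    Select-Object DisplayName, Profile, Action |
    Format-Table -AutoSize

# 3. Add a narrow allow rule: only this port, only from the ASA's inside address,
#    only on the profiles the DC's interface actually sits in. This is the
#    least-privilege alternative to turning the Public profile off.
$ruleName = "LDAPS $LdapsPort from ASA (added example)"
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $LdapsPort -RemoteAddress $AsaInside -Profile Domain,Private `
        -Action Allow -Enabled True | Out-Null
}

# 4. If the interface was misclassified as Public, reclassify it rather than
#    widening the rule (InterfaceAlias placeholder from the step 1 output).
# Set-NetConnectionProfile -InterfaceAlias 'Ethernet' -NetworkCategory Private
```

After the rule is in place, re-run the reachability test from the far side (for example Test-NetConnection against the DC on the LDAPS port) before touching the certificate side.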
LateNaiteCEO and FounderAuthor Commented:
Thank you Arnold for this.

The firewall that I am testing this from (a non-Windows device) is on the internal side of the network, but this will be a public connection since it is not part of the domain?

Here is a topology:

Windows AD (internal NIC) <-> inside interface <-> Firewall

Thank you!
arnoldCommented:
OK, I am unclear what you are testing.
1) The Windows server has the Windows firewall. Make sure the LDAP/S ports are allowed through the Windows built-in firewall. Confirm access by LAN IP.
2) On your external firewall, test the access rules and port forwarding. Though allowing internet access to these ports on the DC server directly is not advisable; look at using ADFS as the intermediary, limiting an attack vector.

If you want the firewall to talk to the LDAP server, make sure to properly set the interface from which the firewall will appear to the LDAP server.
Mubarak AhmedSenior System AdministratorCommented:
Make sure that you have a valid LDAPS certificate on the CA server and the root certificate installed on the app/target server.
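To separate Arnold's point (is the port reachable through the firewalls?) from Mubarak's (is the certificate the DC presents actually valid?), here is an added PowerShell script that is not from the thread. It is run from a client that is not the DC, the way the ASA would see it; the server name and port are placeholders, and the checks reflect what a DC certificate needs for LDAPS (trusted chain, FQDN in the SAN, Server Authentication EKU).

```powershell
# Added example (not from the thread). Save as Test-Ldaps.ps1 and run from a
# non-domain client; host and port below are placeholders.
param(
    [string]$Server = 'srv-lab002.testlab.corp',   # placeholder DC FQDN
    [int]$Port = 636                               # or the custom LDAPS port
)

# 1. Reachability first: a firewall/port problem looks different from a TLS problem.
$tcp = Test-NetConnection -ComputerName $Server -Port $Port -WarningAction SilentlyContinue
if (-not $tcp.TcpTestSucceeded) {
    Write-Output "TCP ${Server}:${Port} unreachable - check the Windows Firewall profile/rules and the ASA path"
    return
}

# 2. LDAPS is TLS from the first byte, so a plain SslStream handshake retrieves
#    the certificate the DC presents. The callback accepts anything here so the
#    validation below can report *why* a client would reject it.
$client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
try { $ssl.AuthenticateAsClient($Server) }
catch { Write-Output "TLS handshake failed: $($_.Exception.Message)"; $client.Dispose(); return }
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
Write-Output "Protocol: $($ssl.SslProtocol)  Cipher: $($ssl.CipherAlgorithm) $($ssl.CipherStrength) bits"
Write-Output "Subject:  $($cert.Subject)"
Write-Output "Issuer:   $($cert.Issuer)"
Write-Output "Valid:    $($cert.NotBefore) to $($cert.NotAfter)"

# 3a. Chain: does this client trust the issuing CA (root installed as Mubarak says)?
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if ($chain.Build($cert)) { Write-Output 'CHAIN:    trusted' }
else { $chain.ChainStatus | ForEach-Object { Write-Output "CHAIN:    $($_.Status) - $($_.StatusInformation.Trim())" } }

# 3b. Name: the FQDN the client connects to must appear in the SAN (OID 2.5.29.17).
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($san) { $san.Format($false) } else { '<none>' }
Write-Output "SAN:      $sanText"
if ($sanText -notmatch [regex]::Escape($Server)) { Write-Output "NAME:     $Server not in SAN - clients will reject it" }

# 3c. EKU: Server Authentication (1.3.6.1.5.5.7.3.1) must be present (EKU ext OID 2.5.29.37).
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
Write-Output ('EKU:      ' + $(if ($hasServerAuth) { 'Server Authentication present' } else { 'Server Authentication MISSING' }))

$ssl.Dispose(); $client.Dispose()
```

Connecting by IP, as the question does, fails the NAME check unless the IP is in the SAN, which is one reason the ldp.exe runs against 10.1.1.1 are not a clean test of the certificate.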
LateNaiteCEO and FounderAuthor Commented:
It appears to be an internal certificate issue.
LateNaiteCEO and FounderAuthor Commented:
This issue might be related to the server itself. We're going to test with a different member server.
