  • configure LDAP to use SSL

    Hello all,

    I've been looking to implement LDAP over SSL for domain controllers only right now. So it seems the way to do it is an Enterprise root CA setup in my Server 2003 AD forest.

    I've been searching online for a few articles and have a few questions.

    1. The majority of the articles suggest using the "Enterprise edition" of Windows Server 2003, yet Standard can offer certificate services as well? I'm not sure what the difference is.

    2. Does the enterprise root CA have to be on a domain controller? Can I install it on any domain controller or will there be issues? (root forest DC vs child domain DC)

    3. Assuming I set up the enterprise root CA, IIS, create the cert, then I'll just set the default domain controller policy to auto-enroll. To test I can use the ldp tool to connect over 636, SSL, to test the connection. Once that is all verified, it's safe to say that LDAP between domain controllers communicates over SSL. Now if I do not autoenroll clients (computers and users) to use SSL, will they not be able to log in? Initially, I just want to roll out this setup for domain controllers only and not to clients.

    If anyone has any great articles on this, I'll be grateful.

    Thanks,

  • #2
    Re: configure LDAP to use SSL

    You can install a CA on any server in the forest that has IIS and ASP extensions installed. When you install an Enterprise Certificate Authority, all domain controllers automatically request a certificate and can support LDAP using SSL on port 636. You can test it by opening ldp.exe, binding to the DC and choosing port 636 before connecting. Then go to the security options in Group Policy and require LDAP signing. If you set the server to Require Signature, you must also set the client. Not setting the client results in loss of connection with the server.
    Read this article; it will help:
    support.microsoft.com/kb/823659
    Last edited by Dr.Kernel; 19th June 2007, 22:12.
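    The ldp.exe test above, scripted as an added example (not code from the thread or from Microsoft): from a domain-joined Windows client it opens a TLS session to a DC on port 636 and checks that the auto-enrolled certificate chains to a trusted CA, names the DC's FQDN and carries the Server Authentication EKU. $DcFqdn is a placeholder you must replace.

    ```powershell
    # Added example: verify a domain controller answers LDAP over SSL on 636 and
    # that its certificate is usable for LDAPS. $DcFqdn is a placeholder value.
    param([string]$DcFqdn = "dc1.corp.example.local")

    $tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
    # Accept any certificate during the handshake; the real checks follow below.
    $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noCheck)
    try {
        $tls.AuthenticateAsClient($DcFqdn)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
    } finally {
        $tls.Dispose(); $tcp.Close()
    }

    # 1. Chain must build to a CA this client trusts (the Enterprise root CA).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    # 2. The DC's FQDN must appear in the subject CN or a DNS SAN entry.
    $dnsNames = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $dnsNames += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1] })
    }
    $nameOk = $dnsNames -contains $DcFqdn

    # 3. EKU must include Server Authentication (1.3.6.1.5.5.7.3.1).
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOk = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

    [pscustomobject]@{
        DC            = $DcFqdn
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Expires       = $cert.NotAfter
        ChainOK       = $chainOk
        NameOK        = $nameOk
        ServerAuthEKU = [bool]$ekuOk
    }
    ```

    All three fields should be True on every DC before you switch the Require Signature policy on, otherwise clients that honour the policy will lose their connection as described above.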



    • #3
      Re: configure LDAP to use SSL

      A great practice (dunno if Microsoft likes it) is to use an offline root CA.
      Just install a server in Virtual PC or VMware.
      Leave it in a workgroup.
      Install a CA root server.
      Install one or more issuing CAs.
      Take the root CA down.
      Burn the VMware image to disk and boot it up only when needed.
      Marcel
      Technical Consultant
      Netherlands
      http://www.phetios.com
      http://blog.nessus.nl

      MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
      "No matter how secure, there is always the human factor."

      "Enjoy life today, tomorrow may never come."
      "If you're going through hell, keep going. ~Winston Churchill"



      • #4
        Re: configure LDAP to use SSL

        Thanks for the tip and article guys!



        • #5
          Re: configure LDAP to use SSL

          Here are some links:
          http://technet2.microsoft.com/Window...83f691033.mspx
          http://technet2.microsoft.com/window...89d2f1033.mspx
          http://support.microsoft.com/kb/271386
          http://www.windowsitpro.com/Windows/...457/49457.html
          Marcel


          • #6
            Re: configure LDAP to use SSL

            Originally posted by Dumber:
            A great practice (dunno if Microsoft likes it) is to use an offline root CA.
            Just install a server in Virtual PC or VMware.
            Leave it in a workgroup.
            Install a CA root server.
            Install one or more issuing CAs.
            Take the root CA down.
            Burn the VMware image to disk and boot it up only when needed.
            IIRC this is precisely Microsoft's best practice, except they say to use a physical machine and store it safely (no issues with out-of-date VMware in 5 years' time!)
            Tom Jones
            MCT, MCSE (2000:Security & 2003), MCSA:Security & Messaging, MCDBA, MCDST, MCITP(EA, EMA, SA, EDA, ES, CS), MCTS, MCP, Sec+
            PhD, MSc, FIAP, MIITT
            IT Trainer / Consultant
            Ossian Ltd
            Scotland

            ** Remember to give credit where credit is due and leave reputation points where appropriate **



            • #7
              Re: configure LDAP to use SSL

              Yeah well... if the physical machine boots up after 5 years and that thing goes up in smoke, well... it won't help you either.

              Save the software and key on the DVD or other media and the problem is solved, even when you use out-of-date software.
              Marcel