Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved

AFidel
08/24/2006 2:49 AM
I hope this will be configurable, if not in the GUI then through a registry key which is published in the MSKB.

Andrew Fidel

"Steve Linehan"
Sent by: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
08/23/2006 10:37 PM
Please respond to ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved

Furthermore the current implementation of wldap32 in Windows Server 2003 SP1 does not request that the certificate be verified. This has been changed in a QFE for Windows Server 2003 SP1 and will be addressed in the next service pack for Windows Server 2003, SP2. So you may see a change in behavior going forward at least on the server platform.

Thanks,

-Steve
-----Original Message-----
From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Laura A. Robinson
Sent: Wednesday, August 23, 2006 9:27 PM
To: ActiveDir@xxxxxxxxxxxxxxxxxx
Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved

Windows 2000 RTM, by default, does not perform CRL checking; XP and 2003 do. However, there are behavior variances on an application-by-application basis. For more information:
http://www.microsoft.com/technet/security/topics/cryptographyetc/tshtcrl.mspx#ES3AE

Laura


> -----Original Message-----
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Joe Kaplan
> Sent: Wednesday, August 23, 2006 10:06 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: Re: [ActiveDir] Secure LDAP queries from the outside
> --> problem solved
>
> It actually depends on the policy defined for the SSL stack. In Windows, this is typically configured globally for all SSL, although I'm not sure where. It definitely used to be the case in Windows that CRLs were never checked, but I have seen some other SSL stuff with HTTP actually checking the CRL on 2K3 servers.
>
> It is also possible in SSPI with Schannel to ignore specific conditions, so this could be something that is ignored in the default LDAP SSL routine in Windows, but I doubt it. The callback function for server certificate verification will give you the error code if there is a problem and the client can then deal with it as it sees fit.
>
> CRLs can definitely be trouble though. They are by far the most vexing thing to troubleshoot in SSL, and PKI in general.
>
> Joe
>
> ----- Original Message -----
> From: "Thommes, Michael M."
> To:
> Sent: Wednesday, August 23, 2006 8:37 PM
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside
> --> problem solved
>
>
> Hi joe,
>     The CRL location is *not* available from the outside. And since neither adfind, ldp or Outlook Express seemed to care, I am guessing that not many (any?) tools require it. Kinda makes ya wonder why you would have it if it's not used. Sorta like not using the book of bad credit card numbers when someone handed you a credit card! (maybe some of you are old enough to remember this safeguard before there were computers everywhere! LOL!).
>
> Mike Thommes
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx on behalf of joe
> Sent: Wed 8/23/2006 7:15 PM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside
> --> problem solved
>
>
> Cool, is the CRL available from the outside at all? I am really curious if that is truly needed from the client when using LDAPS, it doesn't seem to be needed but my testing has been far from perfect in that regard.
>
>   joe
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
>
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Thommes, Michael M.
> Sent: Wednesday, August 23, 2006 8:06 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved
>
> Thanks to all who responded! The problem was solved by installing our local root CA cert on the "outside" computer since we are "rolling our own" and not using one of the well known CAs (Trusted Root Certification Authorities).
>
> Mike Thommes
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Thommes, Michael M.
> Sent: Tuesday, August 22, 2006 9:36 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside
>
> Hi Robert,
>
>     Yes, the command is *exactly* the same. We are thinking that our CRL location is not available outside of the firewall. We generate our own certificates; we don't use a "well known" provider.
>
> Mike Thommes
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of Williams, Robert
> Sent: Tuesday, August 22, 2006 9:16 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside
>
> Hey Mike,
>
> When you say "It works fine behind our firewall", are you meaning that the *exact same* command line works and you get the object returned?
>
> I tried using adfind to connect to my test DC using port 636 and got the exact same error...but I don't have a cert installed on my DC so I'd expect mine not to work.
>
> Robert Williams
>
> ________________________________
>
> From: ActiveDir-owner@xxxxxxxxxxxxxxxxxx
> [mailto:ActiveDir-owner@xxxxxxxxxxxxxxxxxx] On Behalf Of
> Thommes, Michael M.
> Sent: Tuesday, August 22, 2006 6:19 AM
> To: ActiveDir@xxxxxxxxxxxxxxxxxx
> Subject: [ActiveDir] Secure LDAP queries from the outside
>
> Hi,
>
>    We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue. Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using "adfind":
>
> adfind -h dc1.abc.com:636 -u mthommes@xxxxxxx -up * -default -nodn -f sn=thommes extensionAttribute2
>
> AdFind V01.26.00cpp Joe Richards (joe@xxxxxxxxxxx) February 2005
>
> LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
>
> Terminating program.
>
> (extensionAttribute2 is used for email address)
>
> Portqry shows that the DC is listening on port 636. Using "ldp", the bind operation seems to want to default to port 389 (which is not open).
>
> It works fine behind our firewall. Is there some other port that needs to be open (besides 389)? Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way? Any help is appreciated!
>
> TIA,
>
> Mike Thommes
>
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
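The failure at the start of this thread, an LDAPS bind over port 636 that dies inside the TLS handshake because the outside client does not trust the private root CA, and Joe Kaplan's point that the server-certificate verification callback is where the real error code surfaces, as an added worked example (this is not code from the thread, from adfind, ldp or any Microsoft component, and it does not reproduce the thread's real PKI or host names): a Go program that builds a constructed in-memory root CA and DC certificate, starts a loopback TLS listener standing in for the DC's port 636, and performs only the handshake an LDAPS client would, reporting the outcome by cause rather than as a bare "Server Down". It goes one step beyond the thread's case by also classifying a name mismatch. All names in it (dc1.example.test, "Example Private Root CA", newLab, probeLDAPS) are assumptions made for the example; only the Go standard library is used.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// must keeps the constructed PKI setup short; a real tool would report the error instead.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// lab is a constructed, in-memory stand-in for the thread's "rolling our own" CA:
// a private root CA and the server certificate it issued to the DC. Nothing here
// is the thread's real PKI.
type lab struct {
	CA    *x509.Certificate // the root an "outside" client must have installed
	srvKP tls.Certificate   // what the DC presents on port 636
}

func newLab(dcName string) *lab {
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Private Root CA"},
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	srv := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: dcName},
		DNSNames: []string{dcName}, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}
	for _, c := range []*x509.Certificate{ca, srv} {
		c.NotBefore, c.NotAfter = time.Now().Add(-time.Hour), time.Now().Add(24*time.Hour)
	}
	caKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	srvKey := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	caCert := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, ca, ca, &caKey.PublicKey, caKey))))
	srvDER := must(x509.CreateCertificate(rand.Reader, srv, caCert, &srvKey.PublicKey, caKey))
	return &lab{CA: caCert, srvKP: tls.Certificate{Certificate: [][]byte{srvDER}, PrivateKey: srvKey}}
}

// startServer stands in for the DC's port 636: it completes one TLS handshake per
// loopback connection and speaks no LDAP at all. The bind in the thread never got
// past this handshake, which is why the LDAP layer could only say "Server Down".
func (l *lab) startServer() (addr string, stop func()) {
	ln := must(tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{l.srvKP}}))
	go func() {
		for c, err := ln.Accept(); err == nil; c, err = ln.Accept() {
			_ = c.(*tls.Conn).Handshake() // fails whenever the client rejects our certificate; expected
			c.Close()
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }
}

// probeLDAPS performs only the TLS handshake that precedes an LDAPS bind, trusting
// exactly the roots it is given (none = the outside machine before the private root
// CA was installed), and reports the verification result by cause. This is the
// information a certificate-verification callback hands the client in Windows too.
func probeLDAPS(addr, serverName string, roots ...*x509.Certificate) string {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	conn, err := tls.Dial("tcp", addr, &tls.Config{RootCAs: pool, ServerName: serverName})
	if err == nil {
		conn.Close()
		return "ok"
	}
	var unknownCA x509.UnknownAuthorityError
	var badName x509.HostnameError
	if errors.As(err, &unknownCA) {
		return "untrusted-root" // the client lacks the issuing root CA: the thread's actual fault
	} else if errors.As(err, &badName) {
		return "name-mismatch" // connected by a name the certificate does not carry
	}
	return "other: " + err.Error()
}

func main() {
	const dc = "dc1.example.test" // constructed name, not the thread's DC
	l := newLab(dc)
	addr, stop := l.startServer()
	defer stop()
	fmt.Println("outside client, private root not installed:", probeLDAPS(addr, dc))
	fmt.Println("same client after installing the root:      ", probeLDAPS(addr, dc, l.CA))
	fmt.Println("root trusted, connected by another name:    ", probeLDAPS(addr, "alias.example.test", l.CA))
}
```

probeLDAPS trusts only the roots passed to it, so the first call reproduces the outside machine's view and the second the state after the root was installed; the fix the thread arrived at, distributing the private root to the client, is the one to apply, and an untrusted-root result is not something to answer by disabling verification. Against a real DC the loopback address becomes host:636 and the exported root certificate is passed in place of l.CA. Like Go's x509 verifier in general, this probe performs no revocation checking, so the CRL reachability question raised later in the thread is outside what it tests.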