LDAPS Connection not working

  • Last Post 21 June 2016
DhirajHaritwal posted this 21 June 2016

Hi,

I am trying to connect to one of our Win2K8 R2 ADCs over LDAPS through LDP.exe, but it is not connecting, and Schannel event ID 36888 is logged in the ADC's event log with the errors below.

The following fatal alert was generated: 80. The internal error state is 1101.
The following fatal alert was generated: 80. The internal error state is 1250.

I have generated a certificate from our local CA with key usage Server Authentication (1.3.6.1.5.5.7.3.1) and Subject CN set to the FQDN of the ADC, and installed this certificate under Certificates - NTDS\Personal - Certificates Service (Active Directory Domain Services); it has a private key as well.

Under the computer's personal certificate store there are 3 certificates. The first is issued by the Root CA for Client Authentication and Server Authentication, the second was generated from the local CA for RDP TLS connections, and the 3rd is for the LDAPS connection.

I am not even able to connect over LDAPS locally from LDP on this ADC. In netstat it shows as listening on port 636, but when I check the status of port 636 through TestSSLServer it shows "No SSL/TLS server at IP".

SSLv3 and a couple of RC4 ciphers are disabled on this ADC.

Is there anything wrong with the server ciphers? Do I need to install the same certificate that I used under NTDS on the client from which I am trying LDP?

Kindly suggest what the problem could be and how to fix it. Appreciate any help.

Dhiraj
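The two things the post above is really asking (is anything speaking TLS on 636 at all, and does any certificate in the computer store qualify for Schannel to offer) can be checked from one script. This is an added example, not code from the thread; the FQDN and port are placeholders, and it assumes PowerShell 3 or later run on a machine that trusts the issuing CA:

```powershell
# Added example, not part of the thread: probe an LDAPS endpoint the way a client does,
# then list which certificates in LocalMachine\My satisfy the DC's LDAPS requirements.
# Assumptions: placeholder FQDN below, PowerShell 3+, the issuing CA is trusted locally.
param(
    [string]$DcFqdn = "dc01.corp.example",   # placeholder, replace with the ADC's FQDN
    [int]$Port = 636
)

$ServerAuthOid = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
$SanOid        = "2.5.29.17"           # subjectAltName

function Test-LdapsHandshake {
    param([string]$HostName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $tcp.Connect($HostName, $Port)   # this step is all that a netstat "LISTENING" proves
        # Accept whatever the server presents so we can inspect it; never do this in real client code.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($HostName)   # target name = what the CN/SAN must match
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Protocol = $ssl.SslProtocol
            Cipher   = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
            Subject  = $cert.Subject
            Issuer   = $cert.Issuer
            NotAfter = $cert.NotAfter
        }
    } catch {
        # A server-side fatal alert (the Schannel 36888 events on the DC) surfaces here as an
        # IOException or AuthenticationException; the client never sees a certificate at all.
        Write-Warning ("TLS handshake to {0}:{1} failed: {2}" -f $HostName, $Port, $_.Exception.Message)
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
}

function Get-LdapsCandidateCert {
    param([string]$HostName)
    $name = [regex]::Escape($HostName)
    Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
        $c = $_
        $ekuExt = $c.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
        $sanExt = $c.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
        $san = ""
        if ($sanExt) { $san = $sanExt.Format($false) }   # e.g. "DNS Name=dc01.corp.example, DNS Name=corp.example"
        New-Object PSObject -Property @{
            Thumbprint    = $c.Thumbprint
            Subject       = $c.Subject
            NotAfter      = $c.NotAfter
            HasPrivateKey = $c.HasPrivateKey
            ServerAuthEku = ($ekus.Count -eq 0) -or ($ekus -contains $ServerAuthOid)   # no EKU extension = all purposes
            NameMatches   = ($c.Subject -match "(^|,\s*)CN=$name(,|$)") -or ($san -match "DNS Name=$name(,|$)")
            ChainValid    = $c.Verify()   # builds the chain against the machine's Root/CA stores and checks revocation
        }
    }
}

"--- Handshake against ${DcFqdn}:$Port ---"
Test-LdapsHandshake -HostName $DcFqdn -Port $Port | Format-List Protocol, Cipher, Subject, Issuer, NotAfter

"--- Certificates in LocalMachine\My and whether Schannel could use each one for LDAPS ---"
Get-LdapsCandidateCert -HostName $DcFqdn |
    Format-Table Thumbprint, HasPrivateKey, ServerAuthEku, NameMatches, ChainValid, NotAfter -AutoSize
```

A certificate Schannel can offer shows HasPrivateKey, ServerAuthEku, NameMatches and ChainValid all True in the second table; if no row does, the DC has nothing to present, and a client sees exactly the "no SSL/TLS server" symptom while the port still listens. The script only reads Cert:\LocalMachine\My; on Windows Server 2008 and later a certificate placed in the NTDS\Personal store is used in preference to the computer store, so one sitting there has to pass the same checks.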

a-ko posted this 21 June 2016

Please, Please just use an Enterprise-integrated CA and use the “Kerberos Authentication” template for your DCs. It will give you everything you need.


DhirajHaritwal posted this 21 June 2016

Thanks Mike, I have a couple of queries and want to understand this in more detail.

While people are using even 3rd-party certificates for LDAPS, why can't we use a self-signed certificate from the local CA? As per the TechNet article, the certificate for LDAPS should have only the Server Authentication OID (1.3.6.1.5.5.7.3.1), so it should work. It is also mentioned in a couple of threads that we have to use the FQDN of the domain controller as the CN, which I am using with the self-signed certificate.

This certificate exists in the ADC's computer personal certificate store. What I am missing here is the certificate import. I generated this certificate through certutil and installed it with certutil -submit under the personal store. I have imported it through MMC under the NTDS personal store, but as you mentioned that is not required for the LDAPS connection. I have 3 certificates installed under the ADC's personal store; hope their presence/installation order is not making any trouble.

So tomorrow I will export this certificate along with its private key, delete it from the personal store, import it through MMC and then check the connection through LDP.

Dhiraj


a-ko posted this 21 June 2016

I’m not sure what you’re reading, but I’ve also worked with people with non-AD (i.e. OpenLDAP) configurations that also required the certificates to be configured via SAN fields rather than Subject/CN data. When you use certreq.exe you should use the -machine option which requests it in the context of the machine account and will store the private key in the machine’s store. You can request and configure how you want as long as the required values exist. The KDC Authentication policy is useful for PKINIT and Kerberos Armoring. I’m not sure if it will use a “Server Authentication” certificate to perform that task… -Mike 


kbatlive posted this 21 June 2016

I only took a quick glance at what you are doing, but I'll reiterate what M.Cramer said about using an enterprise CA.

However, an enterprise CA may not be available. In that case, you can use the steps outlined in these 4 articles to generate a certificate request from the DC to a trusted certificate authority. There are examples of all the commands necessary to create the certreq, submit it to the CA server and import the certificate (including some scripts that will help).

It should work (with tweaks) with third-party CAs where they are already in the trusted store of the machines involved. Not sure how it would work for self-signed, but the steps to import the self-signed certificate into the store should be similar.

These are the 4 articles I used to do this for DCs (2008, 2008 R2) in our environment that do not have an enterprise CA available to them (but we need to do LDAPS to them); it says for Win2000, but it still applies.

http://technet.microsoft.com/en-us/library/cc783835(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc775547(v=ws.10).aspx
http://technet.microsoft.com/en-us/library/cc787009(WS.10).aspx
http://technet.microsoft.com/en-us/library/cc785678(WS.10).aspx

Good luck!


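The request/submit/accept procedure kbatlive describes, with the machine-context request a-ko insists on and the enterprise-CA template route, carried through end to end. This is an added example and not code from the thread or the linked articles; the FQDNs, the CA config string, the WebServer template name and the file names are assumptions to be replaced, and it is meant to be run in an elevated PowerShell on the DC itself:

```powershell
# Added example, not from the thread: request, issue and install an LDAPS certificate for a DC
# with certreq.exe, then make AD DS reload it without a reboot. Run elevated on the DC.
# Placeholders (assumptions): the FQDNs, the CA config string, the template name, the file names.
$DcFqdn   = "dc01.corp.example"                 # DC FQDN; must appear in the CN and in the SAN
$Domain   = "corp.example"                       # extra SAN so the domain's own LDAPS name also validates
$CaConfig = "ca01.corp.example\Corp Issuing CA"  # "<CA host>\<CA common name>" for certreq -submit
$Work     = Join-Path $env:TEMP "ldaps"
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Request definition. MachineKeySet=TRUE keeps the private key in the Local Computer store;
#    a request made in a user context produces a key that LSASS/Schannel can never open.
@"
[Version]
Signature = "`$Windows NT`$"

[NewRequest]
Subject = "CN=$DcFqdn"
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xA0
MachineKeySet = TRUE
Exportable = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$DcFqdn&"
_continue_ = "dns=$Domain&"
"@ | Set-Content -Path "$Work\ldaps.inf" -Encoding ASCII

# 2. Generate the key pair in the machine store and the PKCS#10 request
certreq -new "$Work\ldaps.inf" "$Work\ldaps.req"

# 3a. Enterprise CA: submit directly. The template named here must allow the subject to be supplied
#     in the request (a copy of "Web Server" is the usual choice; "WebServer" is an assumption here).
#     With a template that builds the subject from AD, such as "Kerberos Authentication", the CA
#     takes the DC's names from its computer object and the INF Subject/SAN sections are ignored.
certreq -submit -config $CaConfig -attrib "CertificateTemplate:WebServer" "$Work\ldaps.req" "$Work\ldaps.cer"
# 3b. Standalone or third-party CA: hand ldaps.req to the CA out of band, save the issued
#     certificate as ldaps.cer, and make sure the CA chain is in LocalMachine\Root (and \CA) first.

# 4. Bind the issued certificate to the pending request, i.e. to the private key in LocalMachine\My
certreq -accept "$Work\ldaps.cer"

# 5. Confirm the store now holds it with a usable private key and a complete, trusted chain
certutil -verifystore MY
certutil -verify -urlfetch "$Work\ldaps.cer"

# 6. Tell AD DS to pick up the new certificate without restarting the DC (rootDSE modify)
@"
dn:
changetype: modify
add: renewServerCertificate
renewServerCertificate: 1
-
"@ | Set-Content -Path "$Work\renew.ldf" -Encoding ASCII
ldifde -i -f "$Work\renew.ldf"
```

Step 5 is where Dhiraj's situation would have shown up: certutil -verifystore reports a certificate whose private key is missing or whose chain does not build, and either condition is enough for Schannel to log the 36888 alert instead of completing the handshake. Step 6 only asks the directory to re-read the store; if the new certificate is not picked up, check that nothing older is still in the NTDS\Personal store, since that store wins over the computer store on Windows Server 2008 and later.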