--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CAHBr%2B%2BiBagLzOCiXXAw_x%3DdW-%3DuMNJS5Q3i9M30WWaDNeNBNYg%40mail.gmail.com.
Do not blame older Windows versions when Win10 networking can be blamed. Do not blame IPv4 when you can blame IPv6.
You’ve got to have the server FQDN as a SAN for the LDAP certificate.
I generally do something like:
Ldap.domain.com as the subject
And then the same as a SAN and each DC name:
You also need to make sure you have the EKU for server auth.
Not sure what you mean “computer account Personal cert store”. It should be in either LocalMachine\My or the service account store for AD DS:
How often do you add/remove DCs? 😊
In re: the EKU – what are you using as the template?
There ya go “EnhancedKeyUsage” – EKU 😊
Did that come out of one of Webster’s script archives? 😊
I have been watching this thread with interest. We have a group policy that automatically generates certificates for computer objects, which obviously wouldn’t have any SAN entries. Our vulnerability scans sometimes show expired certificates being given for LDAPS responses. I would confirm there is a current certificate, but I have been unable to find a way to force LDAPS to use a particular certificate. If I were to create a different certificate that had SAN entries, such that there were now multiple certificates that were valid for the purpose of LDAPS, what is the method by which LDAPS would decide which certificate to present? And is there a way to force it to use a particular certificate? I have reviewed https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority on multiple occasions, but it doesn’t seem to address this issue.
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of Mike Leone
Sent: Thursday, March 3, 2022 3:21 PM
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] How to do secure LDAP to an alias
Yep, that worked a treat! Great! Now I just have to go and change all the existing applications that have LDAP settings pointing to a soon-to-be-nonexistent DC and point them at my new abstract name ..
Oh, the joy! LOL
“you can also put certificates in the NTDS Service's Personal certificate store in Windows Server 2008 and in later versions of Active Directory Domain Services (AD DS)”
“AD DS preferentially looks for certificates in this store over the Local Machine's store. This makes it easier to configure AD DS to use the certificate that you want it to use”
“if a Windows Server 2008 or a later version domain controller finds multiple certificates in its store, it automatically selects the certificate whose expiration date is furthest in the future. Then, if your current certificate is approaching its expiration date, you can drop the replacement certificate in the store, and AD DS automatically switches to use it.”
There doesn’t appear to be a way to force the use of a particular certificate if there are multiple certificates in the NTDS service’s personal certificate store.
Cheers,
David
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of Mayo, Bill
Sent: Friday, 4 March 2022 7:33 AM
To: ntsys...@googlegroups.com
Subject: RE: [ntsysadmin] How to do secure LDAP to an alias
I have been watching this thread with interest. We have a group policy that automatically generates certificates for computer objects, which obviously wouldn’t have any SAN entries. Our vulnerability scans sometimes show expired certificates being given for LDAPS responses. I would confirm there is a current certificate, but I have been unable to find a way to force LDAPS to use a particular certificate. If I were to create a different certificate that had SAN entries, such that there were now multiple certificates that were valid for the purpose of LDAPS, what is the method by which LDAPS would decide which certificate to present? And is there a way to force it to use a particular certificate? I have reviewed https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority on multiple occasions, but it doesn’t seem to address this issue.
Well, dang, I guess I stopped reading before I got to that part. Thanks much.
Are the RRs A records or CNAMEs? I think you want A records, but I could be off base on this.
James Iversen, Network Systems Analyst, IT Infrastructure, 1899 Central Plaza East, Edmeston, NY 13335, nycm.com
Is this a "windows domain joined" client connecting, or a non-domain joined device attempting to connect using valid domain user creds?
Restarting: If an existing LDAPS certificate is replaced with another certificate, either through a renewal process or because the issuing CA has changed, the server must be restarted for Schannel to use the new certificate.
At the least, restart the KDC service on the DC.
What does your bind dialog look like?
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of Mike Leone
Sent: Friday, March 4, 2022 12:57 PM
To: ntsys...@googlegroups.com
Does it also fail on LDAPS connections to the DNS domain name as opposed to directly to a particular DC? In our environment, we can successfully do all of the following:
ls \\dc2\netlogon
ls \\dc2.ad.domain.tld\netlogon
ls \\ad.domain.tld\netlogon
> But one of my devs says it's still not working from his Oracle application
Does he have the CA cert chain loaded into his java keystore?
From: ntsys...@googlegroups.com <ntsys...@googlegroups.com>
On Behalf Of Mike Leone
Sent: Monday, March 7, 2022 7:03 AM
To: ntsys...@googlegroups.com
Subject: [EXTERNAL] Re: [ntsysadmin] How to do secure LDAP to an alias
On Sun, Mar 6, 2022 at 5:57 PM Michael B. Smith <mic...@smithcons.com> wrote:
What does your bind dialog look like?
I re-issued my cert, after promoting my last 2 DCs (meaning: now there's an actual DC to match each SAN), and it works for me, via LDP.EXE:
I connect to "ldap.wrk.ads.pha.phila.gov", port 636. It now connects. I bind using an account we use for lookups, and it binds, too.
ld = ldap_sslinit("ldap.wrk.ads.pha.phila.gov", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to ldap.wrk.ads.pha.phila.gov.
-----------
53 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='pgpldap'; Pwd=<unavailable>; domain = ''}
Authenticated as: 'PHA.PHILA.GOV\pgpldap'.
-----------
To me, I'd say that works. But one of my devs says it's still not working from his Oracle application, with the same credentials, and I don't know why ...
His app is an Oracle WebLogic server, and I know nothing about it. Except for the screenshot, that says "Could not connect to LDAP server".
The alias he's connecting with:
ldap.wrk.ads.pha.phila.gov
Server: dctrwrk005.wrk.ads.pha.phila.gov
Address: 10.64.7.59
Name: ldap.wrk.ads.pha.phila.gov
Addresses: 10.64.7.59
10.64.7.48
10.64.7.55
10.64.7.62
10.64.7.43
10.64.7.61
As for SANs in the cert, the FQDN of each server listed above is in the SAN, but not the FQDN (i.e., the SAN has the FQDN of the server at 10.64.7.59, but not a SAN for the actual IP address of 10.64.7.59). I don't know if that has anything to do with it.
Also, there is no reverse DNS for that alias. i.e., a reverse lookup of 10.64.7.59 will not return "ldap.wrk.ads.pha.phila.gov", but instead returns the actual hostname of 10.64.7.59. Again, I don't know if that matters or not.
You don’t want a SAN for the IP address (and while you can do it, it ain’t strictly “legal”).
Reverse DNS also isn’t required (at least, not by standard, I don’t know anything about Oracle).
He’ll need the root loaded into the server though, so it can verify the chain.
I ain’t gonna go chase down the RFC, but basically it goes like this:
[1] SANs _usually_ contain dNSNames. And most browsers specifically validate against those dNSNames.
[2] An IP address has the format of a dNSName, but you can’t look it up in DNS (especially recursively), so conformant browsers will ignore them.
[3] There is another type of record allowed in a SAN called an iPAddress which allows both IPv4 and IPv6 addresses, but not dNSNames.
So FQDNs should be in dNSNames and IP addresses should be in iPAddresses. I have never (and I quote myself because the OP used one of my scripts to create his certificates) published a script using iPAddresses, nor do I remember seeing one published. I expect any modern browser to ignore IP addresses put into dNSNames entries.
If reverse IP were to be checked, that would break proxy, reverse proxy, SNI, and IDS solutions. I do not believe that any such “solution” is widespread.
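As an added example (not code from the thread or any of its posters), a client-side check covering the points raised above: the alias and every DC FQDN must appear as dNSName SANs on the certificate the DC actually presents on 636, IP literals do not belong in dNSName entries (they go in iPAddress), and the presented certificate must not be expired (the scanner finding earlier in the thread). `fetch_ldaps_cert` needs network access and, for a private CA, the root as `cafile`; the names and the sample dict are constructed, not taken from the thread.

```python
import socket
import ssl
import time
import ipaddress

def fetch_ldaps_cert(host, port=636, cafile=None, timeout=5.0):
    """Fetch the certificate a DC presents on 636 as an ssl getpeercert() dict.
    cafile: the root of the issuing chain, needed for a private CA (the same root
    the thread says the Java keystore needs). Requires network access."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def is_ip_literal(name):
    try:
        ipaddress.ip_address(name)
        return True
    except ValueError:
        return False

def evaluate_ldaps_cert(cert, alias, dc_fqdns, now_epoch=None):
    """Return (code, detail) findings for a getpeercert()-style dict: the alias and
    every DC behind it must be dNSName SANs, IP literals do not belong in dNSName
    entries, and the certificate actually presented must not be expired."""
    now_epoch = time.time() if now_epoch is None else now_epoch
    dns_names = {v.lower() for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"}
    findings = []
    if alias.lower() not in dns_names:
        findings.append(("ALIAS_MISSING", alias))
    for fqdn in dc_fqdns:
        if fqdn.lower() not in dns_names:
            findings.append(("DC_MISSING", fqdn))
    for name in sorted(dns_names):
        if is_ip_literal(name):
            findings.append(("IP_IN_DNSNAME", name))
    if ssl.cert_time_to_seconds(cert["notAfter"]) <= now_epoch:
        findings.append(("EXPIRED", cert["notAfter"]))
    return findings

# Constructed sample shaped like getpeercert() output; not a certificate from the thread.
SAMPLE_CERT = {
    "subject": ((("commonName", "ldap.example.test"),),),
    "subjectAltName": (("DNS", "ldap.example.test"), ("DNS", "dc1.example.test"),
                       ("DNS", "192.0.2.10")),  # IP literal wrongly placed in a dNSName entry
    "notAfter": "Mar  7 12:00:00 2023 GMT",
}
```

Run it against a live DC with `evaluate_ldaps_cert(fetch_ldaps_cert("ldap.example.test", cafile="root.pem"), "ldap.example.test", [...DC FQDNs...])`; an empty list means the presented certificate passes all four checks.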