Need some advice on setting up LDAPS


Mike Leone

unread,
Jul 28, 2022, 1:13:16 PM7/28/22
to NTSysAdmin
I thought I knew how to do this, but apparently not ..

I have a mix of DCs, Win 2012 R2 and Win 2019 (in the process of upgrading the domain to support the latest FFL/DFL). Each DC has a cert. 

Sounds simple, eh?

Turns out, not so much ... using LDP.EXE, I can make a valid SSL connection on port 636 to all of the Win 2012 R2 DCs, and 1 of the Win 2019 DCs. However, when I try to make a connection to the other Win 2019 DCs, I get a failure to connect.

0x0 = ldap_unbind(ld);
ld = ldap_sslinit("dc1wrk011.wrk.ads.pha.phila.gov", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to dc1wrk011.wrk.ads.pha.phila.gov.

But yet it works on just 1 of the Win 2019s ..

ld = ldap_sslinit("dc2wrk010.wrk.ads.pha.phila.gov", 636, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to dc2wrk010.wrk.ads.pha.phila.gov.

And I don't know why. All of the Win 2019s have a valid cert. I don't see anything different between the certs on the failing DCs and the cert on the working DC, they're all from the same CA (me ..), and all have the same intended Purposes (Server and Client Authentication). In order to enable LDAPS, all I need to do is issue a cert for the DC, there is no other configuration necessary, right? Once I import the cert onto the DC, it should start using it for LDAPS.

What am I missing here?



--

Mike. Leone, <mailto:tur...@mike-leone.com>

PGP Fingerprint: 0AA8 DC47 CB63 AE3F C739 6BF9 9AB4 1EF6 5AA5 BCDF
Photo Gallery: <http://www.flickr.com/photos/mikeleonephotos>

This space reserved for future witticisms ...

Michael B. Smith

unread,
Jul 28, 2022, 1:22:49 PM7/28/22
to ntsys...@googlegroups.com

You have to have an EKU extension for Server Auth and you have to have the server name as a SAN, not just as the common name (Subject).

 

I always create my DC certificates manually, but you can do it however you wish. This is a working example of a CSR:

 

;----------------- ldaps-request.inf -----------------
; dc001.fabrikam.com
;
; certreq -new ldaps-request.inf ldaps-request.req
; certreq -submit -config ca002\Issuing-PROD ldaps-request.req ldaps-request.cer
; certreq -accept -config ca002\Issuing-PROD ldaps-request.cer
;

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=dc001.fabrikam.com" ; replace with the FQDN of the DC
FriendlyName = "LDAPS for dc001.fabrikam.com"
KeyLength = 2048
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
KeySpec = 1                     ; AT_KEYEXCHANGE
Exportable = TRUE               ; private-key is exportable
MachineKeySet = TRUE            ; goes in machine store instead of user's personal store
SMIME = False                   ; cannot be used for signing S/MIME messages
PrivateKeyArchive = FALSE
HashAlgorithm = sha256          ; "certutil -oid 1 | findstr pwszName" -- gives a list (including sha1)
UserProtected = FALSE
UseExistingKeySet = FALSE       ; we are not renewing a key that already exists
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12               ; for ProviderName and ProviderType, see "certutil -csplist"
RequestType = PKCS10            ; if empty or set to "CERT" then a self-signed cert is created
KeyUsage = 0xa0                 ; 0xa0 - CERT_DIGITAL_SIGNATURE_KEY_USAGE + CERT_KEY_ENCIPHERMENT_KEY_USAGE

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication - PKIX_KP_SERVER_AUTH

[Extensions]
; If your client operating system is Windows Server 2008, Windows Server 2008 R2,
; Windows Vista, or Windows 7 (or later), SANs can be included in the Extensions
; section by using the following text format.
; Note 2.5.29.17 is the OID for a SAN extension.

2.5.29.17 = "{text}"
_continue_ = "dns=dc001.fabrikam.com&"
_continue_ = "dns=dc001.contoso.com"

[RequestAttributes]
CertificateTemplate = WebServer

;-----------------------------------------------

--
You received this message because you are subscribed to the Google Groups "ntsysadmin" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ntsysadmin+...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ntsysadmin/CAHBr%2B%2BgVJ9qPZTjZPn94wsarJoYB3mRPkEx6rkWhGRQc83UgFw%40mail.gmail.com.

James Iversen

unread,
Jul 28, 2022, 1:25:45 PM7/28/22
to ntsys...@googlegroups.com
If I'm not mistaken, you need to have these as the enhanced key usage for Domain Controller Certs:


I could be wrong...




From:        "Mike Leone" <tur...@mike-leone.com>
To:        "NTSysAdmin" <ntsys...@googlegroups.com>
Date:        07/28/2022 01:13 PM
Subject:        [ntsysadmin] Need some advice on setting up LDAPS
Sent by:        ntsys...@googlegroups.com





ATTENTION: This email was sent from someone outside of NYCM.
Join us on Facebook at
www.facebook.com/NYCMInsurance.


***CONFIDENTIALITY NOTICE***

This email and any attachments to it are confidential and intended solely for the individual or entity to whom it is addressed. Any unauthorized review, use, disclosure or distribution is prohibited. If you have received this email in error, please contact the sender by reply email and destroy all copies of the original message.




Michael B. Smith

unread,
Jul 28, 2022, 3:03:19 PM7/28/22
to ntsys...@googlegroups.com

A DC can possibly have multiple certs, with the same name, doing different things. The Kerberos Authentication template has those EKUs.

 

LDAPS doesn’t need anything but the second one (and the SAN).

 

From: ntsys...@googlegroups.com <ntsys...@googlegroups.com> On Behalf Of James Iversen
Sent: Thursday, July 28, 2022 1:26 PM
To: ntsys...@googlegroups.com
Subject: Re: [ntsysadmin] Need some advice on setting up LDAPS

 

If I'm not mistaken, you need to have these as the enhanced key usage for Domain Controller Certs:


I could be wrong..




Michael B. Smith

unread,
Jul 28, 2022, 3:15:15 PM7/28/22
to ntsys...@googlegroups.com

…and that KerberosAuth cert will work just fine for LDAPS. It has the SAN. I just tested.

Mike Leone

unread,
Jul 28, 2022, 3:16:22 PM7/28/22
to ntsys...@googlegroups.com
On Thu, Jul 28, 2022 at 1:22 PM Michael B. Smith <mic...@smithcons.com> wrote:

You have to have an EKU extension for Server Auth and you have to have the server name as a SAN, not just as the common name (Subject).

 

I always create my DC certificates manually, but you can do it however you wish. This is a working example of a CSR:


That's the one I used. LOL

 

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication - PKIX_KP_SERVER_AUTH


I have this

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; PKIX_KP_SERVER_AUTH
OID = 1.3.6.1.5.5.7.3.2 ; PKIX_KP_CLIENT_AUTH


But otherwise the same.

Mike Leone

unread,
Jul 28, 2022, 3:19:14 PM7/28/22
to ntsys...@googlegroups.com
On Thu, Jul 28, 2022 at 1:25 PM James Iversen <JIve...@nycm.com> wrote:
If I'm not mistaken, you need to have these as the enhanced key usage for Domain Controller Certs:


I could be wrong...

I have this:

image.png


Even on just the working DCs ...

 

Mike Leone

unread,
Jul 28, 2022, 3:23:52 PM7/28/22
to ntsys...@googlegroups.com
On Thu, Jul 28, 2022 at 3:03 PM Michael B. Smith <mic...@smithcons.com> wrote:

A DC can possibly have multiple certs, with the same name, doing different things. The Kerberos Authentication template has those EKUs.

 

LDAPS doesn’t need anything but the second one (and the SAN).



I have this, on the working one:

 
image.png

image.png

And this, on the non-working one. They look the same to me ...

image.png

image.png


 

Charles F Sullivan

unread,
Jul 28, 2022, 3:58:03 PM7/28/22
to ntsys...@googlegroups.com
What about Key Usage (as opposed to enhanced key usage)? Do those match? I missed the beginning so I don't know whether or not it's from a template.



--

Charlie Sullivan

Principal Windows Systems Administrator

Mike Leone

unread,
Jul 28, 2022, 4:01:37 PM7/28/22
to ntsys...@googlegroups.com
Yes, I used Michael's certificate template to request all the certs.

Working cert:

image.png

Non-working cert:

image.png



Michael B. Smith

unread,
Jul 28, 2022, 4:10:47 PM7/28/22
to ntsys...@googlegroups.com

Back to basics.

 

From an elevated PowerShell session, on the same computer where you run ldp.exe can you:

 

               tnc dc1wrk011.wrk.ads.pha.phila.gov -port 636

 

What’s the result?

 


Kurt Buff

unread,
Jul 28, 2022, 5:02:53 PM7/28/22
to ntsys...@googlegroups.com

Mike Leone

unread,
Jul 29, 2022, 9:06:56 AM7/29/22
to ntsys...@googlegroups.com
On Thu, Jul 28, 2022 at 4:10 PM Michael B. Smith <mic...@smithcons.com> wrote:

Back to basics.

 

From an elevated PowerShell session, on the same computer where you run ldp.exe can you:

 

               tnc dc1wrk011.wrk.ads.pha.phila.gov -port 636

 

What’s the result?


PS O:\software\PHA Scripts> tnc dc1wrk011.wrk.ads.pha.phila.gov -port 636  
                                                                                          
ComputerName     : dc1wrk011.wrk.ads.pha.phila.gov
RemoteAddress    : 10.64.7.55
RemotePort       : 636
InterfaceAlias   : Ethernet0 2
SourceAddress    : 10.64.7.39
TcpTestSucceeded : True



Michael B. Smith

unread,
Jul 29, 2022, 9:44:11 AM7/29/22
to ntsys...@googlegroups.com

Kurt’s nmap solution is a good one.

 

Something more simple:

 

               $error.Clear()

               $s = "LDAP://dc1wrk011.wrk.ads.pha.phila.gov:636"

               $ldap = [ADSI] $s

 

If it generates an error,

 

               $error

 

If not,

 

               $ldap | fl *

 


Mike Leone

unread,
Jul 29, 2022, 9:57:50 AM7/29/22
to ntsys...@googlegroups.com
On Fri, Jul 29, 2022 at 9:44 AM Michael B. Smith <mic...@smithcons.com> wrote:

Kurt’s nmap solution is a good one.

 

Something more simple:

 

               $error.Clear()

               $s = "LDAP://dc1wrk011.wrk.ads.pha.phila.gov:636"

               $ldap = [ADSI] $s

 

If it generates an error,

 

               $error

 

If not,

 

               $ldap | fl *


No error, just no response ...

PS C:\PHA Scripts> .\Check-LDAPS.PS1



AuthenticationType :
Children           :
Guid               :
ObjectSecurity     :
Name               :
NativeGuid         :
NativeObject       :
Parent             :
Password           :
Path               :
Properties         :
SchemaClassName    :
SchemaEntry        :
UsePropertyCache   :
Username           :
Options            :
Site               :
Container          :

Using port 389 returns expected


Michael B. Smith

unread,
Jul 29, 2022, 10:15:27 AM7/29/22
to ntsys...@googlegroups.com

If you run those few commands on the server itself, do you get a response?

 


Mike Leone

unread,
Jul 29, 2022, 10:16:55 AM7/29/22
to ntsys...@googlegroups.com
On Thu, Jul 28, 2022 at 5:02 PM Kurt Buff <kurt...@gmail.com> wrote:
Doesn't seem to see the cert ..

Z:\>nmap -v -p 636 --script ssl-cert 10.64.7.55
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-29 10:12 Eastern Daylight Time
NSE: Loaded 1 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:12
Completed NSE at 10:12, 0.00s elapsed
Initiating ARP Ping Scan at 10:12
Scanning 10.64.7.55 [1 port]
Completed ARP Ping Scan at 10:12, 0.10s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:12
Completed Parallel DNS resolution of 1 host. at 10:12, 0.00s elapsed
Initiating SYN Stealth Scan at 10:12
Scanning DC1WRK011.wrk.ads.pha.phila.gov (10.64.7.55) [1 port]
Discovered open port 636/tcp on 10.64.7.55
Completed SYN Stealth Scan at 10:12, 0.01s elapsed (1 total ports)
NSE: Script scanning 10.64.7.55.
Initiating NSE at 10:12
Completed NSE at 10:12, 0.02s elapsed
Nmap scan report for DC1WRK011.wrk.ads.pha.phila.gov (10.64.7.55)
Host is up (0.0010s latency).

PORT    STATE SERVICE
636/tcp open  ldapssl
MAC Address: 00:50:56:A2:02:69 (VMware)

NSE: Script Post-scanning.
Initiating NSE at 10:12
Completed NSE at 10:12, 0.00s elapsed
Read data files from: C:\Program Files (x86)\Nmap
Nmap done: 1 IP address (1 host up) scanned in 1.22 seconds
           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)

Yet the cert is there ..

image.png


Mike Leone

unread,
Jul 29, 2022, 10:22:06 AM7/29/22
to ntsys...@googlegroups.com
On Fri, Jul 29, 2022 at 10:15 AM Michael B. Smith <mic...@smithcons.com> wrote:

If you run those few commands on the server itself, do you get a response?


Nope.

PS C:\PHA Scripts> .\Check-LDAPS.PS1

Kurt Buff

unread,
Jul 29, 2022, 10:22:30 AM7/29/22
to ntsys...@googlegroups.com
The output from
nmap -v -p 636 -sV --script ssl-cert <ip.add.re.ss>
Looks like this screencap.
image.png

Write it to disk or scrape it from your screen, edit it down to just the certificate (remove the pipes, spaces and underscores from the certificate section, keeping the cert header and footer)
image.png
Save it as a .crt file, then open it. You'll have all the info you need.

Kurt



Mike Leone

unread,
Jul 29, 2022, 10:25:24 AM7/29/22
to ntsys...@googlegroups.com
On Fri, Jul 29, 2022 at 10:22 AM Kurt Buff <kurt...@gmail.com> wrote:
The output from
nmap -v -p 636 -sV --script ssl-cert <ip.add.re.ss>
Looks like this screencap.

Unfortunately, no. :-) Mine shows no cert.
 
Z:\>nmap -v -p 636 -sV --script ssl-cert 10.64.7.55
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-29 10:23 Eastern Daylight Time
NSE: Loaded 46 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:23
Completed NSE at 10:23, 0.00s elapsed
Initiating NSE at 10:23
Completed NSE at 10:23, 0.00s elapsed
Initiating ARP Ping Scan at 10:23
Scanning 10.64.7.55 [1 port]
Completed ARP Ping Scan at 10:23, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:23
Completed Parallel DNS resolution of 1 host. at 10:23, 0.00s elapsed
Initiating SYN Stealth Scan at 10:23

Scanning DC1WRK011.wrk.ads.pha.phila.gov (10.64.7.55) [1 port]
Discovered open port 636/tcp on 10.64.7.55
Completed SYN Stealth Scan at 10:23, 0.01s elapsed (1 total ports)
Initiating Service scan at 10:23
Scanning 1 service on DC1WRK011.wrk.ads.pha.phila.gov (10.64.7.55)
Completed Service scan at 10:23, 0.01s elapsed (1 service on 1 host)
NSE: Script scanning 10.64.7.55.
Initiating NSE at 10:23
Completed NSE at 10:23, 0.01s elapsed
Initiating NSE at 10:23
Completed NSE at 10:23, 0.01s elapsed

Nmap scan report for DC1WRK011.wrk.ads.pha.phila.gov (10.64.7.55)
Host is up (0.0010s latency).

PORT    STATE SERVICE    VERSION
636/tcp open  tcpwrapped

MAC Address: 00:50:56:A2:02:69 (VMware)

NSE: Script Post-scanning.
Initiating NSE at 10:23
Completed NSE at 10:23, 0.00s elapsed
Initiating NSE at 10:23
Completed NSE at 10:23, 0.00s elapsed

Read data files from: C:\Program Files (x86)\Nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.61 seconds

Michael B. Smith

unread,
Jul 29, 2022, 10:25:48 AM7/29/22
to ntsys...@googlegroups.com

Argh.

 

You have two certificates there.

 

Everything else being equal, the one with the furthest future expiration date wins. Try using it instead.

 


Mike Leone

unread,
Jul 29, 2022, 10:37:36 AM7/29/22
to ntsys...@googlegroups.com
On Fri, Jul 29, 2022 at 10:25 AM Michael B. Smith <mic...@smithcons.com> wrote:

Argh.

 

You have two certificates there.


All the DCs have 2 certs. :-) The second one is a cert issued in the name of "ldap.wrk.ads.pha.phila.gov". It has SANs of all the DCs, and I have a DNS alias so that "ldap.wrk.ads.pha.phila.gov" has all the IPs of all the DCs. This way, I can abstract it, and all LDAP calls can go to a single URL, but any DC can service it. (We apparently have apps that insist on a single hostname as an LDAP target, so I couldn't just use the domain wrk.ads.pha.phila.gov entry.)

The Win 2012 R2 are fine with it, as is 1 of the Win 2019s.
 

Everything else being equal, the one with the furthest future expiration date wins. Try using it instead.


Nothing. Probably because the hostname is resolving to one of the Win 2019 DCs ...

LDAP URL = LDAP://ldap.wrk.ads.pha.phila.gov:636
Resolve-DnsNme

Name                                           Type   TTL   Section    IPAddress
----                                           ----   ---   -------    ---------
ldap.wrk.ads.pha.phila.gov                     A      3600  Answer     10.64.7.55
ldap.wrk.ads.pha.phila.gov                     A      3600  Answer     10.64.7.43
ldap.wrk.ads.pha.phila.gov                     A      3600  Answer     10.64.7.62
ldap.wrk.ads.pha.phila.gov                     A      3600  Answer     10.64.7.95
ldap.wrk.ads.pha.phila.gov                     A      3600  Answer     10.64.7.94





AuthenticationType :
Children           :
Guid               :
ObjectSecurity     :
Name               :
NativeGuid         :
NativeObject       :
Parent             :
Password           :
Path               :
Properties         :
SchemaClassName    :
SchemaEntry        :
UsePropertyCache   :
Username           :
Options            :
Site               :
Container          :


..

I can try removing the cert from that DC, and trying again ....
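As an added example (my code, not Kurt's or anyone else's in the thread), here is a PowerShell counterpart to the nmap ssl-cert check: it resolves the name to every A record, does a TLS handshake against each address with that name as the TLS target, and reports the certificate each DC actually serves, or the handshake error. A DC whose port is open but which has no usable certificate and private key drops the handshake, which is what ldp.exe shows as error 81 and nmap as "tcpwrapped"; running it against the alias shows which of the five addresses is the odd one out. It assumes Windows PowerShell 5.1 on an English-locale Windows box (the SAN parsing relies on the "DNS Name=" formatting); the function and parameter names are mine.

```powershell
# Added example, not from the thread. Probes every address behind an LDAPS name and
# reports the certificate each DC serves, or why the TLS handshake failed.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # name clients use: DC FQDN or a DNS alias
        [string[]] $Address,                         # optional: addresses to probe; default = all A records
        [int] $Port = 636,
        [int] $TimeoutMs = 5000
    )
    if (-not $Address) {
        $Address = [System.Net.Dns]::GetHostAddresses($HostName) |
            Where-Object { $_.AddressFamily -eq 'InterNetwork' } |
            ForEach-Object { $_.IPAddressToString }
    }
    foreach ($ip in $Address) {
        $r = [ordered]@{
            HostName = $HostName; Address = $ip; TlsOk = $false; Protocol = $null
            Subject = $null; SanDns = $null; SanCoversName = $false
            NotAfter = $null; Thumbprint = $null; Error = $null
        }
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $ar = $client.BeginConnect($ip, $Port, $null, $null)
            if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { throw "TCP connect timed out after $TimeoutMs ms" }
            $client.EndConnect($ar)
            # Accept whatever the server presents: the goal is to see it. Chain trust is a separate check.
            $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
            try {
                $ssl.AuthenticateAsClient($HostName)   # sends $HostName as SNI, like a real client would
                $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
                # SAN extension (2.5.29.17); Windows formats it as "DNS Name=a, DNS Name=b, IP Address=..."
                $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
                $dns = if ($san) { @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }) } else { @() }
                $r.TlsOk         = $true
                $r.Protocol      = $ssl.SslProtocol
                $r.Subject       = $cert.Subject
                $r.SanDns        = ($dns -join ',')
                $r.SanCoversName = ($dns -contains $HostName)   # -contains is case-insensitive
                $r.NotAfter      = $cert.NotAfter
                $r.Thumbprint    = $cert.Thumbprint
            } finally { $ssl.Dispose() }
        } catch {
            # Port open but no handshake: the DC has no certificate Schannel can use (no private key,
            # wrong EKU/SAN, expired). This is the ldp.exe error 81 / nmap "tcpwrapped" case.
            $r.Error = $_.Exception.Message
        } finally { $client.Dispose() }
        [pscustomobject]$r
    }
}

# Usage (names from the thread):
#   Test-LdapsEndpoint -HostName dc1wrk011.wrk.ads.pha.phila.gov | Format-List
#   Test-LdapsEndpoint -HostName ldap.wrk.ads.pha.phila.gov |
#       Format-Table Address, TlsOk, SanCoversName, NotAfter, Error -AutoSize
```

The second usage line is the one that matters for a round-robin alias: a client hitting the alias lands on a different DC each time, so "works sometimes" usually means one address behind the alias fails the handshake or serves a certificate whose SAN does not include the alias.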


 

Michael B. Smith

unread,
Jul 29, 2022, 10:39:23 AM7/29/22
to ntsys...@googlegroups.com

James Iversen

unread,
Jul 29, 2022, 10:51:29 AM7/29/22
to ntsys...@googlegroups.com
HAPPY SYSADMIN DAY!!!

https://serverfault.com/questions/437797/active-directory-dns-srv-records-for-ldaps


But, looks like they're taking the holiday ;-)


From:        "Michael B. Smith" <mic...@smithcons.com>
To:        "ntsys...@googlegroups.com" <ntsys...@googlegroups.com>
Date:        07/29/2022 10:39 AM
Subject:        RE: [ntsysadmin] Need some advice on setting up LDAPS
Sent by:        ntsys...@googlegroups.com





ATTENTION: This email was sent from someone outside of NYCM.
 

Yes, give it a go.


Mike Leone

unread,
Jul 29, 2022, 10:52:21 AM7/29/22
to ntsys...@googlegroups.com
On Fri, Jul 29, 2022 at 10:39 AM Michael B. Smith <mic...@smithcons.com> wrote:

Yes, give it a go.


Now we're cooking!

PS C:\PHA Scripts> .\Check-LDAPS.PS1

Resolve-DnsNme

Name                                           Type   TTL   Section    IPAddress
----                                           ----   ---   -------    ---------
dc1wrk011.wrk.ads.pha.phila.gov                A      3600  Answer     10.64.7.55




objectClass                                 : {top, domain, domainDNS}
description                                 : {The "Working" domain}
distinguishedName                           : {DC=wrk,DC=ads,DC=pha,DC=phila,DC=gov}
instanceType                                : {13}
whenCreated                                 : {8/7/2003 11:33:07 PM}
whenChanged                                 : {7/29/2022 3:04:57 AM}
subRefs                                     : {DC=DomainDnsZones,DC=wrk,DC=ads,DC=pha,DC=phila,DC=gov}
uSNCreated                                  : {System.__ComObject}

Z:\>nmap -v -p 636 -sV --script ssl-cert 10.64.7.55
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-29 10:48 Eastern Daylight Time
NSE: Loaded 46 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 10:48
Completed NSE at 10:48, 0.00s elapsed
Initiating NSE at 10:48
Completed NSE at 10:48, 0.00s elapsed
Initiating ARP Ping Scan at 10:48
Scanning 10.64.7.55 [1 port]
Completed ARP Ping Scan at 10:48, 0.09s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:48
Completed Parallel DNS resolution of 1 host. at 10:48, 0.00s elapsed
Initiating SYN Stealth Scan at 10:48

Scanning DC1WRK011.wrk.ads.pha.phila.gov (10.64.7.55) [1 port]
Discovered open port 636/tcp on 10.64.7.55
Completed SYN Stealth Scan at 10:48, 0.00s elapsed (1 total ports)
Initiating Service scan at 10:48

Scanning 1 service on DC1WRK011.wrk.ads.pha.phila.gov (10.64.7.55)
Completed Service scan at 10:48, 17.15s elapsed (1 service on 1 host)
NSE: Script scanning 10.64.7.55.
Initiating NSE at 10:48
Completed NSE at 10:48, 0.01s elapsed
Initiating NSE at 10:48
Completed NSE at 10:48, 0.03s elapsed

Nmap scan report for DC1WRK011.wrk.ads.pha.phila.gov (10.64.7.55)
Host is up (0.00088s latency).

PORT    STATE SERVICE  VERSION
636/tcp open  ssl/ldap
| ssl-cert: Subject: commonName=DC1WRK011.wrk.ads.pha.phila.gov
| Subject Alternative Name: DNS:DC1WRK011.wrk.ads.pha.phila.gov, DNS:DC1WRK011, IP Address:10.64.7.55
| Issuer: commonName=DCTRCERT002
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2022-03-04T19:32:44
| Not valid after:  2027-03-04T19:42:44
| MD5:   119a c054 1447 8e21 9b07 2fbc bde7 164f
| SHA-1: d5f7 2b83 2102 728c a06c 1c18 f2b4 2f1e 271f 6f0f
| -----BEGIN CERTIFICATE-----

|_-----END CERTIFICATE-----

MAC Address: 00:50:56:A2:02:69 (VMware)

NSE: Script Post-scanning.
Initiating NSE at 10:48
Completed NSE at 10:48, 0.01s elapsed
Initiating NSE at 10:48
Completed NSE at 10:48, 0.00s elapsed

Read data files from: C:\Program Files (x86)\Nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.77 seconds

           Raw packets sent: 2 (72B) | Rcvd: 2 (72B)


So it's that second cert. OK, I can delete it from all the DCs. I guess eventually I'll have to figure out some other way of doing secure LDAP for that annoying Cisco app that wants a specific hostname for LDAP, rather than a generic DNS alias or the AD domain name ...

If you've got ideas on how to do that (use a generic alias for Secure LDAP, rather than a single hostname or AD domain name), I'm all ears ...

Great! That helps a lot. 

James Iversen

unread,
Jul 29, 2022, 10:53:58 AM7/29/22
to ntsys...@googlegroups.com
Before you delete that cert, make sure your KDC isn't using it...




From:        "Mike Leone" <tur...@mike-leone.com>
To:        ntsys...@googlegroups.com
Date:        07/29/2022 10:52 AM
Subject:        Re: [ntsysadmin] Need some advice on setting up LDAPS
Sent by:        ntsys...@googlegroups.com






Mike Leone

unread,
Jul 29, 2022, 10:55:56 AM7/29/22
to ntsys...@googlegroups.com
On Fri, Jul 29, 2022 at 10:53 AM James Iversen <JIve...@nycm.com> wrote:
Before you delete that cert, make sure your KDC isn't using it...

Too late ... I only deleted it from 1 DC, it's still out on all the others.

How do I tell what cert my KDC is using?
 

Michael B. Smith

unread,
Jul 29, 2022, 10:56:38 AM7/29/22
to ntsys...@googlegroups.com

Probably something wrong with the cert. 😊 Because I have that configuration in my test environment and it works fine.

 

Now that I look more closely, it appears that you forgot to export & import the private key. Is that accurate?
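Added example, not code from the thread: a PowerShell audit of Cert:\LocalMachine\My that checks each certificate against the requirements Michael laid out at the start (Server Authentication EKU, the DC's FQDN in the SAN) plus the two things that turned out to matter here, a private key actually present in the store and more than one candidate certificate. Candidates are listed longest-lived first, the order the thread says wins when several qualify. It assumes an elevated Windows PowerShell 5.1 session on the DC and an English-locale SAN format; the function names are mine.

```powershell
# Added example, not from the thread. Audits the machine store for LDAPS-usable certificates.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $Fqdn
    )
    $problems = @()

    # Server Authentication EKU, 1.3.6.1.5.5.7.3.1 (the OID the CSR in the thread requests)
    $eku = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids = if ($eku) { @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
    if ($ekuOids -notcontains '1.3.6.1.5.5.7.3.1') { $problems += 'no Server Authentication EKU' }

    # FQDN must be in the SAN extension (2.5.29.17); per Michael's requirement the Subject CN alone does not count
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dns = if ($san) { @([regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value }) } else { @() }
    if ($dns -notcontains $Fqdn) { $problems += "SAN lacks $Fqdn" }

    # The private key has to live in this store too; a .cer imported by itself cannot serve TLS
    if (-not $Certificate.HasPrivateKey) { $problems += 'no private key in this store (cert imported without its key)' }

    $now = Get-Date
    if ($now -lt $Certificate.NotBefore -or $now -gt $Certificate.NotAfter) { $problems += 'outside validity period' }

    [pscustomobject]@{
        Thumbprint    = $Certificate.Thumbprint
        Subject       = $Certificate.Subject
        SanDns        = ($dns -join ',')
        HasPrivateKey = $Certificate.HasPrivateKey
        NotAfter      = $Certificate.NotAfter
        Suitable      = ($problems.Count -eq 0)
        Problems      = ($problems -join '; ')
    }
}

function Get-LdapsCandidateCertificate {
    # Default FQDN is this machine's own name, so the script can be run as-is on each DC
    param([string] $Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)
    Get-ChildItem Cert:\LocalMachine\My |
        ForEach-Object { Test-LdapsCertificate -Certificate $_ -Fqdn $Fqdn } |
        Sort-Object NotAfter -Descending   # longest-lived first: the order the thread says Schannel prefers
}

Get-LdapsCandidateCertificate |
    Format-Table Thumbprint, Subject, HasPrivateKey, NotAfter, Suitable, Problems -AutoSize
```

Run it on a failing DC and on a working one and compare the Problems column; a row with HasPrivateKey False is the "forgot to export and import the private key" case, and two rows with Suitable True is the "two certificates there" case. Running the audit against the alias name (-Fqdn ldap.wrk.ads.pha.phila.gov) shows whether the alias certificate would qualify on that DC at all.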

 

James Iversen

unread,
Jul 29, 2022, 11:01:47 AM7/29/22
to ntsys...@googlegroups.com
Navigate to the logs

Navigate to the Event viewer on the DC...

Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational

Daily the KDC verifies the cert used is valid...

Event ID 302

If there are errors, maybe re-issuing your cert is in order.



Mike Leone

unread,
Jul 29, 2022, 11:02:22 AM7/29/22
to ntsys...@googlegroups.com
On Fri, Jul 29, 2022 at 10:56 AM Michael B. Smith <mic...@smithcons.com> wrote:

Probably something wrong with the cert. 😊 Because I have that configuration in my test environment and it works fine.

 

Now that I look more closely, it appears that you forgot to export & import the private key. Is that accurate?

 



On the cert issued in the name of the alias? I didn't generate it on this DC, I don't think. I just imported it into the store on all the DCs. At this point, I honestly don't remember which DC I generated that CSR on .. I'm not sure where the private key is, to be honest ...

Obviously, I've set that cert up wrong. So I can just delete it on all the DCs, and revoke the cert, and start over. Just not sure how to avoid this problem in future ....


Michael B. Smith

unread,
Jul 29, 2022, 11:03:44 AM7/29/22
to ntsys...@googlegroups.com

Export and import the private key. 😊

 


Mike Leone

unread,
Jul 29, 2022, 11:04:20 AM7/29/22
to ntsys...@googlegroups.com
On Fri, Jul 29, 2022 at 11:01 AM James Iversen <JIve...@nycm.com> wrote:
Navigate to the logs

Navigate to the Event viewer on the DC...

Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational

Daily the KDC verifies the cert used is valid...

Event ID 302

If there are errors, maybe re-issuing your cert is in order.

No entries in that event log on this DC at all, completely empty ...

So I guess that's good? LOL


James Iversen

unread,
Jul 29, 2022, 11:05:39 AM7/29/22
to ntsys...@googlegroups.com
Enable the log and restart your KDC service.


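The steps James describes (enable the KDC operational log, restart the KDC, read the cert-check events), as an added PowerShell example rather than anything posted in the thread. One caveat a practitioner should keep in mind: that log reports on the certificate the KDC would use for Kerberos certificate (smart card / PKINIT) logon. LDAPS on 636 is served by Schannel, whose "no usable server credential" complaints land in the System log under the Schannel provider, so the second query below is the one that actually speaks to the LDAPS failure. Event IDs 200 and 302 are the ones named in the thread; run this on the DC being diagnosed.

```powershell
# Added example (not from the thread). Run elevated on the DC you are diagnosing.
$kdcLog = 'Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational'

# 1. Enable the operational log (it ships disabled) and restart the KDC so it
#    re-evaluates its certificate and writes event 200/302 immediately.
wevtutil set-log $kdcLog /enabled:true
Restart-Service -Name Kdc
Start-Sleep -Seconds 5

# 2. KDC view: 200 = no suitable certificate for certificate logon, 302 = periodic check.
Get-WinEvent -FilterHashtable @{ LogName = $kdcLog; Id = 200, 302 } -MaxEvents 10 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message |
    Format-List

# 3. Schannel view: this is the component that serves LDAPS. A DC holding a
#    certificate without its private key cannot use it as a server credential,
#    and the complaint shows up here, not in the KDC log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel' } -MaxEvents 20 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message |
    Format-Table -Wrap
```

An empty KDC log after step 1 simply means the log was never enabled; an empty Schannel result means nothing has complained since the last boot, so reproduce the failing 636 connection first and then re-run the query.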

Mike Leone

unread,
Jul 29, 2022, 11:06:17 AM7/29/22
to ntsys...@googlegroups.com
On Fri, Jul 29, 2022 at 11:03 AM Michael B. Smith <mic...@smithcons.com> wrote:

Export and import the private key. 😊


From where? My certificate server? I've never had to do anything like that before. Do I then import the key on all the DCs??

Mike Leone

unread,
Jul 29, 2022, 11:10:30 AM7/29/22
to ntsys...@googlegroups.com
On Fri, Jul 29, 2022 at 11:05 AM James Iversen <JIve...@nycm.com> wrote:
Enable the log and restart your KDC service.

Log Name:      Microsoft-Windows-Kerberos-Key-Distribution-Center/Operational
Source:        Microsoft-Windows-Kerberos-Key-Distribution-Center
Date:          7/29/2022 11:07:53 AM
Event ID:      200
Task Category: KDC
Level:         Warning
Keywords:      
User:          SYSTEM
Computer:      DC1WRK011.wrk.ads.pha.phila.gov
Description:
The Key Distribution Center (KDC) cannot find a suitable certificate to use. This KDC is not enabled for smart card or certificate authentication.


Which would be correct, as none of the certs on any DC has "Smart Card" in the Extended Key Usage ... Probably because we don't use smart cards ... LOL



 

James Iversen

unread,
Jul 29, 2022, 11:14:05 AM7/29/22
to ntsys...@googlegroups.com
Back to my original response of:





Michael B. Smith

unread,
Jul 29, 2022, 11:16:28 AM7/29/22
to ntsys...@googlegroups.com

The key is included in the PFX file when you do the export. Whether to include the private key is one of the options in the export wizard.

 

If you export it, it’s automatically imported.

 

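A scripted version of that export/import, as an added example and not anything posted in the thread. It assumes the CN of the alias certificate, the list of failing DCs, and that the DC you run it on is the one that generated the CSR and therefore holds the private key (the only DC that already answers on 636). The PFX bytes travel over WinRM rather than a file share, and the final object per DC reports HasPrivateKey, which is the property that was missing on the failing DCs.

```powershell
# Added example (not from the thread). Run as Domain Admin on the DC that holds the key.
$ErrorActionPreference = 'Stop'

$subjectAlias = 'ldaps.wrk.ads.pha.phila.gov'         # assumed: CN of the alias cert
$targetDcs    = @('dc1wrk011.wrk.ads.pha.phila.gov')   # assumed: the DCs that fail on 636
$pfxPassword  = Read-Host -AsSecureString 'PFX password'

# 1. Locate the alias cert in the machine store and insist that THIS copy has the key.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$subjectAlias*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No cert for CN=$subjectAlias with a private key on this host; wrong DC?" }

# 2. Export cert + private key. This fails if the key was generated non-exportable,
#    in which case the only fix is a fresh CSR with an exportable key (or one CSR per DC).
$pfxPath = Join-Path $env:TEMP 'ldaps-alias.pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null
$pfxBytes = [IO.File]::ReadAllBytes($pfxPath)
Remove-Item $pfxPath -Force   # do not leave a key file lying around on the DC

# 3. On each failing DC: drop the key-less copy, import the PFX, prove the key is present.
foreach ($dc in $targetDcs) {
    Invoke-Command -ComputerName $dc -ArgumentList $cert.Thumbprint, $pfxBytes, $pfxPassword -ScriptBlock {
        param($thumbprint, $bytes, $pwd)

        # Remove the certificate-only copy that was imported earlier (same thumbprint, no key).
        Get-ChildItem Cert:\LocalMachine\My |
            Where-Object { $_.Thumbprint -eq $thumbprint -and -not $_.HasPrivateKey } |
            Remove-Item

        $tmp = Join-Path $env:TEMP 'ldaps-alias.pfx'
        [IO.File]::WriteAllBytes($tmp, $bytes)
        try {
            Import-PfxCertificate -FilePath $tmp -CertStoreLocation Cert:\LocalMachine\My -Password $pwd | Out-Null
        } finally {
            Remove-Item $tmp -Force
        }

        $imported = Get-Item "Cert:\LocalMachine\My\$thumbprint"
        [pscustomobject]@{
            Computer      = $env:COMPUTERNAME
            Subject       = $imported.Subject
            HasPrivateKey = $imported.HasPrivateKey   # must be True, or Schannel cannot serve 636 with it
            NotAfter      = $imported.NotAfter
        }
    }
}
```

Two caveats. First, AD DS does not necessarily pick up a replaced certificate instantly; either reboot the DC or ask it to reload with an LDIF modify of the rootDSE attribute renewServerCertificate (value 1) via ldifde. Second, when several server-authentication certificates sit in the machine store, which one Schannel offers on 636 is not guaranteed; putting the intended one in the AD DS service's own store (NTDS\Personal) removes the ambiguity.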

Mike Leone

unread,
Jul 29, 2022, 2:49:31 PM7/29/22
to ntsys...@googlegroups.com
On Fri, Jul 29, 2022 at 10:51 AM James Iversen <JIve...@nycm.com> wrote:
It's back. But the app in question (some Cisco telecom software) apparently isn't aware enough to do a DNS lookup for SRV records. The developer tells me he needs a specific hostname, that he can't use just the domain name. I can ask him to check again, but he tells me he has to restart the app whenever he makes changes like that, which then interrupts our phone system. I dunno if I buy that, or he's just not understanding something ...

Michael B. Smith

unread,
Jul 29, 2022, 3:03:46 PM7/29/22
to ntsys...@googlegroups.com

It’s very likely that it only does the DNS client lookup once – during program initialization.

 

Which is crappy programming technique, but very common.

 


James Iversen

unread,
Jul 29, 2022, 3:06:34 PM7/29/22
to ntsys...@googlegroups.com
You can craft a new Kerberos Certificate Template to include a namespace\cname supplied in DNS.

I made one called "TheDomain" so I can ping the domain :-) Gawd, I'm such a freakin nerd...

Anyway, you could create a cname ldaps.wrk.ads.pha.phila.gov with CN=ldaps in SAN of a new cert.

Otherwise, you'll be stuck with providing one DC name to your Cisco device.

I know Cisco stuff communicating over tls uses specific names.

Also, some Cisco stuff is AD aware as accounts are created by some kind of join process.

I've seen some weirdness from time to time with them here.

Have a great weekend SysAdmins!





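Once a shared alias is in play, the check worth scripting is: for each DC, which certificate does Schannel actually present on 636, and does its Subject Alternative Name cover both the DC's own FQDN and the alias? A client connecting by the alias needs the alias in the SAN; a client connecting by DC name needs that name. The following is an added example, not code from the thread; the alias and the DC list are assumptions, and the SAN parsing relies on the English-language label text that .NET's extension formatter emits.

```powershell
# Added example (not from the thread). Runs from any domain-joined Windows host.
$alias = 'ldaps.wrk.ads.pha.phila.gov'                                   # assumed alias
$dcs   = @('dc1wrk011.wrk.ads.pha.phila.gov', 'dc2wrk010.wrk.ads.pha.phila.gov')

function Get-LdapsServerCertificate {
    param([string]$HostName, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept whatever the server sends so we can inspect it; trust is evaluated below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        [pscustomobject]@{
            Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
            Protocol    = $ssl.SslProtocol
        }
    } finally {
        $tcp.Dispose()
    }
}

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # id-ce-subjectAltName
    if (-not $san) { return @() }
    # Format($true) yields one entry per line, e.g. "DNS Name=dc1wrk011.wrk.ads.pha.phila.gov"
    # (label is locale dependent; matches the English build of Windows).
    $san.Format($true) -split "`r?`n" | ForEach-Object {
        if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
    }
}

$results = foreach ($dc in $dcs) {
    $row = [ordered]@{
        DC = $dc; Subject = $null; SanDns = $null; CoversDc = $false
        CoversAlias = $false; ChainValid = $false; Expires = $null; Tls = $null; Error = $null
    }
    try {
        $r     = Get-LdapsServerCertificate -HostName $dc
        $cert  = $r.Certificate
        $names = @(Get-SanDnsNames -Cert $cert)
        $row.Subject     = $cert.Subject
        $row.SanDns      = $names -join ', '
        $row.CoversDc    = $names -contains $dc      # clients that connect by DC name
        $row.CoversAlias = $names -contains $alias   # clients that connect by the alias
        $row.ChainValid  = $cert.Verify()            # chain + revocation against this host's trust store
        $row.Expires     = $cert.NotAfter
        $row.Tls         = $r.Protocol
    } catch {
        # A DC that holds the certificate but not its private key lands here: Schannel has
        # no usable server credential, so the handshake never completes and LDAP clients
        # report the server as unreachable rather than a certificate error.
        $row.Error = $_.Exception.Message
    }
    [pscustomobject]$row
}
$results | Format-Table -AutoSize -Wrap
```

A row with CoversAlias = False on a DC that otherwise handshakes fine explains a name-mismatch failure for the Cisco application without any LDAP error on the DC side; a row with an Error and no Subject is the key-less-certificate case from earlier in the thread.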

Mike Leone

unread,
Aug 3, 2022, 12:27:30 PM8/3/22
to ntsys...@googlegroups.com
Thanks, that seemed to do it. I exported the key into a PFX, deleted the cert out of all the other DCs, re-imported the cert from the PFX (so it has a key), and now my LDAPS checking using the name in the subject of that cert seems to all work OK!
