I hate troubleshooting SSL but here it goes...
 
First, have you installed the Cert Chain on the machine you are querying AD from?
 
Second, is the DNS name of the DC you are querying exactly what is in the DC's cert?
 
I don't think you need anything open other than 636. The way the MSFT LDAP API works, if you specify 636 it will attempt an SSL connection even if not explicitly specified; however, try adding the -ssl switch to adfind.
 
The main thing you want to do is get a trace and see where it is failing. The sequence will be something like
 
Client-> Server TCP     LDAPS SYN 
Server-> Client TCP     LDAPS SYN, ACK
Client-> Server TCP     LDAPS ACK
Client-> Server SSLV2   LDAPS Client Hello
Server->Client  TCP     LDAPS one or more packets in response
Client-> Server TCP     LDAPS ACK
Server->Client  TCP     LDAPS one or more packets
Server->Client  TLS     LDAPS Server Hello, Certificate, Certificate Request, Server Hello Done
Client-> Server TCP     LDAPS ACK
Client-> Server TLS     LDAPS Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
Server->Client  TLS     LDAPS Change Cipher Spec, Encrypted Handshake Message
...then you will see TLS Application Data packets...
 
 
Now if you don't have the DNS hostname right or don't have the cert chain on the local machine you will see (or at least I always recall seeing) something like
 
Client-> Server TCP     LDAPS SYN 
Server-> Client TCP     LDAPS SYN, ACK
Client-> Server TCP     LDAPS ACK
Client-> Server SSLV2   LDAPS Client Hello
Server->Client  TCP     LDAPS one or more packets in response
Client-> Server TCP     LDAPS ACK
Server->Client  TCP     LDAPS one or more packets
Server->Client  TLS     LDAPS Server Hello, Certificate, Certificate Request, Server Hello Done
Client-> Server TCP     LDAPS ACK
Client-> Server TCP     LDAPS RST,ACK
 
 
I could easily be wrong as I am not an SSL kind of guy, but I am not positive if the CRL is required for this communication. I know I have seen this work without a current or in fact any CRL from the authority on the client side.
 
   joe
 
 
 
--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm 
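A way to run the two checks above (is the cert chain installed locally, and does the DNS name used match the DC's cert) from the client side without a sniffer, as an added example that is not part of the original thread and is not AdFind's own code. It completes a verifying TLS handshake to port 636 with the Python standard library and reports which stage of the exchange in the trace above the failure corresponds to. The DC name dc1.example.com and the CA bundle path are placeholders; the OpenSSL verify-result codes it maps are the standard X509_V_ERR_* values.

```python
"""Probe an LDAPS listener (636/tcp) with a fully verifying TLS handshake and
say where the exchange stopped.  Added example for this thread; not AdFind
code.  Placeholders: dc1.example.com (DC name) and the CA bundle path given
on the command line.  Needs only the standard library (Python 3.7+)."""
import socket
import ssl
import sys

# OpenSSL X509_V_ERR_* verify codes that correspond to "cert chain not
# installed on the querying machine".  (Standard OpenSSL values.)
CHAIN_CODES = {
    18: "server cert is self-signed and is not trusted locally",
    19: "a CA in the chain is self-signed and is not installed locally",
    20: "the issuer of the server cert is not installed locally",
    21: "the first cert in the chain could not be verified",
}
HOSTNAME_CODE = 62  # X509_V_ERR_HOSTNAME_MISMATCH: name used != name in cert


def classify_failure(exc):
    """Map the exception raised during connect/handshake to a stage of the
    LDAPS exchange.  Returns (stage, detail)."""
    # Subclass of SSLError, so it has to be tested first.
    if isinstance(exc, ssl.SSLCertVerificationError):
        code = getattr(exc, "verify_code", None)
        if code == HOSTNAME_CODE:
            return ("hostname", "the DNS name used does not match the DC's cert")
        if code in CHAIN_CODES:
            return ("chain", CHAIN_CODES[code])
        return ("chain", getattr(exc, "verify_message", str(exc)))
    if isinstance(exc, ssl.SSLEOFError):
        # Server closed the connection in the middle of the handshake.
        return ("reset", "peer closed the connection before the handshake finished")
    if isinstance(exc, ssl.SSLError):
        # A TLS record came back but the handshake could not complete.
        return ("handshake", str(exc))
    if isinstance(exc, socket.gaierror):
        return ("dns", "the DC name does not resolve from this machine")
    if isinstance(exc, (ConnectionRefusedError, socket.timeout)):
        return ("tcp", "no SYN/ACK from port 636; check the firewall rule and portqry")
    if isinstance(exc, ConnectionResetError):
        return ("reset", "peer sent RST/ACK after the TCP handshake")
    return ("unknown", repr(exc))


def cert_names(cert):
    """Return every DNS name a getpeercert() dict is valid for: the DNS
    subjectAltName entries followed by the subject commonName.  The name used
    with adfind -h has to be one of these, not an alias or an IP."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def probe_ldaps(host, port=636, cafile=None, timeout=10):
    """Complete a verifying TLS handshake to host:port.  Returns (True, names)
    when the handshake succeeds, otherwise (False, (stage, detail))."""
    ctx = ssl.create_default_context(cafile=cafile)  # system store if cafile is None
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                # Handshake finished: a trace would now show Application Data.
                return True, cert_names(tls.getpeercert())
    except Exception as exc:  # every failure mode is classified, not swallowed
        return False, classify_failure(exc)


if __name__ == "__main__":
    # Usage: python ldaps_probe.py dc1.example.com [ca-chain.pem]
    host = sys.argv[1] if len(sys.argv) > 1 else "dc1.example.com"  # placeholder
    cafile = sys.argv[2] if len(sys.argv) > 2 else None
    ok, info = probe_ldaps(host, cafile=cafile)
    if ok:
        print("handshake OK; cert is valid for:", ", ".join(info))
    else:
        stage, detail = info
        print(f"failed at stage '{stage}': {detail}")
```

A "chain" or "hostname" result is the client refusing the server's Certificate message, which is the point in the second trace where the RST,ACK appears; a "tcp" result means the firewall rule for 636 is not actually passing traffic. Run it once with the CA bundle and once without to confirm it is the local trust store and not the DC that differs between inside and outside.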
 
 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 7:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure LDAP queries from the outside

Hi,

   We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue.  Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using "adfind":

adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up *  -default -nodn -f sn=thommes extensionAttribute2

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down

Terminating program.

(extensionAttribute2 is used for email address)

 

Portqry shows that the DC is listening on port 636.  Using “ldp”, the bind operation seems to want to default to port 389 (which is not open).

 

It works fine behind our firewall.  Is there some other port that needs to be open (besides 389)?  Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way?  Any help is appreciated!

 

TIA,

Mike Thommes

 

 
