Windows 2000 RTM, by default, does not perform CRL checking; XP and 2003 do. However, there are behavior variances on an application-by-application basis. For more information: http://www.microsoft.com/technet/security/topics/cryptographyetc/tshtcrl.mspx#ES3AE
Laura

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
> Sent: Wednesday, August 23, 2006 10:06 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Secure LDAP queries from the outside --> problem solved
>
> It actually depends on the policy defined for the SSL stack. In Windows, this is typically configured globally for all SSL, although I'm not sure where. It definitely used to be the case in Windows that CRLs were never checked, but I have seen some other SSL stuff with HTTP actually checking the CRL on 2K3 servers.
>
> It is also possible in SSPI with Schannel to ignore specific conditions, so this could be something that is ignored in the default LDAP SSL routine in Windows, but I doubt it. The callback function for server certificate verification will give you the error code if there is a problem and the client can then deal with it as it sees fit.
>
> CRLs can definitely be trouble though. They are by far the most vexing thing to troubleshoot in SSL, and PKI in general.
>
> Joe
>
> ----- Original Message -----
> From: "Thommes, Michael M." <[EMAIL PROTECTED]>
> To: <ActiveDir@mail.activedir.org>
> Sent: Wednesday, August 23, 2006 8:37 PM
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved
>
> > Hi joe,
> > The CRL location is *not* available from the outside. And since neither adfind, ldp or Outlook Express seemed to care, I am guessing that not many (any?) tools require it. Kinda makes ya wonder why you would have it if it's not used. Sorta like not using the book of bad credit card numbers when someone handed you a credit card! (maybe some of you are old enough to remember this safeguard before there were computers everywhere! LOL!).
> >
> > Mike Thommes
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED] on behalf of joe
> > Sent: Wed 8/23/2006 7:15 PM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved
> >
> > Cool, is the CRL available from the outside at all? I am really curious if that is truly needed from the client when using LDAPS, it doesn't seem to be needed but my testing has been far from perfect in that regard.
> >
> > joe
> >
> > --
> > O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
> > Sent: Wednesday, August 23, 2006 8:06 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved
> >
> > Thanks to all who responded! The problem was solved by installing our local root CA cert on the "outside" computer since we are "rolling our own" and not using one of the well-known CAs (Trusted Root Certification Authorities).
> >
> > Mike Thommes
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
> > Sent: Tuesday, August 22, 2006 9:36 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Secure LDAP queries from the outside
> >
> > Hi Robert,
> >
> > Yes, the command is *exactly* the same. We are thinking that our CRL location is not available outside of the firewall. We generate our own certificates; we don't use a "well-known" provider.
> >
> > Mike Thommes
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
> > Sent: Tuesday, August 22, 2006 9:16 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: RE: [ActiveDir] Secure LDAP queries from the outside
> >
> > Hey Mike,
> >
> > When you say "It works fine behind our firewall", are you meaning that the *exact same* command line works and you get the object returned?
> >
> > I tried using adfind to connect to my test DC using port 636 and got the exact same error...but I don't have a cert installed on my DC so I'd expect mine not to work.
> >
> > Robert Williams
> >
> > ________________________________
> >
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
> > Sent: Tuesday, August 22, 2006 6:19 AM
> > To: ActiveDir@mail.activedir.org
> > Subject: [ActiveDir] Secure LDAP queries from the outside
> >
> > Hi,
> >
> > We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue. Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using "adfind":
> >
> >     adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2
> >
> >     AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
> >
> >     LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
> >     Terminating program.
> >
> > (extensionAttribute2 is used for email address)
> >
> > Portqry shows that the DC is listening on port 636. Using "ldp", the bind operation seems to want to default to port 389 (which is not open).
> >
> > It works fine behind our firewall. Is there some other port that needs to be open (besides 389)? Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way? Any help is appreciated!
> >
> > TIA,
> > Mike Thommes
> >
> > 2006-08-22, 10:35:32
> > The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.
> >
> > List info : http://www.activedir.org/List.aspx
> > List FAQ : http://www.activedir.org/ListFAQ.aspx
> > List archive: http://www.activedir.org/ml/threads.aspx
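As an added diagnostic (not from the thread or any of its authors), the PowerShell function below does what Joe describes: it drives the .NET SslStream handshake against an LDAPS port and reports what the server-certificate validation callback returns, so a failure seen from the "outside" host can be attributed to an untrusted private root CA (chain status UntrustedRoot) or to an unreachable CRL location (RevocationStatusUnknown / OfflineRevocation, which only appear when revocation checking is turned on). The host name is a placeholder.

```powershell
function Test-LdapsCertificate {
    # Connect to an LDAPS port, run the TLS handshake and report why validation
    # would fail: untrusted private root CA versus unreachable CRL.
    param(
        [Parameter(Mandatory)][string]$Server,   # placeholder host, e.g. 'dc1.example.internal'
        [int]$Port = 636,
        [switch]$CheckRevocation                 # on: chain building also fetches the CRL
    )
    $report = [ordered]@{
        Target = "${Server}:$Port"; TcpConnected = $false; HandshakeOk = $false
        PolicyErrors = $null; ChainStatus = @(); Subject = $null; Issuer = $null
        CrlUrls = @(); Error = $null
    }
    # The validation callback is where the error surfaces. Returning $true accepts
    # the certificate anyway so the handshake completes and we can still report it.
    $callback = {
        param($sender, $cert, $chain, $policyErrors)
        $report.PolicyErrors = $policyErrors.ToString()
        $report.ChainStatus  = @($chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())" })
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        $report.TcpConnected = $true
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $noClientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
        # This overload lets us choose whether the chain check also consults the CRL.
        $ssl.AuthenticateAsClient($Server, $noClientCerts,
            [System.Security.Authentication.SslProtocols]::Tls12, [bool]$CheckRevocation)
        $report.HandshakeOk = $true
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $report.Subject = $leaf.Subject
        $report.Issuer  = $leaf.Issuer
        # CRL Distribution Points extension (OID 2.5.29.31): the URLs a client must be
        # able to reach from where it sits if it is going to check revocation at all.
        $cdp = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if ($cdp) {
            $report.CrlUrls = @([regex]::Matches($cdp.Format($true), 'URL=(\S+)') |
                ForEach-Object { $_.Groups[1].Value })
        }
    } catch {
        $report.Error = $_.Exception.GetBaseException().Message
    } finally {
        $tcp.Close()
    }
    [pscustomobject]$report
}

# Run from the "outside" host: first without, then with, revocation checking.
Test-LdapsCertificate -Server 'dc1.example.internal' | Format-List
Test-LdapsCertificate -Server 'dc1.example.internal' -CheckRevocation | Format-List
```

A report with TcpConnected true but PolicyErrors of RemoteCertificateChainErrors and an UntrustedRoot chain status is the situation Mike fixed by installing the private root CA; the same run with -CheckRevocation shows whether the listed CrlUrls are reachable from that network, which the thread found was not the case but was not being enforced by the clients used.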