Furthermore the current implementation of wldap32 in Windows Server 2003 SP1 does not request that the certificate be verified. This has been changed in a QFE for Windows Server 2003 SP1 and will be addressed in the next service pack for Windows Server 2003, SP2. So you may see a change in behavior going forward, at least on the server platform.

Thanks,
-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, August 23, 2006 9:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved

Windows 2000 RTM, by default, does not perform CRL checking; XP and 2003 do. However, there are behavior variances on an application-by-application basis. For more information:
http://www.microsoft.com/technet/security/topics/cryptographyetc/tshtcrl.mspx#ES3AE

Laura

> -----Original Message-----
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
> Sent: Wednesday, August 23, 2006 10:06 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Secure LDAP queries from the outside --> problem solved
>
> It actually depends on the policy defined for the SSL stack. In Windows, this is typically configured globally for all SSL, although I'm not sure where. It definitely used to be the case in Windows that CRLs were never checked, but I have seen some other SSL stuff with HTTP actually checking the CRL on 2K3 servers.
>
> It is also possible in SSPI with Schannel to ignore specific conditions, so this could be something that is ignored in the default LDAP SSL routine in Windows, but I doubt it. The callback function for server certificate verification will give you the error code if there is a problem and the client can then deal with it as it sees fit.
>
> CRLs can definitely be trouble though. They are by far the most vexing thing to troubleshoot in SSL, and PKI in general.
>
> Joe
>
> ----- Original Message -----
> From: "Thommes, Michael M." <[EMAIL PROTECTED]>
> To: <ActiveDir@mail.activedir.org>
> Sent: Wednesday, August 23, 2006 8:37 PM
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved
>
> Hi joe,
> The CRL location is *not* available from the outside. And since neither adfind, ldp or Outlook Express seemed to care, I am guessing that not many (any?) tools require it. Kinda makes ya wonder why you would have it if it's not used. Sorta like not using the book of bad credit card numbers when someone handed you a credit card! (maybe some of you are old enough to remember this safeguard before there were computers everywhere! LOL!).
>
> Mike Thommes
>
> ________________________________
>
> From: [EMAIL PROTECTED] on behalf of joe
> Sent: Wed 8/23/2006 7:15 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved
>
> Cool, is the CRL available from the outside at all? I am really curious if that is truly needed from the client when using LDAPS, it doesn't seem to be needed but my testing has been far from perfect in that regard.
>
> joe
>
> --
> O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
> Sent: Wednesday, August 23, 2006 8:06 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved
>
> Thanks to all who responded! The problem was solved by installing our local root CA cert on the "outside" computer since we are "rolling our own" and not using one of the well known CAs (Trusted Root Certification Authorities).
>
> Mike Thommes
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
> Sent: Tuesday, August 22, 2006 9:36 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside
>
> Hi Robert,
>
> Yes, the command is *exactly* the same. We are thinking that our CRL location is not available outside of the firewall. We generate our own certificates; we don't use a "well known" provider.
>
> Mike Thommes
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
> Sent: Tuesday, August 22, 2006 9:16 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside
>
> Hey Mike,
>
> When you say "It works fine behind our firewall", are you meaning that the *exact same* command line works and you get the object returned?
>
> I tried using adfind to connect to my test DC using port 636 and got the exact same error...but I don't have a cert installed on my DC so I'd expect mine not to work.
>
> Robert Williams
>
> ________________________________
>
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
> Sent: Tuesday, August 22, 2006 6:19 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Secure LDAP queries from the outside
>
> Hi,
>
> We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue. Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using "adfind":
>
> adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2
>
> AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
>
> LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
> Terminating program.
>
> (extensionAttribute2 is used for email address)
>
> Portqry shows that the DC is listening on port 636. Using "ldp", the bind operation seems to want to default to port 389 (which is not open).
>
> It works fine behind our firewall. Is there some other port that needs to be open (besides 389)? Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way?
> Any help is appreciated!
>
> TIA,
> Mike Thommes
>
> 2006-08-22, 10:35:32
>
> List info : http://www.activedir.org/List.aspx
> List FAQ : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx
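A diagnostic script, added here and not part of the thread or of any of the tools it mentions, that checks from an "outside" host the two things this thread converges on: whether the DC's LDAPS certificate chains to a root this machine trusts (the cause Mike found), and whether the certificate's CRL distribution point is reachable from where the client sits (the cause the thread suspected). It uses .NET's SslStream and X509Chain, which on Windows drive the same CryptoAPI chain engine Schannel uses; the host name dc1.abc.com is taken from the adfind example and is a placeholder to replace.

```powershell
# Added diagnostic (not from the thread). Assumes $Server is a DC with LDAPS on 636.
param(
    [string]$Server = 'dc1.abc.com',   # placeholder from the adfind example; replace
    [int]$Port = 636
)

# 1. TLS handshake on 636. The callback returns $true only so we can capture the
#    certificate; the real policy decision is made by the chain builds below.
$tcp = New-Object System.Net.Sockets.TcpClient
$tcp.Connect($Server, $Port)
$accept = { param($sender, $certificate, $chain, $errors) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($Server)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()
"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"SANs    : $(($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false))"

# 2. Build the chain twice. NoCheck isolates a trust problem (root CA not installed,
#    Mike's case); Online adds CRL retrieval, so a failure that appears only here
#    points at the CRL distribution point being unreachable from this network.
foreach ($mode in 'NoCheck', 'Online') {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::$mode
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    $ok = $chain.Build($cert)
    "RevocationMode=$mode -> chain valid: $ok"
    foreach ($s in $chain.ChainStatus) { "  $($s.Status): $($s.StatusInformation.Trim())" }
}

# 3. Read the CRL Distribution Points extension (OID 2.5.29.31) and probe each HTTP
#    URL from this host, which is exactly the "is the CRL reachable from outside" question.
$cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
if (-not $cdp) { "No CRL Distribution Points extension on the server certificate"; return }
$urls = [regex]::Matches($cdp.Format($true), 'https?://\S+') | ForEach-Object { $_.Value }
foreach ($u in $urls) {
    try {
        $resp = [System.Net.WebRequest]::Create($u).GetResponse()
        "CRL $u reachable (HTTP $([int]$resp.StatusCode))"
        $resp.Close()
    } catch {
        "CRL $u NOT reachable: $($_.Exception.Message)"
    }
}
```

LDAP-only CDPs (ldap:///...) are listed by the extension output but not probed, since they require port 389 to the DC, which in Mike's setup was deliberately closed.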