Furthermore the current implementation of wldap32 in Windows Server 2003
SP1 does not request that the certificate be verified.  This has been
changed in a QFE for Windows Server 2003 SP1 and will be addressed in
the next service pack for Windows Server 2003, SP2.  So you may see a
change in behavior going forward at least on the server platform.

Thanks,

-Steve


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Laura A.
Robinson
Sent: Wednesday, August 23, 2006 9:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -->
problem solved

Windows 2000 RTM, by default, does not perform CRL checking; XP and 2003
do.
However, there are behavior variances on an application-by-application
basis. For more information:
http://www.microsoft.com/technet/security/topics/cryptographyetc/tshtcrl.mspx#ES3AE

Laura
 

> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
> Sent: Wednesday, August 23, 2006 10:06 PM
> To: ActiveDir@mail.activedir.org
> Subject: Re: [ActiveDir] Secure LDAP queries from the outside
> --> problem solved
> 
> It actually depends on the policy defined for the SSL stack.  
> In Windows, this is typically configured globally for all SSL, 
> although I'm not sure where.  It definitely used to be the case in 
> Windows that CRLs were never checked, but I have seen some other SSL 
> stuff with HTTP actually checking the CRL on 2K3 servers.
> 
> It is also possible in SSPI with Schannel to ignore specific 
> conditions, so this could be something that is ignored in the default 
> LDAP SSL routine in Windows, but I doubt it.  The callback function 
> for server certificate verification will give you the error code if 
> there is a problem and the client can then deal with it as it sees 
> fit.
> 
> CRLs can definitely be trouble though.  They are by far the most 
> vexing thing to troubleshoot in SSL, and PKI in general.
> 
> Joe
> 
> ----- Original Message -----
> From: "Thommes, Michael M." <[EMAIL PROTECTED]>
> To: <ActiveDir@mail.activedir.org>
> Sent: Wednesday, August 23, 2006 8:37 PM
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside
> --> problem solved
> 
> 
> Hi joe,
>     The CRL location is *not* available from the outside.  
> And since neither adfind, ldp or Outlook Express seemed to care, I am 
> guessing that not many
> (any?) tools require it.  Kinda makes ya wonder why you would have it 
> if it's not used.  Sorta like not using the book of bad credit card 
> numbers when someone handed you a credit card!  (maybe some of you are 
> old enough to remember this safeguard before there were computers 
> everywhere!  LOL!).
> 
> Mike Thommes
> 
> ________________________________
> 
> From: [EMAIL PROTECTED] on behalf of joe
> Sent: Wed 8/23/2006 7:15 PM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside
> --> problem solved
> 
> 
> Cool, is the CRL available from the outside at all? I am really 
> curious if that is truly needed from the client when using LDAPS, it 
> doesn't seem to be needed but my testing has been far from perfect in 
> that regard.
> 
>   joe
> 
> --
> O'Reilly Active Directory Third Edition - 
> http://www.joeware.net/win/ad3e.htm
> 
> 
> 
> ________________________________
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, 
> Michael M.
> Sent: Wednesday, August 23, 2006 8:06 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside
> --> problem
> solved
> 
> 
> 
> Thanks to all who responded!  The problem was solved by installing our 
> local root CA cert on the "outside" computer since we are "rolling our 
> own" and not using one of the well known CAs (Trusted Root 
> Certification Authorities).
> 
> 
> 
> Mike Thommes
> 
> 
> 
> ________________________________
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, 
> Michael M.
> Sent: Tuesday, August 22, 2006 9:36 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside
> 
> 
> 
> Hi Robert,
> 
>     Yes, the command is *exactly* the same.  We are thinking that our 
> CRL location is not available outside of the firewall.  We generate 
> our own certificates; we don't use a "well known" provider.
> 
> 
> 
> Mike Thommes
> 
> 
> 
> ________________________________
> 
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Williams, 
> Robert
> Sent: Tuesday, August 22, 2006 9:16 AM
> To: ActiveDir@mail.activedir.org
> Subject: RE: [ActiveDir] Secure LDAP queries from the outside
> 
> 
> 
> Hey Mike,
> 
> 
> 
> When you say "It works fine behind our firewall", are you meaning that

> the *exact same* command line works and you get the object returned?
> 
> 
> 
> I tried using adfind to connect to my test DC using port 636 
> and got the 
> exact same error...but I don't have a cert installed on my DC 
> so I'd expect 
> mine not to work.
> 
> Robert Williams
> 
> ________________________________
> 
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of 
> Thommes, Michael M.
> Sent: Tuesday, August 22, 2006 6:19 AM
> To: ActiveDir@mail.activedir.org
> Subject: [ActiveDir] Secure LDAP queries from the outside
> 
> 
> 
> Hi,
> 
>    We are trying to set up secure LDAP queries from the 
> outside to AD for 
> pulling email addresses but are running into an issue.  Port 
> 636 has been 
> opened up to our DCs but we get a 0x51 error like the one 
> shown below in 
> this example of using "adfind":
> 
> 
> 
> adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up *  -default 
> -nodn -f 
> sn=thommes extensionAttribute2
> 
> 
> 
> AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
> 
> 
> 
> LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
> 
> Terminating program.
> 
> 
> 
> (extensionAttribute2 is used for email address)
> 
> 
> 
> Portqry shows that the DC is listening on port 636.  Using 
> "ldp", the bind 
> operation seems to want to default to port 389 (which is not open).
> 
> 
> 
> It works fine behind our firewall.  Is there some other port 
> that needs to 
> be open (besides 389)?  Or maybe some security feature (we 
> are running 
> w2k3/sp1 on our DCs) that is getting in the way?  Any help is 
> appreciated!
> 
> 
> 
> TIA,
> 
> Mike Thommes
> 
> 
> 
> 
> 
> 2006-08-22, 10:35:32
> The information contained in this e-mail message and any 
> attachments may be 
> privileged and confidential. If the reader of this message is not the 
> intended recipient or an agent responsible for delivering it 
> to the intended 
> recipient, you are hereby notified that any review, dissemination, 
> distribution or copying of this communication is strictly 
> prohibited. If you 
> have received this communication in error, please notify the sender 
> immediately by replying to this e-mail and delete the message and any 
> attachments from your computer.
> 
> List info   : http://www.activedir.org/List.aspx
> List FAQ    : http://www.activedir.org/ListFAQ.aspx
> List archive: http://www.activedir.org/ml/threads.aspx 

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
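The trust failures this thread walks through (an LDAPS bind that only reports 0x51 "Server Down", a private root CA the outside client does not trust, a CRL distribution point that is unreachable from outside the firewall) can be surfaced at the TLS layer directly, which is what the server-certificate callback Joe mentions gives you on Windows. The script below is an added example and is not code from the thread, from AdFind or from wldap32: it uses Python's standard-library ssl module (an OpenSSL-based stack rather than Schannel) on the client side, so the reported codes are OpenSSL's X.509 verify results; the function names, the sample certificate dictionary and the CA-file argument are assumptions.

```python
"""Diagnose why an LDAPS (port 636) handshake is rejected, instead of the
opaque 0x51 'Server Down' that an LDAP bind reports afterwards.

Added example, not code from the ActiveDir thread. Assumes the caller can
supply a PEM file holding the private root CA; helper names are hypothetical."""
import socket
import ssl
import sys

LDAPS_PORT = 636

# OpenSSL X.509 verification result codes (x509_vfy.h) behind the failures
# discussed in the thread, with what an operator should do about each.
VERIFY_CODE_HINTS = {
    2: "issuer certificate not available: server sent an incomplete chain",
    3: "CRL could not be obtained: distribution point unreachable or CRL "
       "not loaded into the local store",
    10: "server certificate has expired",
    18: "server presented an untrusted self-signed certificate",
    19: "self-signed root in chain is not trusted: install the private root "
        "CA on the client (the fix that worked in the thread)",
    20: "local issuer certificate not found: private root CA not installed "
        "on the client",
    21: "first certificate could not be verified against any trusted CA",
    62: "hostname does not match the certificate subject/SAN",
}

# Constructed sample shaped like SSLSocket.getpeercert() output; not a real DC.
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "dc1.abc.com"),),),
    "crlDistributionPoints": ("http://pki.example.invalid/rootca.crl",),
}


def diagnose_verify_code(code, message=""):
    """Map an OpenSSL verify code to a plain-language diagnosis."""
    hint = VERIFY_CODE_HINTS.get(code, message)
    return f"verification failed (code {code}): {hint}"


def make_context(ca_bundle_path=None, check_crl=False):
    """Build a verifying client context (chain + hostname checks on)."""
    ctx = ssl.create_default_context()
    if ca_bundle_path:
        ctx.load_verify_locations(cafile=ca_bundle_path)
    if check_crl:
        # OpenSSL does not fetch the CRL for you: the CRL PEM must also be
        # loaded via load_verify_locations, otherwise code 3 is returned.
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx


def crl_distribution_points(peercert):
    """Return the CRL DP URLs from a getpeercert() dict so an operator can
    test whether an outside client can actually reach them."""
    return list(peercert.get("crlDistributionPoints", ()))


def probe(host, port=LDAPS_PORT, ca_bundle_path=None, check_crl=False, timeout=5.0):
    """Attempt a TLS handshake to host:port; return a dict with the outcome."""
    ctx = make_context(ca_bundle_path, check_crl)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "subject": cert.get("subject"),
                        "crl_distribution_points": crl_distribution_points(cert)}
    except ssl.SSLCertVerificationError as exc:
        # The verify code is the same information the Windows callback hands
        # the client; here it is turned into an actionable message.
        return {"ok": False,
                "reason": diagnose_verify_code(exc.verify_code, exc.verify_message)}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "reason": f"connection/TLS failure: {exc}"}


if __name__ == "__main__":
    # usage: python ldaps_probe.py dc1.abc.com [private-root-ca.pem]
    target = sys.argv[1]
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    print(probe(target, ca_bundle_path=bundle))
```

Run it once from inside the firewall and once from outside with the same CA file: a code 20 or 19 from outside means the root CA is missing on that client, while a code 3 with CRL checking enabled means the distribution point is the thing the firewall is hiding.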