Not sure on if it will be configurable I just happened to run across it on something else I was working on and saw the change request. I would imagine that it will not be configurable as the intended behavior was to check the CRL especially since sensitive operations such as password resets are generally going over LDAPS. However someone who is beta testing Windows Server 2003 SP2 as a customer could verify that the change occurred and then provide feedback if it was undesirable.
Thanks, -Steve -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe Sent: Wednesday, August 23, 2006 10:38 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved Oh this could catch some folks by surprise... Out of curiosity, is it implemented with a "turn on this reg key to enable this" or will it just occur? I prefer it be something admins turn on, otherwise it will catch people by surprise like the SP1 Service Control Manager ACL. And if it there isn't a reg entry to turn it on, can we have a reg entry to turn it off or do we wait until SP3? :) joe -- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan Sent: Wednesday, August 23, 2006 10:37 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved Furthermore the current implementation of wldap32 in Windows Server 2003 SP1 does not request that the certificate be verified. This has been changed in a QFE for Windows Server 2003 SP1 and will be addressed in the next service pack for Windows Server 2003, SP2. So you may see a change in behavior going forward at least on the server platform. Thanks, -Steve -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson Sent: Wednesday, August 23, 2006 9:27 PM To: ActiveDir@mail.activedir.org Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved Windows 2000 RTM, by default, does not perform CRL checking; XP and 2003 do. However, there are behavior variances on an application-by-application basis. For more information: http://www.microsoft.com/technet/security/topics/cryptographyetc/tshtcrl .msp x#ES3AE Laura > -----Original Message----- > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan > Sent: Wednesday, August 23, 2006 10:06 PM > To: ActiveDir@mail.activedir.org > Subject: Re: [ActiveDir] Secure LDAP queries from the outside > --> problem solved > > It actually depends on the policy defined for the SSL stack. > In Windows, this is typically configured globally for all SSL, > although I'm not sure where. It definiitely used to be the case that > Windows that CRLs were never checked, but I have seen some other SSL > stuff with HTTP actually checking the CRL on 2K3 servers. > > It is also possible in SSPI with Schannel to ignore specific > conditions, so this could be something that is ignored in the default > LDAP SSL routine in Windows, but I doubt it. The callback function > for server certificate verification will give you the error code if > there is a problem and the client can then deal with it as it sees > fit. > > CRLs can definitely be trouble though. They are by far the most > vexing thing to troubleshoot in SSL, and PKI in general. > > Joe > > ----- Original Message ----- > From: "Thommes, Michael M." <[EMAIL PROTECTED]> > To: <ActiveDir@mail.activedir.org> > Sent: Wednesday, August 23, 2006 8:37 PM > Subject: RE: [ActiveDir] Secure LDAP queries from the outside > --> problem solved > > > Hi joe, > The CRL location is *not* available from the outside. > And since neither adfind, ldp or Outlook Express seemed to care, I am > guessing that not many > (any?) tools require it. Kinda makes ya wonder why you would have it > if it's not used. Sorta like not using the book of bad credit card > numbers when someone handed you a credit card! (maybe some of you are > old enough to remember this safeguard before there were computers > everywhere! LOL!). > > Mike Thommes > > ________________________________ > > From: [EMAIL PROTECTED] on behalf of joe > Sent: Wed 8/23/2006 7:15 PM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Secure LDAP queries from the outside > --> problem solved > > > Cool, is the CRL available from the outside at all? I am really > curious if that is truly needed from the client when using LDAPS, it > doesn't seem to be needed but my testing has been far from perfect in > that regard. > > joe > > -- > O'Reilly Active Directory Third Edition - > http://www.joeware.net/win/ad3e.htm > > > > ________________________________ > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, > Michael M. > Sent: Wednesday, August 23, 2006 8:06 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Secure LDAP queries from the outside > --> problem > solved > > > > Thanks to all who responded! The problem was solved by installing our > local root CA cert on the "outside" computer since we are "rolling our > own" and not using one of the well known CAs (Trusted Root > Certification Authorities). > > > > Mike Thommes > > > > ________________________________ > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, > Michael M. > Sent: Tuesday, August 22, 2006 9:36 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Secure LDAP queries from the outside > > > > Hi Robert, > > Yes, the command is *exactly* the same. We are thinking that our > CRL location is not available outside of the firewall. We generate > our own certificates; we don't use a "well known" provider. > > > > Mike Thommes > > > > ________________________________ > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Williams, > Robert > Sent: Tuesday, August 22, 2006 9:16 AM > To: ActiveDir@mail.activedir.org > Subject: RE: [ActiveDir] Secure LDAP queries from the outside > > > > Hey Mike, > > > > When you say "It works fine behind our firewall", are you meaning that > the *exact same* command line works and you get the object returned? > > > > I tried using adfind to connect to my test DC using port 636 and got > the exact same error...but I don't have a cert installed on my DC so > I'd expect mine not to work. > > Robert Williams > > ________________________________ > > From: [EMAIL PROTECTED] > [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, > Michael M. > Sent: Tuesday, August 22, 2006 6:19 AM > To: ActiveDir@mail.activedir.org > Subject: [ActiveDir] Secure LDAP queries from the outside > > > > Hi, > > We are trying to set up secure LDAP queries from the outside to AD > for pulling email addresses but are running into an issue. Port > 636 has been > opened up to our DCs but we get a 0x51 error like the one shown below > in this example of using "adfind": > > > > adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f > sn=thommes extensionAttribute2 > > > > AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005 > > > > LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down > > Terminating program. > > > > (extensionAttribute2 is used for email address) > > > > Portqry shows that the DC is listening on port 636. Using > "ldp", the bind > operation seems to want to default to port 389 (which is not open). > > > > It works fine behind our firewall. Is there some other port > that needs to > be open (besides 389)? Or maybe some security feature (we > are running > w2k3/sp1 on our DCs) that is getting in the way? Any help is > appreciated! > > > > TIA, > > Mike Thommes > > > > > > 2006-08-22, 10:35:32 > The information contained in this e-mail message and any > attachments may be > privileged and confidential. If the reader of this message is not the > intended recipient or an agent responsible for delivering it > to the intended > recipient, you are hereby notified that any review, dissemination, > distribution or copying of this communication is strictly > prohibited. If you > have received this communication in error, please notify the sender > immediately by replying to this e-mail and delete the message and any > attachments from your computer. > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.activedir.org/ml/threads.aspx > > List info : http://www.activedir.org/List.aspx > List FAQ : http://www.activedir.org/ListFAQ.aspx > List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.activedir.org/ml/threads.aspx
