RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved

I hope this will be configurable, if not in the GUI then through a registry key which is published in the MSKB.

Andrew Fidel

Steve Linehan [EMAIL PROTECTED]
Sent by: [EMAIL PROTECTED]
08/23/2006 10:37 PM
Please respond to ActiveDir@mail.activedir.org
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved
RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved

Thanks Steve.

joe

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Thursday, August 24, 2006 12:10 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved

Not sure if it will be configurable; I just happened to run across it on something else I was working on and saw the change request. I would imagine that it will not be configurable, as the intended behavior was to check the CRL, especially since sensitive operations such as password resets are generally going over LDAPS. However, someone who is beta testing Windows Server 2003 SP2 as a customer could verify that the change occurred and then provide feedback if it was undesirable.

Thanks,
-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 23, 2006 10:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved
RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved

Thanks to all who responded! The problem was solved by installing our local root CA cert on the outside computer, since we are rolling our own and not using one of the well known CAs (Trusted Root Certification Authorities).

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Hi Robert,

Yes, the command is *exactly* the same. We are thinking that our CRL location is not available outside of the firewall. We generate our own certificates; we don't use a well known provider.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Tuesday, August 22, 2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Hey Mike,

When you say "It works fine behind our firewall", are you meaning that the *exact same* command line works and you get the object returned? I tried using adfind to connect to my test DC using port 636 and got the exact same error... but I don't have a cert installed on my DC, so I'd expect mine not to work.

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure LDAP queries from the outside

Hi,

We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue. Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using adfind:

    adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2

    AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

    LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
    Terminating program.

(extensionAttribute2 is used for email address)

Portqry shows that the DC is listening on port 636. Using ldp, the bind operation seems to want to default to port 389 (which is not open). It works fine behind our firewall. Is there some other port that needs to be open (besides 389)? Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way? Any help is appreciated!

TIA,
Mike Thommes

2006-08-22, 10:35:32

The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.
RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved

Cool, is the CRL available from the outside at all? I am really curious if that is truly needed from the client when using LDAPS; it doesn't seem to be needed, but my testing has been far from perfect in that regard.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, August 23, 2006 8:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved
RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved

Hi joe,

The CRL location is *not* available from the outside. And since neither adfind, ldp nor Outlook Express seemed to care, I am guessing that not many (any?) tools require it. Kinda makes ya wonder why you would have it if it's not used. Sorta like not using the book of bad credit card numbers when someone handed you a credit card! (Maybe some of you are old enough to remember this safeguard before there were computers everywhere! LOL!)

Mike Thommes

From: [EMAIL PROTECTED] on behalf of joe
Sent: Wed 8/23/2006 7:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
Re: [ActiveDir] Secure LDAP queries from the outside -- problem solved

It actually depends on the policy defined for the SSL stack. In Windows, this is typically configured globally for all SSL, although I'm not sure where. It definitely used to be the case in Windows that CRLs were never checked, but I have seen some other SSL stuff with HTTP actually checking the CRL on 2K3 servers. It is also possible in SSPI with Schannel to ignore specific conditions, so this could be something that is ignored in the default LDAP SSL routine in Windows, but I doubt it.

The callback function for server certificate verification will give you the error code if there is a problem, and the client can then deal with it as it sees fit. CRLs can definitely be trouble though. They are by far the most vexing thing to troubleshoot in SSL, and PKI in general.

Joe

----- Original Message -----
From: Thommes, Michael M. [EMAIL PROTECTED]
To: ActiveDir@mail.activedir.org
Sent: Wednesday, August 23, 2006 8:37 PM
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved
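A client-side diagnostic for the two things this thread circles around (the adfind 0x51 "Server Down" that was really an untrusted private root CA, and whether a CRL distribution point is reachable from outside), written here as an added Python example; it is not code from any post in the thread. It performs only the TLS handshake to the LDAPS port, translates OpenSSL's verification error into a plain cause (the equivalent of the error code Joe describes the certificate callback handing back), lets the caller opt into CRL checking as a client policy, and probes the certificate's CRL distribution points. The host name dc1.abc.com comes from Mike's original post; the cause table and the inputs in offline_demo() are constructed.

```python
"""Client-side diagnosis of an LDAPS (TCP 636) trust failure.

A bare "Error 0x51 (81) - Server Down" from an LDAP client hides *why* the TLS
handshake failed. This script does only the handshake, names the cause and
reports whether the certificate's CRL distribution points are reachable from
the network the client is on. Added example, not code from the thread.
"""
import socket
import ssl
import urllib.request

# Constructed table: OpenSSL verify message fragment (lower-case) -> plain cause.
VERIFY_CAUSES = {
    "unable to get local issuer certificate": "root CA not trusted on this client; import the private root CA",
    "self signed certificate in certificate chain": "root CA not trusted on this client; import the private root CA",
    "unable to get certificate crl": "CRL check is on but no CRL for the issuer is available to this client",
    "certificate has expired": "server certificate has expired",
    "hostname mismatch": "certificate subject/SAN does not match the host name the client used",
}

def classify_verify_error(exc):
    """Map an ssl.SSLCertVerificationError (or its message text) to a cause."""
    message = getattr(exc, "verify_message", None) or str(exc)
    lowered = message.lower()
    for fragment, cause in VERIFY_CAUSES.items():
        if fragment in lowered:
            return cause
    return "certificate verification failed: " + message

def build_context(cafile=None, check_crl=False):
    """Client TLS policy: which roots to trust and whether to insist on a CRL.

    cafile=None trusts the platform store; pass the exported private root CA to
    test exactly what an outside machine trusts. Unlike CryptoAPI, OpenSSL only
    uses CRLs already loaded into the context (load_verify_locations); it does
    not fetch them from the distribution point, so check_crl fails closed.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    if check_crl:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF
    return ctx

def crl_check_enabled(ctx):
    return bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF)

def handshake_report(host, port=636, cafile=None, check_crl=False, timeout=5.0):
    """TLS handshake only (no LDAP bind); returns a dict describing the outcome."""
    ctx = build_context(cafile, check_crl)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
        return {"ok": True, "cause": None,
                "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
                "crl_points": list(cert.get("crlDistributionPoints", ()))}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "cause": classify_verify_error(exc), "crl_points": []}
    except (ssl.SSLError, OSError) as exc:
        # Refused/reset/timeout: the port really is closed or filtered, which is
        # the only case where "Server Down" is an honest description.
        return {"ok": False, "cause": "transport failure: %s" % exc, "crl_points": []}

def http_fetch(url, timeout=5.0):
    """Fetch a CRL distribution point; returns the HTTP status, raises on failure."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.status

def crl_reachability(urls, fetch=http_fetch):
    """Per distribution point: reachable, unreachable, or not testable over HTTP."""
    results = {}
    for url in urls:
        if not url.lower().startswith(("http://", "https://")):
            results[url] = "skipped (non-HTTP distribution point)"
            continue
        try:
            results[url] = "reachable (HTTP %d)" % fetch(url)
        except Exception as exc:  # URLError, timeout, connection reset, ...
            results[url] = "unreachable: %s" % exc
    return results

def offline_demo():
    """Constructed inputs: an internal-only CDP (Mike's case), a public one, an LDAP one."""
    def fake_fetch(url, timeout=5.0):
        if ".internal." in url:
            raise OSError("No route to host")
        return 200
    return crl_reachability(["http://pki.internal.example/root.crl",
                             "http://pki.example.com/root.crl",
                             "ldap:///CN=Root%20CA,CN=CDP,CN=Public%20Key%20Services"],
                            fetch=fake_fetch)

if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "dc1.abc.com"  # host name from the thread
    cafile = sys.argv[2] if len(sys.argv) > 2 else None        # exported private root CA (PEM)
    report = handshake_report(host, cafile=cafile)
    print(report)
    for url, state in crl_reachability(report["crl_points"]).items():
        print(url, "->", state)
```

Run it from the outside network with and without the exported root CA to see the difference between a trust failure and a genuinely filtered port; the CRL probe only runs when the handshake itself succeeded, since the parsed certificate is available only then.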
RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved

Windows 2000 RTM, by default, does not perform CRL checking; XP and 2003 do. However, there are behavior variances on an application-by-application basis. For more information: http://www.microsoft.com/technet/security/topics/cryptographyetc/tshtcrl.mspx#ES3AE

Laura

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Joe Kaplan
Sent: Wednesday, August 23, 2006 10:06 PM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Secure LDAP queries from the outside -- problem solved
RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved

Furthermore, the current implementation of wldap32 in Windows Server 2003 SP1 does not request that the certificate be verified. This has been changed in a QFE for Windows Server 2003 SP1 and will be addressed in the next service pack for Windows Server 2003, SP2. So you may see a change in behavior going forward, at least on the server platform.

Thanks,
-Steve

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Laura A. Robinson
Sent: Wednesday, August 23, 2006 9:27 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved
RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved
Oh this could catch some folks by surprise... Out of curiosity, is it implemented with a "turn on this reg key" to enable this or will it just occur? I prefer it be something admins turn on, otherwise it will catch people by surprise like the SP1 Service Control Manager ACL. And if there isn't a reg entry to turn it on, can we have a reg entry to turn it off or do we wait until SP3? :)

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Linehan
Sent: Wednesday, August 23, 2006 10:37 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved
RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved
Not sure if it will be configurable. I just happened to run across it on something else I was working on and saw the change request. I would imagine that it will not be configurable, as the intended behavior was to check the CRL, especially since sensitive operations such as password resets are generally going over LDAPS. However, someone who is beta testing Windows Server 2003 SP2 as a customer could verify that the change occurred and then provide feedback if it was undesirable.

Thanks,

-Steve

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe
Sent: Wednesday, August 23, 2006 10:38 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside -- problem solved
[ActiveDir] Secure LDAP queries from the outside
Hi,

We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue. Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using "adfind":

adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
Terminating program.

(extensionAttribute2 is used for email address)

Portqry shows that the DC is listening on port 636. Using ldp, the bind operation seems to want to default to port 389 (which is not open). It works fine behind our firewall. Is there some other port that needs to be open (besides 389)? Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way? Any help is appreciated!

TIA,
Mike Thommes
Re: [ActiveDir] Secure LDAP queries from the outside
Check the firewall rules to ensure they are correct. Are the packets even getting to the DC? Personally I doubt it.

M@

On 8/22/06, Thommes, Michael M. [EMAIL PROTECTED] wrote:

List info : http://www.activedir.org/List.aspx
List FAQ: http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
RE: [ActiveDir] Secure LDAP queries from the outside
Hey Mike,

When you say "It works fine behind our firewall", are you meaning that the *exact same* command line works and you get the object returned? I tried using adfind to connect to my test DC using port 636 and got the exact same error...but I don't have a cert installed on my DC so I'd expect mine not to work.

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure LDAP queries from the outside

2006-08-22, 10:35:32
The information contained in this e-mail message and any attachments may be privileged and confidential. If the reader of this message is not the intended recipient or an agent responsible for delivering it to the intended recipient, you are hereby notified that any review, dissemination, distribution or copying of this communication is strictly prohibited. If you have received this communication in error, please notify the sender immediately by replying to this e-mail and delete the message and any attachments from your computer.
Re: [ActiveDir] Secure LDAP queries from the outside
Thommes, Michael M. wrote:
Hi, We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue. Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using "adfind":

Listening to the network traffic should give you an answer to this question. Do you have the root CA certificate installed on this machine? Maybe there is a problem with validating the DC's CA. Have you tried to connect to this DC with LDP.EXE? I'm not saying that joe's adfind is worse, but maybe you will get some more error messages. But I think your first approach should be to capture the traffic and check it.

--
Tomasz Onyszko
http://www.w2k.pl/blog/ - (PL)
http://blogs.dirteam.com/blogs/tomek/ - (EN)
RE: [ActiveDir] Secure LDAP queries from the outside
Hi Robert,

Yes, the command is *exactly* the same. We are thinking that our CRL location is not available outside of the firewall. We generate our own certificates; we don't use a well known provider.

Mike Thommes

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Tuesday, August 22, 2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside
RE: [ActiveDir] Secure LDAP queries from the outside
Mike,

I've been thinking of this answer for a bit but had to research more to get the info I needed. I wish my knowledge of Certificates was better, but it would seem there is a way to have the client log something somewhere saying it can't get to the CRL... maybe one of the smart folks will speak up.

If your external client can't get to the CRL, you could possibly bring the CRL to the external client... Maybe you could publish the CRL to an alternate location which the client can get to? If that's not possible, which makes sense, maybe you can set up your CA to publish the CRL to another location and then take that CRL and copy it to the location on the client where the CRL is cached. This is the information I've been hunting for the past 20 minutes or so... I think you can read about it here:

http://www.microsoft.com/technet/prodtechnol/winxppro/support/tshtcrl.mspx

SNIP

Certificates are cached when CryptoAPI retrieves them from a certificate store or a URL. The cache location varies depending on the source where a certificate or a CRL was retrieved. A certificate or a CRL can exist in one or several of the following locations.

Memory: All valid certificates and CRLs that have been touched by the chain-building engine since the last reboot are cached in memory.

Certificate Store: All certificates that are not treated as root CA certificates and that have been retrieved from an HTTP, LDAP or FILE URL reference via the AIA certificate extension are cached in the certificate store if the certificates are found to be part of a valid chain by CryptoAPI. Root CA certificates are not automatically cached and must be added explicitly by the interactive user to the corresponding certificate store.

Local File System: When a certificate or CRL is retrieved via LDAP or HTTP by a Windows 2000 client with MS04-11, Windows XP SP2 client, or Windows Server 2003 client, it is cached by CAPI in the Application Data folder. The per-user cache location is C:\Documents and Settings\{user name}\Application Data\Microsoft\CryptnetUrlCache and the per-machine cache location is %WINDIR%\System32\config\SystemProfile\Application Data\Microsoft\CryptnetUrlCache. Windows 2000 with MS04-11, Windows XP, and Windows Server 2003 handle caching for HTTP, LDAP, or FILE URL references exclusively with CAPI. Earlier versions of CryptoAPI used WinInet instead of CAPI for this purpose.

Note: On computers where the Windows Server 2003 version of certutil is available, cached CRLs can be listed by typing "Certutil -urlcache CRL" at a command-line prompt. This command is also available on Windows XP computers that have the Windows Server 2003 Administration Pack installed.

/SNIP

The following link may help too. It talks about an offline CA... which for all apparent purposes, from the perspective of your client, the CA would seem to be offline:

http://technet2.microsoft.com/WindowsServer/en/library/45c28bf8-9952-4ca1-b124-7d86afb83f691033.mspx?mfr=true

Thanks for the question... I like the learning! Have a great day!

Robert Williams

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside
RE: [ActiveDir] Secure LDAP queries from the outside
I hate troubleshooting SSL but here it goes...

First, have you installed the Cert Chain on the machine you are querying AD from?

Second, is the DNS name of the DC you are querying exactly what is in the DC's cert?

I don't think you need anything open other than 636. The way the MSFT LDAP API works, if you specify 636 it will attempt an SSL connection even if not explicitly specified; however, try adding the -ssl switch to adfind.

The main thing you want to do is get a trace and see where it is failing at. The sequence will be something like

Client -> Server  TCP    LDAPS  SYN
Server -> Client  TCP    LDAPS  SYN, ACK
Client -> Server  TCP    LDAPS  ACK
Client -> Server  SSLV2  LDAPS  Client Hello
Server -> Client  TCP    LDAPS  one or more packets in response
Client -> Server  TCP    LDAPS  ACK
Server -> Client  TCP    LDAPS  one or more packets
Server -> Client  TLS    LDAPS  Server Hello, Certificate, Certificate Request, Server Hello Done
Client -> Server  TCP    LDAPS  ACK
Client -> Server  TLS    LDAPS  Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
Server -> Client  TLS    LDAPS  Change Cipher Spec, Encrypted Handshake Message

...then you will see TLS Application Data packets...

Now if you don't have the DNS hostname right or don't have the Cert chain on the local machine you will see (or at least I always recall seeing) something like

Client -> Server  TCP    LDAPS  SYN
Server -> Client  TCP    LDAPS  SYN, ACK
Client -> Server  TCP    LDAPS  ACK
Client -> Server  SSLV2  LDAPS  Client Hello
Server -> Client  TCP    LDAPS  one or more packets in response
Client -> Server  TCP    LDAPS  ACK
Server -> Client  TCP    LDAPS  one or more packets
Server -> Client  TLS    LDAPS  Server Hello, Certificate, Certificate Request, Server Hello Done
Client -> Server  TCP    LDAPS  ACK
Client -> Server  TCP    LDAPS  RST, ACK

I could easily be wrong as I am not a SSL kind of guy but I am not positive if the CRL is required for this communication. I know I have seen this work without a current or in fact any CRL from the authority on the client side.

joe

--
O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 7:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure LDAP queries from the outside
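The two trace shapes joe describes above (handshake completing versus the client resetting right after the server's Certificate message), plus the "packets never reach the DC" case M@ raises, can be told apart mechanically. The following is an added example, not code from the thread or from any of the tools it mentions: the line format is a constructed approximation of a sniffer summary ("src -> dst proto LDAPS info"), the three sample traces are constructed to match the sequences in the message, and the classifier only reads what the trace shows, so it cannot say which of chain, hostname or revocation the client objected to.

```python
"""Classify a packet-summary trace of an LDAPS (TCP/636) connection attempt.

Added example, not code from the thread.  The line format is a constructed
approximation of a sniffer summary ("src -> dst  proto  LDAPS  info"); the
three sample traces are constructed to match the sequences joe describes
plus a firewall-drop case.
"""
import re

# Constructed: full handshake, then application data.
GOOD_TRACE = """\
Client -> Server TCP LDAPS SYN
Server -> Client TCP LDAPS SYN, ACK
Client -> Server TCP LDAPS ACK
Client -> Server SSLV2 LDAPS Client Hello
Server -> Client TLS LDAPS Server Hello, Certificate, Certificate Request, Server Hello Done
Client -> Server TCP LDAPS ACK
Client -> Server TLS LDAPS Certificate, Client Key Exchange, Change Cipher Spec, Encrypted Handshake Message
Server -> Client TLS LDAPS Change Cipher Spec, Encrypted Handshake Message
Client -> Server TLS LDAPS Application Data
"""

# Constructed: client tears the connection down right after seeing the server
# certificate.  Untrusted chain, name mismatch or a failed revocation check all
# look like this on the wire; only the client's own error says which.
REJECTED_TRACE = """\
Client -> Server TCP LDAPS SYN
Server -> Client TCP LDAPS SYN, ACK
Client -> Server TCP LDAPS ACK
Client -> Server SSLV2 LDAPS Client Hello
Server -> Client TLS LDAPS Server Hello, Certificate, Certificate Request, Server Hello Done
Client -> Server TCP LDAPS ACK
Client -> Server TCP LDAPS RST, ACK
"""

# Constructed: the SYN is dropped upstream, the client retransmits, no SYN/ACK.
BLOCKED_TRACE = """\
Client -> Server TCP LDAPS SYN
Client -> Server TCP LDAPS SYN
Client -> Server TCP LDAPS SYN
"""

LINE_RE = re.compile(r"^(Client|Server) -> (?:Client|Server)\s+(\S+)\s+LDAPS\s+(.*)$")

EXPLANATION = {
    "no-tcp": "no SYN/ACK: port 636 is not reaching the DC (firewall/routing)",
    "no-server-hello": "TCP is up but the server never sent its certificate",
    "client-rejected-cert": "client reset after the Certificate message: "
                            "trust chain, hostname or revocation check failed on the client",
    "handshake-ok": "TLS completed; any remaining error is an LDAP bind/query problem",
    "incomplete": "trace ends mid-handshake; capture longer or check for timeouts",
}


def parse_trace(text):
    """Return (src, proto, info) tuples for lines matching LINE_RE; other lines are ignored."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((m.group(1), m.group(2), m.group(3)))
    return events


def classify(events):
    """Map a parsed trace to one of the EXPLANATION keys."""
    def seen(src, proto=None, token=None):
        return any(s == src and (proto is None or p == proto) and (token is None or token in i)
                   for s, p, i in events)

    if not seen("Server", "TCP", "SYN"):          # no SYN/ACK ever came back
        return "no-tcp"
    if not seen("Server", "TLS", "Certificate"):  # server never got to its hello
        return "no-server-hello"
    if seen("Client", "TLS", "Client Key Exchange") and seen("Client", "TLS", "Application Data"):
        return "handshake-ok"
    if seen("Client", "TCP", "RST"):              # client bailed after the cert
        return "client-rejected-cert"
    return "incomplete"


def diagnose_trace(text):
    """Classification plus the human-readable explanation."""
    verdict = classify(parse_trace(text))
    return verdict, EXPLANATION[verdict]


if __name__ == "__main__":
    for name, trace in (("good", GOOD_TRACE), ("rejected", REJECTED_TRACE), ("blocked", BLOCKED_TRACE)):
        print(name, "->", diagnose_trace(trace))
```

The verdicts map onto the thread's hypotheses: "no-tcp" is M@'s firewall case, "client-rejected-cert" is joe's chain/hostname case (and, after the SP2 change Steve mentions, a CRL that cannot be fetched would land here too), and a completed handshake means the 0x51 has some other cause.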
RE: [ActiveDir] Secure LDAP queries from the outside
Are you publishing a CRL? If so then it must use the path to the CRL that's specified in the certificate or it bombs out (latency to the hosting CRL server will kill it too.. forgot the exact value). Why do you need CRL checking on your DC's? Doesn't that make you question who is on your DC's that would make you revoke a cert among other things? I would modify the template (if you're using an Enterprise CA) and reissue the certs without a CRL and make sure the clients have the public key to your Root CA in their trusted root store. Something to ponder.

-Brandon

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 10:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside
Re: [ActiveDir] Secure LDAP queries from the outside
You cannot remove a CDP extension from a specific template - it is configured for all certs issued from the issuing CA. If he plans to have clients from outside his network access the DC's over LDAPS - he should reconfigure the CA to include a CDP which is available outside of his network.

my .02

steve

- Original Message -
From: Bernier, Brandon (.)
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 22, 2006 9:14 AM
Subject: RE: [ActiveDir] Secure LDAP queries from the outside
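Mike's guess that the CRL location is not reachable from outside, Brandon's point that the client must use exactly the CDP path in the certificate, and steve's fix of publishing a CDP that is reachable externally all come down to two things an outside client checks: the name it connected to must be in the DC's certificate, and at least one CRL distribution point must be somewhere it can get to. The following is an added example, not code from the thread or from Microsoft: SAMPLE_PEER_CERT is a constructed dictionary in the shape Python's ssl.SSLSocket.getpeercert() returns (the CA and host names in it are invented), public_suffixes is an operator-supplied assumption about which DNS suffixes resolve and route from the Internet, and fetch_peer_cert is the live check that would feed a real certificate into the same analysis.

```python
"""Check whether a DC's LDAPS certificate is usable by a client outside the firewall.

Added example, not from the thread.  SAMPLE_PEER_CERT is constructed in the
shape ssl.SSLSocket.getpeercert() returns; every name in it is invented.
`public_suffixes` is an operator-supplied assumption: DNS suffixes known to
resolve and route from the Internet.
"""
import socket
import ssl
from urllib.parse import urlparse

SAMPLE_PEER_CERT = {
    "subject": ((("commonName", "dc1.abc.com"),),),
    "issuer": ((("commonName", "ABC Internal Issuing CA"),),),
    "subjectAltName": (("DNS", "dc1.abc.com"), ("DNS", "abc.com")),
    # Typical enterprise-CA CDP list: an AD (ldap:///) location first, then an
    # HTTP location on an internal-only host.  Constructed values.
    "crlDistributionPoints": (
        "ldap:///CN=ABC%20Internal%20Issuing%20CA,CN=CDP,CN=Public%20Key%20Services,"
        "CN=Services,CN=Configuration,DC=abc,DC=com?certificateRevocationList?base"
        "?objectClass=cRLDistributionPoint",
        "http://ca1.abc.internal/CertEnroll/ABC%20Internal%20Issuing%20CA.crl",
    ),
    "notAfter": "Aug 22 12:00:00 2007 GMT",
}


def hostname_matches(cert, hostname):
    """The name the client connected with must be a DNS SAN (or the CN when the
    cert carries no SAN): joe's 'is the DNS name exactly what is in the cert'."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        names = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    return hostname.lower() in (n.lower() for n in names)


def cdp_reachability(cert, public_suffixes):
    """Classify every CRL distribution point as reachable from outside or not.
    Returns a list of (url, reachable, reason)."""
    results = []
    for url in cert.get("crlDistributionPoints", ()):
        parsed = urlparse(url)
        if parsed.scheme == "ldap" and not parsed.netloc:
            # ldap:/// means "any DC of this forest"; only a domain-joined
            # client on the inside can resolve and bind to it.
            results.append((url, False, "ldap:/// CDP needs AD access"))
        elif parsed.scheme in ("http", "https", "ldap"):
            host = parsed.hostname or ""
            public = any(host == s or host.endswith("." + s) for s in public_suffixes)
            results.append((url, public, "host %s %s public" % (host, "is" if public else "is not")))
        else:
            results.append((url, False, "unsupported scheme %r" % parsed.scheme))
    return results


def diagnose_cert(cert, hostname, public_suffixes):
    """Return the findings an external client would trip over; empty if none."""
    findings = []
    if not hostname_matches(cert, hostname):
        findings.append("hostname %s not in certificate names" % hostname)
    reach = cdp_reachability(cert, public_suffixes)
    if reach and not any(ok for _, ok, _ in reach):
        findings.append("no CRL distribution point reachable from outside: "
                        + "; ".join(reason for _, _, reason in reach))
    return findings


def fetch_peer_cert(host, port=636, cafile=None, timeout=5.0):
    """Live check (not exercised offline): TLS-connect to the LDAPS listener,
    validate the chain against `cafile` (the exported internal root CA) and
    the hostname, and return the peer certificate dict for diagnose_cert().
    A chain or name failure raises ssl.SSLCertVerificationError here, which
    the adfind run in this thread only surfaced as 0x51 Server Down."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for finding in diagnose_cert(SAMPLE_PEER_CERT, "dc1.abc.com", ["abc.com"]):
        print("finding:", finding)
```

Run against the constructed certificate with only abc.com treated as public, the name check passes but both CDPs are flagged, which is Mike's situation: a client that does not check revocation (Windows Server 2003 SP1 wldap32, per Steve) connects once the root CA is installed, while a client that does would fail until a CDP on a public host is added, as steve suggests. Adding the internal suffix to public_suffixes (i.e. exposing the HTTP CDP host) clears the finding.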
Re: [ActiveDir] Secure LDAP queries from the outside
This might be already tried, but did you try running pkiview.msc from the machine? This checks the availability of the CRL from the current client against the CRL locations of http and/or AD. I had an issue a while back when trying to read an http-based CRL, that it could not connect due to an issue in the internal PAC script, which was not directing the client correctly.

Jef

- Original Message -
From: steve patrick
To: ActiveDir@mail.activedir.org
Sent: Tuesday, August 22, 2006 11:53 AM
Subject: Re: [ActiveDir] Secure LDAP queries from the outside

You cannot remove a CDP extension from a specific template - it is configured for all certs issued from the issuing CA. If he plans to have clients from outside his network access the DCs over LDAPS - he should reconfigure the CA to include a CDP which is available outside of his network.

my .02

steve
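Steve's point (the CA must publish a CDP that is reachable from outside the network) and Jef's (check CRL availability from the client's own vantage point, as pkiview.msc does) can both be checked from any client with the script below. It is an added example written for this page, not code from the thread, from AdFind, from pkiview.msc or from any CA: the DER walker is a minimal hand-written parser with no third-party modules, the sample extension is constructed (the CA name, hostnames and URLs are invented), and fetch_dc_certificate is an assumed helper that pulls a DC's LDAPS certificate without validating it, so the CDP can be read even when validation is exactly what is failing.

```python
"""Added example for this thread (not AdFind, pkiview.msc or any CA's code): read the CRL
Distribution Points (CDPs) out of a DC's LDAPS certificate and flag those an external client
cannot reach, which is the condition behind the LDAP 0x51 "Server Down" bind failure."""
import socket
import ssl
import sys
from urllib.parse import urlparse

OID_CRL_DISTRIBUTION_POINTS = bytes.fromhex("551d1f")  # id-ce-cRLDistributionPoints, 2.5.29.31


def _read_tlv(buf, pos):
    """Decode one DER tag/length/value at buf[pos]; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                      # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _iter_tlvs(buf):
    pos = 0
    while pos < len(buf):
        tag, value, pos = _read_tlv(buf, pos)
        yield tag, value


def _collect_uris(buf):
    """Walk a CRLDistributionPoints value and return every [6] uniformResourceIdentifier."""
    uris = []
    for tag, value in _iter_tlvs(buf):
        if tag == 0x86:                    # context tag 6, primitive: IA5String URI
            uris.append(value.decode("ascii"))
        elif tag & 0x20:                   # constructed node (SEQUENCE, [0], ...): descend
            uris.extend(_collect_uris(value))
    return uris


def extract_cdp_urls(der):
    """Return the CDP URLs from a DER certificate (or any DER node containing the extension)."""
    found = []
    for tag, value in _iter_tlvs(der):
        if tag == 0x30:                    # Extension ::= SEQUENCE { OID, [critical], OCTET STRING }
            children = list(_iter_tlvs(value))
            if children and children[0] == (0x06, OID_CRL_DISTRIBUTION_POINTS):
                found.extend(_collect_uris(children[-1][1]))
                continue
        if tag & 0x20:
            found.extend(extract_cdp_urls(value))
    return found


def classify_cdp(url, internal_suffixes=()):
    """Judge a CDP URL from outside the forest: ldap:/// CDPs live in the AD configuration
    partition and are never reachable; http CDPs need a name that resolves and routes outside."""
    parsed = urlparse(url)
    scheme, host = parsed.scheme.lower(), (parsed.hostname or "").lower()
    if scheme == "ldap":
        return "unreachable: AD-internal LDAP CDP"
    if scheme in ("http", "https"):
        if not host or "." not in host or host.endswith(tuple(s.lower() for s in internal_suffixes)):
            return "unreachable: internal-only hostname"
        return "candidate: verify this URL is published outside the firewall"
    return "unknown scheme: " + scheme


def fetch_dc_certificate(host, port=636, timeout=5):
    """Assumed helper: fetch the DC's LDAPS certificate (DER) *without* validating it, so the
    CDP can be read from outside even when chain/CRL validation is exactly what fails."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)


# --- constructed sample (invented CA name and hostnames), built with a tiny DER encoder ---
def _der(tag, content):
    n = len(content)
    lb = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
    return bytes([tag]) + (bytes([n]) if n < 0x80 else bytes([0x80 | len(lb)]) + lb) + content


def _distribution_point(uri):
    # DistributionPoint { [0] DistributionPointName { [0] GeneralNames { [6] URI } } }
    return _der(0x30, _der(0xA0, _der(0xA0, _der(0x86, uri.encode("ascii")))))


SAMPLE_CDP_URLS = [
    "ldap:///CN=Example%20Issuing%20CA,CN=ca1,CN=CDP,CN=Public%20Key%20Services,CN=Services,"
    "CN=Configuration,DC=example,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint",
    "http://ca1.corp.example.com/CertEnroll/Example%20Issuing%20CA.crl",
    "http://pki.example.com/crl/Example%20Issuing%20CA.crl",
]
# [3] EXPLICIT Extensions -> SEQUENCE OF Extension -> the cRLDistributionPoints extension
SAMPLE_EXTENSIONS_DER = _der(0xA3, _der(0x30, _der(0x30,
    _der(0x06, OID_CRL_DISTRIBUTION_POINTS)
    + _der(0x04, _der(0x30, b"".join(_distribution_point(u) for u in SAMPLE_CDP_URLS))))))


if __name__ == "__main__":
    # Usage: python cdp_check.py [dc-hostname] [internal-dns-suffix ...]; no host = run on the sample.
    der = fetch_dc_certificate(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXTENSIONS_DER
    for url in extract_cdp_urls(der):
        print(f"{classify_cdp(url, tuple(sys.argv[2:])):<62} {url}")
```

Run it from the outside network against a DC (python cdp_check.py dc1.example.com .corp.example.com) to see which CDP URLs the issued certificate actually carries. The default Windows CA layout places an ldap:/// CDP first, which external clients can never follow, so a client that insists on revocation checking needs an http CDP on a name that resolves and routes from outside; the script only reports reachability by name and scheme and does not fetch the CRLs, which is the step pkiview.msc or a browser from the same vantage point would add.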