RE: LDAPS Setup question
As it says: the server authentication certificate must be issued to the FQDN of the computer on which your AD LDS instance is running. That's the internal FQDN.

If you want to use it externally, you are going to need something that does SSL termination and URL rewriting. Such as ISA or TMG.

Regards,

Michael B. Smith
Consultant and Exchange MVP
http://TheEssentialExchange.com

> From: Oliver Marshall [mailto:oliver.marsh...@g2support.com]
> Sent: Thursday, November 18, 2010 10:32 AM
> To: NT System Admin Issues
> Subject: LDAPS Setup question
>
> Hi Chaps,
>
> I'm trying to get LDAP over SSL set up on a Windows 2008 AD server. Before I order the SSL cert, I just want to check. The docs at the MS site say:
>
> When you request the certificate, specify the fully qualified domain name (FQDN) of the computer on which your AD LDS instance is running as the identifying name for the certificate. In other words, the server authentication certificate must be issued to the FQDN of the computer on which your AD LDS instance is running.
>
> Now, we want to use LDAPS both internally and externally. Am I right in thinking we can order a cert with the FQDN of ldap.mydomain.com and, as long as that domain resolves to the LDAP/AD server both externally and internally, it will be accepted? Or should we get a multiple-host SSL cert, as we do with Exchange 2xxx, and register the NetBIOS name, internal FQDN (server.mydomain.local) and the external FQDN (ldap.mydomain.com)?
>
> Olly
>
> Network Support : Online Backups : Server Management
> Tel: 0845 307 3443
> Email: oliver.marsh...@g2support.com
> Web: http://www.g2support.com
> Twitter: g2support
> Newsletter: http://www.g2support.com/newsletter
> Mail: 2 Roundhill Road, Brighton, Sussex, BN2 3RF

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/ ~
---
To manage subscriptions click here: http://lyris.sunbelt-software.com/read/my_forums/
or send an email to listmana...@lyris.sunbeltsoftware.com
with the body: unsubscribe ntsysadmin
RE: LDAPS Setup question
You sure about this? It seems to me that you just need a generic server authentication OID. In that case, the CN property in the cert just needs to match whatever FQDN is used to connect to the AD LDS instance. If that happens to be the same internally and externally, then there is no problem. Same as other types of server authN certs (e.g. web servers).

Cheers
Ken

> From: Michael B. Smith [mailto:mich...@smithcons.com]
> Sent: Thursday, 18 November 2010 11:40 PM
> To: NT System Admin Issues
> Subject: RE: LDAPS Setup question
>
> As it says: the server authentication certificate must be issued to the FQDN of the computer on which your AD LDS instance is running. That's the internal FQDN.
>
> If you want to use it externally, you are going to need something that does SSL termination and URL rewriting. Such as ISA or TMG.
>
> Regards,
>
> Michael B. Smith
> Consultant and Exchange MVP
> http://TheEssentialExchange.com
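Ken's point, that the certificate name has to match whatever name the client connects with, can be checked mechanically against the three options Oliver lists. This is an added example, not code from the thread: the three certificates are constructed (no real server was queried) and are modelled in the dict shape Python's `ssl` module returns from `getpeercert()`; `fetch_ldaps_cert()` retrieves a live certificate from port 636 so the same functions can be run against a real endpoint. Matching follows the usual server-certificate rules (SAN dNSName entries first, subject CN only as a fallback, a wildcard covering a single label).

```python
import socket
import ssl

# Constructed sample certificates (not from the thread's servers), in the dict shape
# ssl.SSLSocket.getpeercert() returns, mirroring the three options discussed.
CERT_DOCS_STYLE = {"subject": ((("commonName", "server.mydomain.local"),),)}
CERT_EXTERNAL_ONLY = {"subject": ((("commonName", "ldap.mydomain.com"),),)}
CERT_MULTI_NAME = {
    "subject": ((("commonName", "server.mydomain.local"),),),
    "subjectAltName": (("DNS", "server"), ("DNS", "server.mydomain.local"),
                       ("DNS", "ldap.mydomain.com")),
}
CONNECT_NAMES = ("server", "server.mydomain.local", "ldap.mydomain.com")

def cert_dns_names(cert):
    """SAN dNSName entries if any exist, else the subject CN (CN is only a fallback)."""
    san = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if san:
        return san
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive exact match, or a wildcard covering exactly one leftmost label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "." in host:
        return host.split(".", 1)[1] == pattern[2:]
    return False

def accepts(cert, hostname):
    """True if a client connecting to `hostname` would accept the names in `cert`."""
    return any(name_matches(n, hostname) for n in cert_dns_names(cert))

def coverage(cert):
    """For each name a client might use for the server, would this cert be accepted?"""
    return {h: accepts(cert, h) for h in CONNECT_NAMES}

def fetch_ldaps_cert(host, port=636, timeout=5):
    """Certificate a live LDAPS endpoint presents, for the same inspection. The chain
    must still validate against the local trust store (with CERT_NONE, getpeercert()
    returns an empty dict); only the hostname check is disabled."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # we want to see the names, not enforce them here
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()
```

Running `coverage()` over the three certificates shows that the docs-style cert satisfies only the internal FQDN and the ldap.mydomain.com cert only the external one; only the multi-name cert is accepted however the server is addressed.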
Re: LDAPS Setup question
What external source are you trying to connect with? We run LDAPS externally for SAAS applications and we just send the vendor the public keys so they can make the connection.

On Thu, Nov 18, 2010 at 8:10 AM, Oliver Marshall oliver.marsh...@g2support.com wrote:

> Thanks Michael,
>
> Does that mean that, without something like TMG, we can't actually get LDAPS working so that external boxes can authenticate against LDAP? I haven't seen that anywhere. Damn!
>
> --
> G2 Support
> Network Support : Online Backups : Server Management
> Web: www.g2support.com