This might already have been tried, but did you try running pkiview.msc from the machine? This checks the availability of the CRL from the current client against the CRL locations over HTTP and/or AD.
 
I had an issue a while back when trying to read an HTTP-based CRL: it could not connect due to an issue in the internal PAC script, which was not directing the client correctly.
 
Jef
 
----- Original Message -----
Sent: Tuesday, August 22, 2006 11:53 AM
Subject: Re: [ActiveDir] Secure LDAP queries from the outside

You cannot remove a CDP extension from a specific template; it is configured for all certs issued from the issuing CA.
If he plans to have clients from outside his network access the DCs over LDAPS, he should reconfigure the CA to include a CDP which is available outside of his network.
 
my .02
 
steve
 
----- Original Message -----
Sent: Tuesday, August 22, 2006 9:14 AM
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

 
Are you publishing a CRL? If so, then it must use the path to the CRL that's specified in the certificate or it bombs out (latency to the hosting CRL server will kill it too; I forget the exact value). Why do you need CRL checking on your DCs? Doesn't that make you question who is on your DCs that would make you revoke a cert, among other things? I would modify the template (if you're using an Enterprise CA) and reissue the certs without a CRL, and make sure the clients have the public key of your Root CA in their trusted root store. Something to ponder.
 
-Brandon 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 10:36 AM
To: [email protected]
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Hi Robert,

    Yes, the command is *exactly* the same.  We are thinking that our CRL location is not available outside of the firewall.  We generate our own certificates; we don’t use a “well known” provider.

Mike Thommes

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Tuesday, August 22, 2006 9:16 AM
To: [email protected]
Subject: RE: [ActiveDir] Secure LDAP queries from the outside

Hey Mike,

When you say “It works fine behind our firewall”, are you meaning that the *exact same* command line works and you get the object returned?

I tried using adfind to connect to my test DC using port 636 and got the exact same error…but I don’t have a cert installed on my DC so I’d expect mine not to work.

Robert Williams


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 6:19 AM
To: [email protected]
Subject: [ActiveDir] Secure LDAP queries from the outside

 

Hi,

   We are trying to set up secure LDAP queries from the outside to AD for pulling email addresses but are running into an issue.  Port 636 has been opened up to our DCs but we get a 0x51 error like the one shown below in this example of using “adfind”:

adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up *  -default -nodn -f sn=thommes extensionAttribute2

AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005

LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down

Terminating program.

(extensionAttribute2 is used for email address)

Portqry shows that the DC is listening on port 636.  Using “ldp”, the bind operation seems to want to default to port 389 (which is not open).

It works fine behind our firewall.  Is there some other port that needs to be open (besides 389)?  Or maybe some security feature (we are running w2k3/sp1 on our DCs) that is getting in the way?  Any help is appreciated!

TIA,

Mike Thommes
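The check the thread converges on, written up as an added example (this script is not part of the thread and is not anyone's posted code): from a box outside the firewall, complete the TLS handshake on 636, read the CRL Distribution Points out of the certificate the DC presents, and try to fetch each one from where the client actually sits. The host dc1.abc.com is taken from the adfind command above; the CA name abc-CA and the CDP URLs in the test certificate are made up for the example, and fetch_server_cert, cdp_urls, probe_cdps, gen_test_cert and ldaps_cdp_check are this example's own function names. It needs openssl (1.1.1 or later, for -ext) and curl.

```sh
#!/bin/sh
# Added example, not from the thread: does an LDAPS endpoint complete the TLS
# handshake, and can THIS client reach the CRL Distribution Points (CDPs) named
# in the certificate the DC presents? Hostnames, the CA name and the URLs are
# placeholders (dc1.abc.com comes from the thread, the rest is made up).

set -u

# Print (as PEM) the leaf certificate the DC presents on the LDAPS port.
fetch_server_cert() {            # usage: fetch_server_cert host [port]
    host=$1; port=${2:-636}
    openssl s_client -connect "$host:$port" -servername "$host" \
        </dev/null 2>/dev/null | openssl x509
}

# List the CRL Distribution Point URIs of a PEM certificate, one per line.
cdp_urls() {                     # usage: cdp_urls cert.pem
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null \
        | sed -n 's/^[[:space:]]*URI://p'
}

# Try every CDP from where this script runs. Returns 1 if none is reachable,
# which is the situation described in the thread (0x51 only from outside).
probe_cdps() {                   # usage: probe_cdps cert.pem
    ok=0
    for url in $(cdp_urls "$1"); do
        case $url in
            http://*|https://*)
                if curl -fsS --max-time 10 -o /dev/null "$url"; then
                    echo "reachable:   $url"; ok=1
                else
                    echo "UNREACHABLE: $url"
                fi ;;
            ldap:///*)
                # A host-less ldap:/// CDP is resolved through the client's own
                # domain; a client outside the forest cannot use it at all.
                echo "skipped (AD-only CDP): $url" ;;
            *)  echo "skipped (unknown scheme): $url" ;;
        esac
    done
    [ "$ok" -eq 1 ]
}

# Build a self-signed test certificate carrying the ldap:/// plus http:// CDP
# pair an Enterprise CA typically emits, so cdp_urls can be exercised offline.
# CA name and URLs are invented for the example.
gen_test_cert() {                # usage: gen_test_cert outdir
    cat >"$1/cdp.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3
prompt = no
[dn]
CN = dc1.abc.com
[v3]
crlDistributionPoints = ldap_cdp, http_cdp
[ldap_cdp]
fullname = @ldap_names
[ldap_names]
URI = ldap:///CN=abc-CA,CN=CA1,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=abc,DC=com?certificateRevocationList?base?objectClass=cRLDistributionPoint
[http_cdp]
fullname = URI:http://pki.abc.com/CertEnroll/abc-CA.crl
EOF
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$1/cdp.cnf" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# End-to-end check. usage: ldaps_cdp_check dc1.abc.com [636]
ldaps_cdp_check() {
    tmp=$(mktemp -d)
    if ! fetch_server_cert "$1" "${2:-636}" >"$tmp/cert.pem" 2>/dev/null; then
        echo "no TLS handshake on $1:${2:-636}"; rm -rf "$tmp"; return 1
    fi
    echo "CDPs in the certificate presented by $1:"; cdp_urls "$tmp/cert.pem"
    probe_cdps "$tmp/cert.pem"; rc=$?
    rm -rf "$tmp"; return $rc
}
```

Run ldaps_cdp_check dc1.abc.com from the outside host; if the handshake completes but every CDP comes back UNREACHABLE or AD-only, the client has nowhere to get a CRL from, which matches the thread's diagnosis. An http:// CDP that is published outside the firewall is the fix Steve describes, and since the CDP list is a property of the CA (its CRLPublicationURLs setting) rather than of a template, adding one means reissuing the DC certificates afterwards. On a Windows client, certutil -verify -urlfetch against the exported DC certificate does the same retrieval through the client's own proxy/PAC configuration, which is the failure mode Jef mentions.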

 

 

2006-08-22, 10:35:32