It actually depends on the policy defined for the SSL stack. In Windows,
this is typically configured globally for all SSL, although I'm not sure
where. It definitely used to be the case in Windows that CRLs were never
checked, but I have seen some other SSL stuff with HTTP actually checking
the CRL on 2K3 servers.
It is also possible in SSPI with Schannel to ignore specific conditions, so
this could be something that is ignored in the default LDAP SSL routine in
Windows, but I doubt it. The callback function for server certificate
verification will give you the error code if there is a problem and the
client can then deal with it as it sees fit.
CRLs can definitely be trouble though. They are by far the most vexing
thing to troubleshoot in SSL, and PKI in general.
Joe
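Added example, not code from the thread or from adfind/ldp: a Python 3 standard-library probe for the situation discussed above. It builds an LDAPS client context that trusts a private ("roll your own") root CA, optionally enforces CRL checking for the whole chain the way Schannel would when revocation checking is on, and turns the certificate-verification failure that adfind reports only as 0x51 "Server Down" into the underlying cause. Host names, file paths and the hint wording are assumptions.

```python
import socket
import ssl

VERIFY_HINTS = {  # substrings of OpenSSL verify messages -> likely cause (assumed wording)
    "unable to get local issuer certificate": "chain ends in a root this client does not trust; install the private root CA",
    "signed certificate": "chain ends in a root this client does not trust; install the private root CA",
    "unable to get certificate CRL": "CRL checking is on but the CRL distribution point is not reachable from here",
    "certificate has expired": "the server certificate or one of its issuers has expired",
}

def ldaps_context(cafile=None, check_crl=False):
    """Client TLS context for LDAPS. PROTOCOL_TLS_CLIENT already enforces
    CERT_REQUIRED plus hostname checking; cafile adds the internal root CA;
    check_crl demands a loadable CRL for every issuer in the chain."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if cafile:
        ctx.load_verify_locations(cafile)   # PEM with the private root CA (and CRLs)
    if check_crl:
        ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_CHAIN
    return ctx

def context_summary(ctx):
    """Plain-data view of the policy a context will enforce."""
    return {"verify_mode": ctx.verify_mode.name,
            "check_hostname": ctx.check_hostname,
            "crl_check": bool(ctx.verify_flags & ssl.VERIFY_CRL_CHECK_CHAIN)}

def explain_verify_failure(verify_message):
    """Turn an OpenSSL verify message into a hint an admin can act on."""
    for needle, hint in VERIFY_HINTS.items():
        if needle in verify_message:
            return hint
    return "certificate verification failed: " + verify_message

def crl_urls(peercert):
    """CRL distribution points as reported by SSLSocket.getpeercert()."""
    return list(peercert.get("crlDistributionPoints", ()))

def probe_ldaps(host, port=636, cafile=None, check_crl=False, timeout=5.0):
    """Handshake with host:port; a failed handshake is what adfind shows only as 0x51 'Server Down'."""
    ctx = ldaps_context(cafile, check_crl)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "subject": cert.get("subject"), "crl_urls": crl_urls(cert)}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "why": explain_verify_failure(getattr(exc, "verify_message", str(exc)))}
    except (OSError, ssl.SSLError) as exc:
        return {"ok": False, "why": "connect/handshake error: %s" % exc}
```

Run `probe_ldaps("dc1.example.test", cafile="internal-root.pem", check_crl=True)` from the outside host: if the result cites the CRL distribution point, the CRL is not published past the firewall, which is the question raised in the thread.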
----- Original Message -----
From: "Thommes, Michael M." <[EMAIL PROTECTED]>
To: <ActiveDir@mail.activedir.org>
Sent: Wednesday, August 23, 2006 8:37 PM
Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved
Hi joe,
The CRL location is *not* available from the outside. And since neither
adfind, ldp or Outlook Express seemed to care, I am guessing that not many
(any?) tools require it. Kinda makes ya wonder why you would have it if
it's not used. Sorta like not using the book of bad credit card numbers
when someone handed you a credit card! (maybe some of you are old enough to
remember this safeguard before there were computers everywhere! LOL!).
Mike Thommes
________________________________
From: [EMAIL PROTECTED] on behalf of joe
Sent: Wed 8/23/2006 7:15 PM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved
Cool, is the CRL available from the outside at all? I am really curious if
that is truly needed from the client when using LDAPS, it doesn't seem to be
needed but my testing has been far from perfect in that regard.
joe
--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Wednesday, August 23, 2006 8:06 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside --> problem solved
Thanks to all who responded! The problem was solved by installing our local
root CA cert on the "outside" computer since we are "rolling our own" and
not using one of the well known CAs (Trusted Root Certification
Authorities).
Mike Thommes
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 9:36 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside
Hi Robert,
Yes, the command is *exactly* the same. We are thinking that our CRL
location is not available outside of the firewall. We generate our own
certificates; we don't use a "well known" provider.
Mike Thommes
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Williams, Robert
Sent: Tuesday, August 22, 2006 9:16 AM
To: ActiveDir@mail.activedir.org
Subject: RE: [ActiveDir] Secure LDAP queries from the outside
Hey Mike,
When you say "It works fine behind our firewall", are you meaning that the
*exact same* command line works and you get the object returned?
I tried using adfind to connect to my test DC using port 636 and got the
exact same error...but I don't have a cert installed on my DC so I'd expect
mine not to work.
Robert Williams
________________________________
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Thommes, Michael M.
Sent: Tuesday, August 22, 2006 6:19 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] Secure LDAP queries from the outside
Hi,
We are trying to set up secure LDAP queries from the outside to AD for
pulling email addresses but are running into an issue. Port 636 has been
opened up to our DCs but we get a 0x51 error like the one shown below in
this example of using "adfind":
adfind -h dc1.abc.com:636 -u [EMAIL PROTECTED] -up * -default -nodn -f sn=thommes extensionAttribute2
AdFind V01.26.00cpp Joe Richards ([EMAIL PROTECTED]) February 2005
LDAP_BIND: [rhino221.anl.gov] Error 0x51 (81) - Server Down
Terminating program.
(extensionAttribute2 is used for email address)
Portqry shows that the DC is listening on port 636. Using "ldp", the bind
operation seems to want to default to port 389 (which is not open).
It works fine behind our firewall. Is there some other port that needs to
be open (besides 389)? Or maybe some security feature (we are running
w2k3/sp1 on our DCs) that is getting in the way? Any help is appreciated!
TIA,
Mike Thommes
2006-08-22, 10:35:32
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx