
RobertPerez-5245 asked DaisyZhou-MSFT commented

How can I get LDAP to work on Windows Server 2019 with an internal CA certificate or with a Comodo certificate

I have spent many months on this issue, but recently on a new Windows Server 2019, I have the same issue:

I would think that the internal Windows 2019 certificates would be fine for LDAPS; I am not sure if it is a matter of trust or a configuration issue. I have looked at many documents on the internet, but none seem to help me get beyond this LDAPS issue. My goal is to use a Windows 2019 LDAPS certificate so other applications can authenticate and retrieve LDAP data.

I have installed Windows Server 2019 and the Certification Authority, and I see ports 389 and 636 in listen mode, but when I attempt to use port 636 I get errors. Port 389 is fine. When I use the openssl connect command on port 443 I have no errors.

What I have tried:

I have spent hours searching for solutions that work on www.google.com. This has not worked.

I have used the JXplorer LDAP browser: I can log in to port 389 and see Active Directory objects fine, but when I use port 636 it fails immediately with the error "Error opening connection: LDAP connection has been closed". The details on the error are: "javax.naming.NamingException: LDAP connection has been closed".

When I run this command, I get the response shown below:

openssl s_client -connect FicticiousServerName.com:636 -showcerts

CONNECTED(00000003)
depth=0 CN = LAB.FicticiousServerName.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = LAB.FicticiousServerName.com
verify error:num=21:unable to verify the first certificate
verify return:1
Certificate chain
 0 s:/CN=LAB.FicticiousServerName.com
   i:/DC=com/DC=FicticiousServerName/CN=FicticiousServerName.com

When I use Windows 2019 ldp.exe to test LDAP on port 636, IT LOOKS FINE:

How can I use the existing LDAP certificate in Windows 2019 and not get errors when doing:

openssl s_client -connect FicticiousServerName.com:636 -showcerts

windows-server-2019
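In the output above openssl sees a single depth=0 certificate whose issuer it cannot find (verify errors 20 and 21) and whose CN is not the name being connected to: the Windows CA that issued the DC certificate is trusted by domain members, but openssl and the Java truststore behind JXplorer only trust it once its certificate is exported and handed to them. The script below is an added example, not code from the thread or from Microsoft: it turns s_client output into findings and can re-run s_client with -CAfile; the SAMPLE text is the question's own output split onto lines, and the VERIFY_HINTS wording is an assumption about the usual cause.

```python
import re
import subprocess

# openssl verify(1) result codes seen in the thread, with the usual cause (assumed wording).
VERIFY_HINTS = {
    "20": "issuing CA is not in the client's trust store (export it and pass -CAfile)",
    "21": "leaf certificate could not be chained to any trusted root",
}

def diagnose(output: str, host: str) -> dict:
    """Structured findings from 'openssl s_client -showcerts' output for a connection to host."""
    errors = sorted(set(re.findall(r"verify error:num=(\d+):", output)))
    # Chain lines look like ' 0 s:/CN=x' (older openssl) or ' 0 s:CN = x' (newer).
    subjects = re.findall(r"^\s*(\d+) s:(.*)$", output, re.M)
    leaf = next((s for n, s in subjects if n == "0"), "")
    m = re.search(r"CN\s*=\s*([^,/\n]+)", leaf)
    cn = m.group(1).strip() if m else ""
    findings = [f"verify error {e}: {VERIFY_HINTS.get(e, 'see openssl verify(1)')}" for e in errors]
    if cn and cn.lower() != host.lower():
        findings.append(f"connected to {host!r} but leaf CN is {cn!r}; the connected name must "
                        "appear in the SAN (check with: openssl x509 -noout -ext subjectAltName)")
    if len(subjects) == 1:
        findings.append("server sent only the leaf; its issuer must already be trusted locally")
    return {"verify_errors": errors, "leaf_cn": cn, "chain_len": len(subjects), "findings": findings}

def run_s_client(host: str, port: int = 636, cafile: str = "") -> dict:
    """Run openssl s_client against host:port and diagnose the result (needs network)."""
    cmd = ["openssl", "s_client", "-connect", f"{host}:{port}", "-servername", host, "-showcerts"]
    if cafile:  # PEM of the issuing/root CA (assumed exported beforehand, e.g. with certutil)
        cmd += ["-CAfile", cafile]
    proc = subprocess.run(cmd, input=b"", capture_output=True, timeout=20)
    return diagnose(proc.stdout.decode(errors="replace") + proc.stderr.decode(errors="replace"), host)

# Constructed sample: the s_client output quoted in the question, one item per line.
SAMPLE = """CONNECTED(00000003)
depth=0 CN = LAB.FicticiousServerName.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = LAB.FicticiousServerName.com
verify error:num=21:unable to verify the first certificate
verify return:1
---
Certificate chain
 0 s:/CN=LAB.FicticiousServerName.com
   i:/DC=com/DC=FicticiousServerName/CN=FicticiousServerName.com
"""
```

On the CA, `certutil -ca.cert ca.cer` followed by `certutil -encode ca.cer ca.pem` produces the PEM that `run_s_client(host, cafile="ca.pem")` expects, and JXplorer needs the same certificate added to the Java truststore it uses. A clean run returns no verify errors and a chain_len of at least 2.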

Hello @RobertPerez-5245,

How are things going on your end? Please keep me posted on this issue.
If you have any further questions or concerns about this question, please let us know.
I appreciate your time and efforts.

Best Regards,
Daisy Zhou


============================================
If the Answer is helpful, please click "Accept Answer" and upvote it.



Hello @RobertPerez-5245,
I just want to confirm the current situation.
Please feel free to let us know if you need further assistance.


Best Regards,
Daisy Zhou



DaisyZhou-MSFT answered

Hello @RobertPerez-5245,

Thank you for your reply.

Q: So are you saying this is the procedure to get LDAPS working correctly so I can avoid the errors I have listed?
A: For the built-in Windows ldp.exe tool, it will work as in my first reply if you configure it as I mentioned above (enroll a certificate for the DC using the specific certificate template).

Q: Why do I want to choose Kerberos?
A: Because we need to enroll a certificate for the domain controller.

For more information about DC certificates, we can refer to the link below.
LDAPS / Domain Controller Certificates
https://xdot509.blog/2020/12/21/ldaps-domain-controller-certificates/


Should you have any question or concern, please feel free to let us know.

Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.


Best Regards,
Daisy Zhou



DaisyZhou-MSFT answered RobertPerez-5245 commented

Hello @RobertPerez-5245,

Thank you for your reply.

As I understand it, you can now connect using the Windows built-in LDP.exe tool, but cannot bind and search information.

How many DCs are there in your domain?

On the DC you want to connect to, you can check whether you have requested a computer certificate using the certificate template named "Domain Controller", "Domain Controller Authentication" or "Kerberos Authentication".

Log on to this DC using the domain Administrator account.
Open certlm.msc and press Enter.
Open the Certificates - Local Computer\Personal\Certificates container and check as below.

For example:
95434-cer1.png

If there is such a certificate, you should enroll such a certificate.
1. Duplicate a Kerberos Authentication certificate template.
95426-d1.png

2. Give "Authenticated Users" read permission and give "Domain Controllers" read and enroll permissions.
95398-d2.png

3. Issue the certificate template we just duplicated.
95427-d3.png

4. Log on to this DC using the domain Administrator account.

5. Open certlm.msc and press Enter.

6. Right-click the Certificates - Local Computer\Personal\Certificates container \All Tasks\Request New Certificate\Next\Next\select the "Kerberos Authentication" certificate template you just duplicated\click the Enroll button.
95428-d4.png

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou






Daisy,

Yes, I have 1 DC only in my forest.

So are you saying this is the procedure to get LDAPS working correctly so I can avoid the errors I have listed? Why do I want to choose Kerberos? I want to get the certificate functional for LDAPS.

Thanks,
Bob Perez

DaisyZhou-MSFT answered RobertPerez-5245 commented

Hello @RobertPerez-5245,

Thank you for your update.

I can see the result you provided is OK.
95020-ok.png

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou






Daisy, if ldp.exe connects OK but the bind fails AND openssl fails, then there is a problem.
AND if the JXplorer LDAP client browser also fails to connect, then there is a problem, despite what ldp.exe says.

openssl s_client -connect FicticiousServerName.com:636 -showcerts

What can I do from this point to figure out why these above utilities fail ?

Thanks,
Bob Perez


Daisy, when I use the LDAP browser client JXplorer, on attempting to connect to port 636 (but not 389) I get the errors
"Error opening connection", "LDAP connection has been closed" and "javax.naming.NamingException: LDAP connection has been closed".

There definitely is a problem with the certificate from Windows Server 2019 and LDAP.

RobertPerez-5245 answered RobertPerez-5245 commented

Daisy,

When I do your step #6, I see:


Expanding base 'DC=gwlinux,DC=com'...
ldap_get_next_page_s failed: 1
Server error: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
Error 0x4DC The operation being requested was not performed because the user has not been authenticated.
Result <1>: 000004DC: LdapErr: DSID-0C090A5C, comment: In order to perform this operation a successful bind must be completed on the connection., data 0, v4563
Getting 0 entries:



Hello @RobertPerez-5245,

Thank you for your update.

So with the bind failed, you can still view and search some information, is that right?

If so, we can troubleshoot the bind first; then, when the bind is successful, we can try to view and search some information again.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou




Yes.
ld = ldap_sslinit("gwlinux.com", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to gwlinux.com.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=gwlinux,DC=com;
currentTime: 5/7/2021 7:21:08 AM Mountain Daylight Time;
defaultNamingContext: DC=gwlinux,DC=com;
dnsHostName: LAB.gwlinux.com;
domainControllerFunctionality: 7 = ( WIN2016 );
domainFunctionality: 7 = ( WIN2016 );
dsServiceName: CN=NTDS Settings,CN=LAB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gwlinux,DC=com;
forestFunctionality: 7 = ( WIN2016 );
highestCommittedUSN: 16968;
isGlobalCatalogReady: TRUE;
isSynchronized: TRUE;
ldapServiceName: gwlinux.com:lab$@GWLINUX.COM;

RobertPerez-5245 answered RobertPerez-5245 commented

Daisy,

When I do step #5 above, the bind, I see:


53 = ldap_set_option(ld, LDAP_OPT_ENCRYPT, 1)
res = ldap_bind_s(ld, NULL, &NtAuthIdentity, NEGOTIATE (1158)); // v.3
{NtAuthIdentity: User='NULL'; Pwd=<unavailable>; domain = 'NULL'}
Error <81>: ldap_bind_s() failed: Server Down.
Server error: <empty>



Even though when I go to a CMD window and run "whoami",
I see: gwlinux\administrator


Hello @RobertPerez-5245,

Thank you for your update.

Would you please tell us which server you connected in step 2?
94623-co1.png

Check whether this server is up and running successfully.
Check whether this server is a DC or not.

Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou





I connect to "gwlinux.com"; the server is running and it is a domain controller.

ld = ldap_sslinit("gwlinux.com", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to gwlinux.com.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=gwlinux,DC=com;
currentTime: 5/7/2021 7:21:08 AM Mountain Daylight Time;
defaultNamingContext: DC=gwlinux,DC=com;
dnsHostName: LAB.gwlinux.com;
domainControllerFunctionality: 7 = ( WIN2016 );
domainFunctionality: 7 = ( WIN2016 );
dsServiceName: CN=NTDS Settings,CN=LAB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=gwlinux,DC=com;
forestFunctionality: 7 = ( WIN2016 );
highestCommittedUSN: 16968;
isGlobalCatalogReady: TRUE;
isSynchronized: TRUE;

DaisyZhou-MSFT answered

Hello @RobertPerez-5245,

Thank you for posting here.

In my test lab, I have installed an internal CA server.

On one machine, I can connect to the DC on port 636 with SSL.

For example:

1. On one machine, open ldp.exe and press Enter.

2. Connect to the PDC.
94109-ld1.png

3. Connected successfully.
94110-ld2.png

4. Bind with credentials.
94139-ld3.png

5. Bound successfully.
94214-ld4.png

6. View information on the PDC.
94140-ld5.png

7. Can see data on the PDC successfully.

94221-ld6.png


Tip: I am sorry, we do not know much about the openssl command.


Should you have any question or concern, please feel free to let us know.


Best Regards,
Daisy Zhou




