LDAP/S implementation query

  • Question

  • We have 4 domain controllers. All of them hold a Domain Controller certificate (Server Authentication, Client Authentication, KDC). We have not yet imported the certificate into the NTDS/Personal store. But when we try an LDP/OpenSSL query with the domain controller name and port 636, we get the response from the certificate which has the longer lifetime. The DC administrators and management want to understand the requirement to publish the certificate in the NTDS store. Can someone please shed some light on this?
    Wednesday, November 21, 2018 1:32 PM

All replies

  • Hi,

    Thanks for posting.

    Here is an article for a reference.

    https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

    Hope above information could help.

    Best Regards,

    Kallen


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Thursday, November 22, 2018 7:03 AM
    Moderator
  • Hi Kallen,

    Thanks for your response. I have already read the tech article.

    We already performed a test with LDP.EXE and OpenSSL on port 636 against one of the domain controllers. We got the response from the domain controller with the certificate details. The question here is, why is it mandatory to import the certificate with the private key into NTDS/Personal?

    Please help me understand the difference between the LDP/OpenSSL query through port 636 and application/user authentication using LDAP/S.

    Thursday, November 22, 2018 1:01 PM
  • Hi,

    Please check if the following information is helpful.

    https://www.cisco.com/c/en/us/support/docs/security/firesight-management-center/118761-technote-firesight-00.html

    https://www.watchguard.com/help/docs/ssl/3/en-us/content/en-us/manage_system/active_directory_auth_w-ldap-ssl.html

    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

    Hope above information could help.

    Best Regards,

    Kallen  



    Monday, November 26, 2018 7:49 AM
    Moderator
  • Hi all, looks like this query didn't get a full answer. I have the same problem.

    DCs currently require multiple certificates for various purposes. Is there an easy way to ensure that a domain controller presents a specific certificate, ideally a Kerberos Auth template based certificate, when an LDAPS connection is attempted? As in the OP, if the server possesses another certificate with the 'Server Authentication' EKU that has a longer expiry date, that other certificate seems to get presented instead.

    I'm aware that it's possible to import a specific cert into the NTDS\Personal store to force use of a particular cert, but this prevents use of auto-enrolment to distribute Kerberos Auth certs for this purpose. This requirement is for a very large AD forest containing a few hundred DCs.

    Thanks in advance.

    Wednesday, August 21, 2019 2:40 PM
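A way to check which certificate a DC actually hands out on 636 and whether it is the Kerberos Authentication one, as an added example that is not from this thread or from Microsoft: it assumes `openssl` is on the path, parses its `x509 -text` output, and models the selection the posters observe (the longest-lived Server Authentication cert wins) as a stated assumption, not a documented Schannel rule. The sample certificate fragments are constructed.

```python
import re
import subprocess
from datetime import datetime, timezone

SERVER_AUTH = "TLS Web Server Authentication"
KDC_AUTH_OID = "1.3.6.1.5.2.3.5"  # KDC Authentication EKU, added by the Kerberos Authentication template

def fetch_cert_text(host, port=636):
    """Fetch the leaf certificate a DC presents on LDAPS and render it as `openssl x509 -text`."""
    pem = subprocess.run(["openssl", "s_client", "-connect", f"{host}:{port}"],
                         input=b"", capture_output=True, check=True).stdout
    return subprocess.run(["openssl", "x509", "-text", "-noout"],
                          input=pem, capture_output=True, check=True).stdout.decode()

def parse_x509_text(text):
    """Pull subject, expiry and EKU list out of `openssl x509 -text -noout` output."""
    subject = re.search(r"^\s*Subject:\s*(.+)$", text, re.M).group(1).strip()
    not_after = re.search(r"Not After\s*:\s*(.+)", text).group(1).strip()
    expiry = datetime.strptime(not_after, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
    eku = re.search(r"X509v3 Extended Key Usage:[^\n]*\n\s*([^\n]+)", text)
    ekus = [e.strip() for e in eku.group(1).split(",")] if eku else []
    return {"subject": subject, "expiry": expiry, "ekus": ekus}

def pick_presented(certs):
    """Assumed model of what the posters observe: among certs with a Server
    Authentication EKU, the one with the latest expiry is the one offered on 636."""
    eligible = [c for c in certs if SERVER_AUTH in c["ekus"]]
    return max(eligible, key=lambda c: c["expiry"]) if eligible else None

def is_kerberos_auth_cert(cert):
    """True when the cert carries the KDC Authentication EKU."""
    return KDC_AUTH_OID in cert["ekus"]

# Constructed sample `x509 -text` fragments (not from a real DC): one
# Kerberos Authentication cert and one longer-lived Web Server cert on dc01.
KRB_CERT = """\
        Validity
            Not Before: Jan 15 00:00:00 2019 GMT
            Not After : Jan 15 00:00:00 2020 GMT
        Subject: CN = dc01.corp.example
            X509v3 Extended Key Usage:
                TLS Web Client Authentication, TLS Web Server Authentication, 1.3.6.1.5.2.3.5
"""
WEB_CERT = """\
            Not After : Jan 15 00:00:00 2024 GMT
        Subject: CN = dc01.corp.example, O = Corp
            X509v3 Extended Key Usage:
                TLS Web Server Authentication
"""
```

Against a live DC, `is_kerberos_auth_cert(parse_x509_text(fetch_cert_text("dc01.corp.example")))` tells you whether the certificate on 636 is the Kerberos Authentication one; the constructed pair shows the case the thread describes, where the longer-lived Web Server cert wins and the check comes back False.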