#1

Connect AD Server 636 to access LDAP SSL

Hello,

After a lot of research I was able to connect to AD (Windows 2008) on port 636, but I saw that only the machines inside the domain can access it; for all machines outside the domain the port is closed. It's annoying: we can access AD LDAP 636 SSL through LDP when we are at the server where AD is running or on any machine inside the domain, but when a machine is outside the domain that port is blocked or not available.

I was able to generate the certificate and install it on the client machine using keytool and storing it. I'm working with JNDI, and the same code to access LDAP through 636 SSL works fine inside the domain, but outside the domain it's annoying: port not found.

Can anyone help me on how to configure 636 outside the domain also? This would really help me.

Thank you

Napoleão

Last edited by napoleao : 13-08-2009 at 05:44 AM.
#2

Re: Connect AD Server 636 to access LDAP SSL

Hello napoleao,

By default 2008 has the firewall enabled. So check the following docs about the needed ports to open:

http://support.microsoft.com/kb/179442/
http://support.microsoft.com/kb/555381
http://technet.microsoft.com/en-us/l.../bb727063.aspx
http://technet.microsoft.com/en-us/l...EXCHG.65).aspx

Best regards
Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups **
HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> Hello
> After a lot of research I was able to connect to AD Windows 2008
> port 636, but I saw that only the machines inside the domain can access it;
> for all machines outside the domain the port is closed.
> It's annoying: we can access AD LDAP 636 SSL through LDP when we are at
> the server where AD is running or on any machine inside the domain,
> but when a machine is outside the domain that port is blocked or not
> available.
> I was able to generate the certificate and install it on the client
> machine using keytool and storing it.
> I'm working with JNDI, and the same code to access LDAP through 636
> SSL works fine inside the domain, but outside the domain it's annoying:
> port not found.
> Can anyone help me on how to configure 636 outside the domain also?
> This would really help me.
>
> Thank you
>
> Napoleão
>
> http://forums.techarena.in
#3

Re: Connect AD Server 636 to access LDAP SSL

I tried to disable the firewall and couldn't connect; only computers inside the domain were able to reach that port. I created a new rule for all connections on port 636, and the same thing happened. I deleted all rules and created a new one allowing all ports and all IPs on the firewall for all profiles (public, private, domain) and still wasn't able to connect, grr.

I'm able to connect to port 389 with no problems. The only difference between that port and 636 is that 636 is encrypted (SSL). Why I'm not able to connect to this port is annoying as hell: I try to turn off the firewall, create rules to allow all communications, and still no success. The information on the Microsoft website is not ...specific and so vast... Is there a policy on Windows 2008 that disables communications from computers outside the domain to port 636? I'm able to see 389 but not 636, but I'm able to connect to this port from any machine in the domain.

Outside the domain I get:

    ld = ldap_sslinit("kraken.org", 636, 1);
    Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
    Error <0x51> = ldap_connect(hLdap, NULL);
    Server error: <empty>
    Error <0x51>: Fail to connect to kraken.org.

Inside a PC on the domain:

    ld = ldap_sslinit("kraken.org", 636, 1);
    Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
    Error 0 = ldap_connect(hLdap, NULL);
    Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
    Host supports SSL, SSL cipher strength = 128 bits
    Established connection to kraken.org.
    Retrieving base DSA information...
[RootDSE attribute dump, TCPview and netstat listings omitted]

Thank you

Last edited by napoleao : 14-08-2009 at 04:57 PM.
#4

Re: Connect AD Server 636 to access LDAP SSL

OK, the problem is not accessing the port, because I was able to install the cert into the Java keystore and was able to connect from a machine outside the domain.

The problem is with the Windows certificate... it is not installing it correctly because the machine is not inside the domain, and when LDP.exe connects over SSL the connection goes to the Windows certificates, and the server certificate hangs on machines outside the domain. Something about the server not being an authority allowed to be trusted, and a certificate having to be installed among the trusted authorities... I'm a bit lost here; I know only a bit about this...

I was able to install a certificate on the client machine in the trusted authorities directory. But LDP.exe still can't connect to port 636 of the AD from an outside machine. But I'm able to go through Java using the cert in the keystore and connect from a machine outside the domain.

And sorry for the mess on the other post :-S

Thank you

Last edited by napoleao : 14-08-2009 at 05:27 PM.
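The distinction this post arrives at, a blocked port versus a certificate the client does not trust, is worth testing directly rather than inferring from LDP's output (LDP's Error <0x51> is LDAP_SERVER_DOWN, a transport failure, which says nothing about certificates). The script below is an added example, not code from the thread: it dials the LDAPS port and reports which layer failed. It assumes a hypothetical PEM bundle holding the DC's issuing CA when `ca_file` is given, and that `host` is the DNS name the DC's certificate was issued for.

```python
import socket
import ssl
from typing import Optional

# Outcome labels for the layers the thread conflates: a transport failure
# (LDP's Error <0x51>, LDAP_SERVER_DOWN) versus a certificate trust failure.
PORT_UNREACHABLE = "port_unreachable"   # TCP connect failed: firewall, NAT, or nothing listening
UNTRUSTED_CERT = "untrusted_cert"       # TCP ok, chain rejected: issuing CA not in the client's trust store
NAME_MISMATCH = "name_mismatch"         # chain trusted, but the cert does not name the host dialled
HANDSHAKE_FAILED = "tls_handshake_failed"  # TCP ok, TLS failed for a non-verification reason
OK = "ok"                               # TLS handshake completed; LDAPS is usable from this client


def diagnose_ldaps(host: str, port: int = 636, ca_file: Optional[str] = None,
                   timeout: float = 5.0) -> str:
    """Tell a blocked port apart from a certificate the client does not trust.

    ca_file: PEM bundle holding the CA that issued the DC certificate (the same
    CA the thread's author imported into the Java keystore with keytool).
    None uses the platform's default trust store, which is the situation of a
    non-domain Windows client running LDP.exe.
    """
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return PORT_UNREACHABLE           # certificates never came into play

    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True             # the cert must name the host we dialled
    ctx.verify_mode = ssl.CERT_REQUIRED   # an untrusted chain is a hard failure
    try:
        # wrap_socket performs the handshake; on failure it closes the socket itself
        with ctx.wrap_socket(raw, server_hostname=host):
            return OK
    except ssl.SSLCertVerificationError as exc:
        # Name mismatches surface as a verification error too; separate them
        msg = str(exc).lower()
        if "hostname" in msg or "mismatch" in msg:
            return NAME_MISMATCH
        return UNTRUSTED_CERT
    except (ssl.SSLError, OSError):
        return HANDSHAKE_FAILED


if __name__ == "__main__":
    import sys
    # Usage: python ldaps_check.py dc.example.org [ca.pem]   (hypothetical names)
    target = sys.argv[1] if len(sys.argv) > 1 else "dc.example.org"
    bundle = sys.argv[2] if len(sys.argv) > 2 else None
    print(target, diagnose_ldaps(target, ca_file=bundle))
```

Run it once without `ca_file` (the client's default trust store, LDP.exe's situation) and once with the DC's CA bundle (the Java keystore situation); a result of `port_unreachable` in both runs points at the network, `untrusted_cert` only in the first run points at the certificate store.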
#5

Re: Connect AD Server 636 to access LDAP SSL

"napoleao" <napoleao.3wwojb@DoNotSpam.com> wrote in message news:napoleao.3wwojb@DoNotSpam.com...

> OK, the problem is not accessing the port,
> because I was able to install the cert into the Java keystore and was
> able to connect from a machine outside the domain.
>
> The problem is with the Windows certificate... it is not installing it
> correctly
> because the machine is not inside the domain, and when LDP.exe connects
> over SSL the connection goes to the Windows certificates, and the server
> certificate hangs on machines outside the domain.
>
> Something about the server not being an authority allowed to be trusted,
> and a certificate having to be installed among the trusted authorities...
> I'm a bit lost here; I know only a bit about this...
>
> I was able to install a certificate on the client machine in the
> trusted authorities directory.
> But LDP.exe still can't connect to port 636 of the AD from an outside
> machine.
>
> But I'm able to go through Java using the cert in the keystore and
> connect from a machine outside the domain.
>
> And sorry for the mess on the other post :-S
>
> Thank you

Hello napoleao,

Is your firewall a NAT? If so, it won't work. If not, you would probably have to open up other ports for AD communications. There are about 29 ports plus the service response ports (UDP 1024 and above).

--
Ace

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights. Please reply back to the newsgroup or forum to benefit from collaboration among responding engineers, and to help others benefit from your resolution.

Ace Fekay, MCT, MCTS Exchange, MCSE, MCSA 2003 & 2000, MCSA Messaging
Microsoft Certified Trainer

For urgent issues, please contact Microsoft PSS directly. Please check http://support.microsoft.com for regional support phone numbers.
#6

Re: Connect AD Server 636 to access LDAP SSL

Hello napoleao,

Outside domain machine means NOT a domain member? Then you have to enable anonymous LDAP connections, disabled by default. Check this way:
http://technet.microsoft.com/de-de/l...88(WS.10).aspx

Take care of the 7th character in the Value.

Best regards
Meinolf Weber

Disclaimer: This posting is provided "AS IS" with no warranties, and confers no rights.
** Please do NOT email, only reply to Newsgroups **
HELP us help YOU!!! http://www.blakjak.demon.co.uk/mul_crss.htm

> OK, the problem is not accessing the port,
> because I was able to install the cert into the Java keystore and was
> able to connect from a machine outside the domain.
> The problem is with the Windows certificate... it is not installing it
> correctly
> because the machine is not inside the domain, and when LDP.exe connects
> over SSL the connection goes to the Windows certificates, and the server
> certificate hangs on machines outside the domain.
> Something about the server not being an authority allowed to be trusted,
> and a certificate having to be installed among the trusted authorities...
> I'm a bit lost here; I know only a bit about this...
>
> I was able to install a certificate on the client machine in the
> trusted authorities directory.
> But LDP.exe still can't connect to port 636 of the AD from an outside
> machine.
> But I'm able to go through Java using the cert in the keystore and
> connect from a machine outside the domain.
>
> And sorry for the mess on the other post :-S
>
> Thank you
>
> http://forums.techarena.in
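The 7th character the post warns about is the fLDAPBlockAnonOps position of the dSHeuristics attribute on the Directory Service object under CN=Configuration: '2' allows anonymous LDAP operations, anything else (or a value too short to reach position 7) keeps them blocked. The helpers below are an added example, not part of the thread, for auditing a dSHeuristics value read from the DC and computing the edited value without disturbing the other positions; the sample values are constructed.

```python
# Position (1-based) of fLDAPBlockAnonOps in dSHeuristics, the character the
# post says to take care of.  Value '2' allows anonymous LDAP operations;
# any other value, or a string too short to reach position 7, blocks them.
ANON_OPS_POS = 7
ANON_OPS_ALLOWED = "2"


def anonymous_ldap_ops_allowed(ds_heuristics):
    """Audit: does this dSHeuristics value permit anonymous LDAP operations?"""
    if not ds_heuristics or len(ds_heuristics) < ANON_OPS_POS:
        return False        # attribute absent or short: default, anonymous blocked
    return ds_heuristics[ANON_OPS_POS - 1] == ANON_OPS_ALLOWED


def with_anonymous_ops(ds_heuristics, allow):
    """Compute the edited value, touching only position 7.

    Existing characters are preserved because the other positions carry
    unrelated settings; missing positions are padded with '0'.  Padding stops
    at 7, so the validation digits dSHeuristics requires at positions 10, 20,
    ... are never introduced or altered by this function.
    """
    chars = list(ds_heuristics or "")
    while len(chars) < ANON_OPS_POS:
        chars.append("0")
    chars[ANON_OPS_POS - 1] = ANON_OPS_ALLOWED if allow else "0"
    return "".join(chars)


def audit(ds_heuristics):
    """One-line report for a value pulled from CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,..."""
    state = "ALLOWED" if anonymous_ldap_ops_allowed(ds_heuristics) else "blocked (default)"
    shown = ds_heuristics if ds_heuristics else "<not set>"
    return "dSHeuristics=%s -> anonymous LDAP operations %s" % (shown, state)


if __name__ == "__main__":
    # Constructed sample values, not read from a real DC
    for sample in (None, "0000000", "0000002", "001", "0000002001"):
        print(audit(sample))
    print(with_anonymous_ops("001", True))    # -> 0010002
```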
#7

Re: Connect AD Server 636 to access LDAP SSL

"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message news:ff16fb662d5438cbeb5622010206@msnews.microsoft.com...

> Hello napoleao,
>
> Outside domain machine means NOT a domain member? Then you have to enable
> anonymous LDAP connections, disabled by default. Check this way:
> http://technet.microsoft.com/de-de/l...88(WS.10).aspx
>
> Take care of the 7th character in the Value.

Ahh, good point, and good catch!! I forgot about that. :-)

Cheers!!
Ace