Tags: ldap, service pack 3, ssl, windows 2003
#1 SSL for LDAP
We need to install SSL on our domain controllers so an external server can make SSL LDAP connections to them. Are there any TechNet articles on how to do this? This is Windows 2003 SP1. Also I saw SelfSSL.exe that would create a certificate for me; would this be good enough to encrypt the data to the external source?

#2 Re: SSL for LDAP
I wouldn't recommend SelfSSL as a source of certificates. If you want to use third-party certificates, be sure to get them from a trusted source: http://support.microsoft.com/kb/321051 The simplest option is to establish a PKI infrastructure with an Enterprise CA in this domain and let the DCs auto-enroll certificates.

#3 Re: SSL for LDAP
Yes, PKI is the best option. However, don't just install the certificate services. Although this will work, you won't have the best setup. There's quite a lot to a Windows PKI infrastructure and deployment. The documentation on MSFT's site is great. Summarised, you need an offline root CA and a subordinate enterprise CA (small setup). http://technet2.microsoft.com/Window....mspx?mfr=true

#4 Re: SSL for LDAP
Yes Paul, you are right .. I took too big a shortcut in my post .. No, I didn't mean "just install CA". I mean "make it right to get PKI working in your domain environment".

#5 Re: SSL for LDAP
Oh yes, I know you didn't mean slap it in there (it's more likely me that says things like that, than you). I just thought I'd clarify that for the OP as I did just whip a PKI infrastructure in a three-domain forest, and now that I'm starting to teach myself PKI, I notice that I missed a lot of configuration that I shouldn't! :-D

#6 Re: SSL for LDAP
Does this require us to purchase anything? I was looking to do something for free. Should we just follow the example scenario for Contoso?

#7 Re: SSL for LDAP
If you have Windows it doesn't cost anything, although it is recommended that you use Windows Server 2003 Enterprise Ed. for the Enterprise CA(s). That what was automatic? Was this what you were looking for? http://support.microsoft.com/kb/321051

#8 Re: SSL for LDAP
We installed an Enterprise Root CA. Now how do we get our domain controllers to do SSL over LDAP? Our domain is all Windows 2003. I found documentation that says this was automatic in Windows 2000; was this changed in Windows 2003? Are there any updated TechNet articles for this?

#9 Re: SSL for LDAP
If you're referring to the auto-enrollment then that will still happen by default with a Windows PKI infrastructure as there's a default DC template. The main difference between k3 and 2k is that with Win2003 SP1 DCOM access was locked down. So DCs don't have access to auto-enroll by default. You need to add them to the CERTSVC_DCOM_ACCESS built-in group (and reboot them). Thanks, this is the first information that was helpful. Where is this group located? Will the DC still be able to talk over port 389 as well as port 636?

#10 Re: SSL for LDAP
Hi Eric, sorry for the delay. I've been on leave over the Christmas period. Yes, the DCs will continue to talk on 389. It just means that if you initiate SSL-based connections, then the DCs will also use this. As for where that group is, it should be in the Builtin folder if I remember correctly, but might be in Users. Ensure your PDCe is running Windows Server 2003 SP1, as the PDCe is responsible for creating new security principals, and both 2003 and SP1 add new ones.

#11 Re: SSL for LDAP
Actually, my last post was a little inaccurate. The PDCe doesn't create this group. CertSvr does. The group will only exist (in AD) if you have cert services installed on a DC. Otherwise it is a local group and EVERYONE is added to it. On a DC, this is locked down to domain users and domain computers, which is why you need to either add all DCs into this group, or use group nesting. See kb889101 for more info. -- http://support.microsoft.com/kb/889101

#12 Re: SSL for LDAP
I'm following KB321051 to enable LDAP over SSL on my Windows 2003 server. I followed steps 1 and 2 to create the certificate request file. Then, I used Certificate Services on my W2K3 system to create the certificate, using the Certification Authority MMC snap-in. When I saw the certificate in 'Issued Certificates', I selected 'Export Binary Data', and selected 'Binary Certificate', and 'View formatted text version of data'. Sure enough, this looks like a good certificate to me. Step 5 of this procedure is 'certreq -accept certnew.cer'. When I execute this command using the ASCII file produced by the export process, above, I get the error: "The data is invalid 0x8007000d (WIN32: 13)". A note on step 4 says that the saved certificate must be encoded as base64. So I used several base64 applications available over the web to encode the ASCII data. When I feed the base64-encoded file to 'certreq -accept', I get: "ASN1 bad tag value met. 0x8009310b (ASN: 267)". What am I doing wrong?

#13 Re: SSL for LDAP
Hi, I am not a sysadmin, but a DAM tester! Need some help here in setting up the LDAPS connectivity please. On my Win 2003 SP2 server, using the ldp.exe, it connects fine to port 389. Shows Error on port 636, with or without SSL checked. With SSL checked: ld = ldap_sslinit("qa.domain.com", 636, 1); Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3); Error <0x51> = ldap_connect(hLdap, NULL); Server error: <empty> Error <0x51>: Fail to connect to qa.domain.com. Without: Error <0x51>: Fail to connect to qa.domain.com I am able to telnet to port 636. Got a trial certificate from Verisign, can see it in MMC under Personal, tried with moving it to Trusted Root location as well, no go. Where am I going wrong? Thanks in advance!
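The two troubleshooting questions in #12 and #13 both come down to a check that is easy to script. certreq -accept takes a certificate either as raw DER or as base64 DER between PEM markers; the "formatted text version of data" view is a hex dump, which is neither, and the 0x51 that ldp.exe reports is LDAP_SERVER_DOWN, i.e. the TLS handshake on 636 never completed even though the TCP port answered. The Python below is an added example, not code from any poster or from Microsoft: it classifies a certificate file the way certreq needs it, converts DER to the base64 form step 4 of KB321051 asks for, and performs the same TLS handshake to port 636 that an LDAPS client would, separating "port open but no TLS" from "TLS up but certificate untrusted". The DER blob and hex dump are constructed stand-ins (a real certificate is far longer), and the hostname in the usage line is a placeholder.

```python
"""Triage for certreq -accept input (#12) and an LDAPS port that answers
TCP but not TLS (#13).  Added example; not code from the thread."""
import base64
import binascii
import re
import socket
import ssl

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def der_is_sequence(der: bytes) -> bool:
    """True if `der` is exactly one DER SEQUENCE (tag 0x30) whose encoded
    length matches the data.  Every X.509 certificate is such a SEQUENCE;
    a hex dump or stray text fails here, which is what certreq's
    'ASN1 bad tag' means."""
    if len(der) < 2 or der[0] != 0x30:
        return False
    first = der[1]
    if first < 0x80:                          # short-form length
        length, header = first, 2
    else:                                     # long form: 0x8N, then N bytes
        n = first & 0x7F
        if n == 0 or n > 4 or len(der) < 2 + n:
            return False
        length = int.from_bytes(der[2:2 + n], "big")
        header = 2 + n
    return len(der) == header + length


def _b64_to_der(text: bytes):
    """Strict base64 decode (whitespace stripped); None if not base64."""
    try:
        return base64.b64decode(re.sub(rb"\s+", b"", text), validate=True)
    except binascii.Error:
        return None


def classify_cert_file(data: bytes) -> str:
    """Return 'der', 'pem' (base64 DER with markers), 'base64' (bare
    base64 DER) or 'not-a-certificate'.  Only the last will fail certreq."""
    if der_is_sequence(data):
        return "der"
    m = PEM_RE.search(data)
    if m:
        body = _b64_to_der(m.group(1))
        ok = body is not None and der_is_sequence(body)
        return "pem" if ok else "not-a-certificate"
    body = _b64_to_der(data)
    if body is not None and der_is_sequence(body):
        return "base64"
    return "not-a-certificate"


def der_to_pem(der: bytes) -> bytes:
    """Wrap DER in the base64-with-markers form step 4 of KB321051 wants."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN CERTIFICATE-----\n" + b"\n".join(lines)
            + b"\n-----END CERTIFICATE-----\n")


def ldaps_check(host: str, port: int = 636, timeout: float = 5.0) -> dict:
    """TCP connect, then a verifying TLS handshake, reported in stages so
    'telnet works but ldp gives 0x51' shows up as tcp=True, tls=False."""
    result = {"tcp": False, "tls": False, "trusted": False, "detail": ""}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["detail"] = f"tcp connect failed: {exc}"
        return result
    result["tcp"] = True
    ctx = ssl.create_default_context()   # verifies chain and hostname
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result.update(tls=True, trusted=True, detail=tls.version())
            return result
    except ssl.SSLCertVerificationError as exc:   # TLS works, trust does not
        result.update(tls=True, detail=f"untrusted: {exc.verify_message}")
    except (ssl.SSLError, OSError) as exc:        # nothing spoke TLS at all
        result["detail"] = f"no TLS handshake on port {port}: {exc}"
    finally:
        raw.close()
    return result


# Constructed samples: a minimal SEQUENCE { INTEGER 2 } standing in for a
# certificate, and a 'formatted text' style hex dump of the same bytes.
SAMPLE_DER = b"\x30\x03\x02\x01\x02"
SAMPLE_TEXT_DUMP = b"0000\t30 03 02 01 02   0....\r\n0005\r\n"

if __name__ == "__main__":
    for name, blob in [("der", SAMPLE_DER), ("pem", der_to_pem(SAMPLE_DER)),
                       ("dump", SAMPLE_TEXT_DUMP)]:
        print(name, "->", classify_cert_file(blob))
    # print(ldaps_check("dc1.example.test"))   # placeholder DC hostname
```

Feed the file you are about to pass to certreq through `classify_cert_file`; a result of not-a-certificate means re-save the binary export (or its base64 form via `der_to_pem`) rather than the formatted text view. For the #13 symptom, `ldaps_check` returning tcp=True with tls=False is the signature of a DC listening on 636 without a usable server certificate, while tls=True and trusted=False points at the client's trust store instead.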