Thread: SSL for LDAP

  1. #1
    Join Date
    Jan 2006
    Posts
    104

    SSL for LDAP

    We want to install SSL on our domain controllers so an external server can make an SSL LDAP connection to them. Is there any Microsoft article on how to do this? It is Windows 2003 SP1. I also checked that SelfSSL.exe will create a certificate for me; would that be a good option to encrypt the data to the external source? Thanks

  2. #2
    Join Date
    Nov 2005
    Posts
    403

    Re: SSL for LDAP

    I would not suggest SelfSSL as a source of certificates. If you want to use third-party certificates, be sure to get them from a trusted source; see this link - http://support.microsoft.com/kb/321051

    Another solution would be to establish a PKI infrastructure with an Enterprise CA in this domain and let the DCs auto-enroll certificates.

  3. #3
    Join Date
    Jan 2006
    Posts
    3,792

    I also think that PKI is the best option. But don't just install Certificate Services. It will definitely work, but you will not have the best setup. There is quite a lot to a Windows PKI infrastructure and deployment; the guide on the Microsoft website suggests that. You will need an offline root CA and a subordinate enterprise CA:

    http://technet2.microsoft.com/Window....mspx?mfr=true

  4. #4
    Join Date
    Jul 2009
    Posts
    1

    Re: SSL for LDAP

    Hi,
    I am not a sysadmin, but a DAM tester! I need some help here in setting up the LDAPS connectivity, please.
    On my Win 2003 SP2 server, using ldp.exe, it connects fine to port 389.
    It shows an error on port 636, with or without SSL checked.
    With SSL Checked:
    ld = ldap_sslinit("qa.domain.com", 636, 1);
    Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
    Error <0x51> = ldap_connect(hLdap, NULL);
    Server error: <empty>
    Error <0x51>: Fail to connect to qa.domain.com.


    Without:
    Error <0x51>: Fail to connect to qa.domain.com

    I am able to telnet to port 636.
    I got a trial certificate from Verisign; I can see it in MMC under Personal, and I tried moving it to the Trusted Root location as well, no go.
    Where am I going wrong?
    Thanks in advance!
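An added diagnostic example (not posted by anyone in this thread) for the situation described in the last post. ldp.exe reports 0x51 (LDAP_SERVER_DOWN) for any failure below the LDAP layer, so it does not distinguish "nothing listening on 636" from "TCP connected but the TLS handshake failed". Since telnet to 636 works, the failure is in the TLS layer, and the usual causes on a domain controller are those the KB 321051 article linked above spells out: the certificate must sit in the Local Computer's Personal store (not the logged-on user's), have its private key, carry the Server Authentication EKU, and name the DC's FQDN in the subject or subject alternative name; the client must additionally trust the issuing CA. The script below separates the layers: it tries TCP, then a verifying TLS handshake, then checks the presented certificate's names and validity dates against the host you asked for. `qa.domain.com` is taken from the post as the default target; the certificate dictionary format is the one Python's `ssl` module returns from `getpeercert()`, and the constructed certificate in the test is made up for illustration.

```python
"""Diagnose why an LDAPS (TCP 636) connection to a domain controller fails.

Added example: splits the problem ldp.exe collapses into a single 0x51
(LDAP_SERVER_DOWN) into layers: TCP reachability, TLS handshake with chain
and hostname verification, and whether the certificate names the host.
"""
import socket
import ssl
import time

LDAPS_PORT = 636


def san_dns_names(cert):
    """DNS entries from the subjectAltName of an ssl getpeercert() dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]


def subject_common_name(cert):
    """The commonName from the subject of a getpeercert() dict, or None."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def name_matches(pattern, host):
    """RFC 6125-style DNS-ID match: exact, or one wildcard for the leftmost label."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*.") and "*" not in pattern[2:]:
        host_labels = host.split(".")
        # The wildcard stands for exactly one label, so "*.domain.com"
        # matches "qa.domain.com" but not "a.b.domain.com" or "domain.com".
        return len(host_labels) >= 2 and ".".join(host_labels[1:]) == pattern[2:]
    return False


def check_ldaps_cert(cert, expected_host, now=None):
    """Return the problems that would make a DC certificate unusable for LDAPS.

    `now` is seconds since the epoch (defaults to the current time).
    """
    problems = []
    now = time.time() if now is None else now
    names = san_dns_names(cert)
    cn = subject_common_name(cert)
    if not names:
        problems.append("no subjectAltName DNS entries (many clients ignore the CN)")
    candidates = names or ([cn] if cn else [])
    if not any(name_matches(n, expected_host) for n in candidates):
        problems.append(f"no name matches {expected_host!r}: {candidates}")
    if "notBefore" in cert and ssl.cert_time_to_seconds(cert["notBefore"]) > now:
        problems.append("certificate is not yet valid")
    if "notAfter" in cert and ssl.cert_time_to_seconds(cert["notAfter"]) < now:
        problems.append("certificate has expired")
    return problems


def probe_ldaps(host, port=LDAPS_PORT, cafile=None, timeout=5.0):
    """Try TCP, then TLS with chain and hostname verification; report the failing layer.

    Returns (stage, detail): stage is "tcp", "tls" or "ok". For "ok", detail is
    the list from check_ldaps_cert (an empty list means the certificate looks right).
    """
    # System trust roots unless an explicit CA bundle (e.g. the internal root) is given.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return "tcp", f"cannot reach {host}:{port}: {exc}"
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return "ok", check_ldaps_cert(tls.getpeercert(), host)
    except ssl.SSLError as exc:
        # Typical on a DC: no usable certificate bound to LDAPS at all, an issuing
        # CA the client does not trust, or a subject/SAN that does not name the host.
        return "tls", f"TLS handshake with {host}:{port} failed: {exc}"
    except OSError as exc:
        return "tls", f"connection dropped during TLS handshake: {exc}"
    finally:
        sock.close()


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "qa.domain.com"  # host from the post
    stage, detail = probe_ldaps(target)
    print(stage, detail)
```

Run it as `python ldaps_probe.py qa.domain.com`, optionally pointing `cafile` at the CA bundle that issued the DC certificate. A "tcp" result means nothing answered on 636; a "tls" result with the TCP port open is the poster's case, and the OpenSSL error text in `detail` usually says whether the chain is untrusted, the name does not match, or the server closed the handshake because it has no certificate to offer.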
