Discussion on: Active Directory LDAPS the easy way

Emanuel

Hello, thanks for this Step to Step guide.

In my case, I have 3 DCs (2008R2 and 2016) + 400 endpoints (Windows 8.1 and Windows 10 1709 or later).

If I set up Secure LDAPS following this guide, would those endpoints be able to connect normally?

And what about all the services that today are connecting through 389?

Thank you!! Have a nice week.
Emanuel.

bondr007

Hi Emanuel,

The communication between Active Directory and client machines is secured using a different protocol, called Kerberos, for authentication. Domain-joined machines such as your Windows endpoints on Windows 8.1 and 10 should not be affected, since their traffic for authentication does not use LDAP or LDAPS; instead it uses a proprietary implementation of Kerberos on port 88. LDAP and LDAPS are primarily used by servers, such as a web server that uses Active Directory to authenticate users, or by some client applications that query Active Directory. Some other examples: Linux machines used with Active Directory can use LDAP(S) (there are also ways to use Kerberos on Linux domain-joined machines), and macOS uses LDAP(S) for authentication when joined to an Active Directory domain. When you enable LDAPS, LDAP 389 traffic does not go away. Microsoft has indefinitely extended the deadline. The March 2020 update did add the ability to enforce secure channel binding in LDAP: support.microsoft.com/en-us/help/4... I have not had the opportunity to test this yet.

Emanuel

Hi there. Hope you are doing well and safe.
I followed your tutorial 20 days ago and everything is working well (i.e. the Windows workstations).
The connection from a linux to the main server is OK, using:
openssl s_client -connect srv-ad-01.mydomain.local:636 -CAfile ca.crt

But it's not working when trying to connect to the other 3 DCs (where I imported the pfx). I'm getting this error:

CONNECTED(00000003)
write:errno=104
no peer certificate available
No client certificate CA names sent
SSL handshake has read 0 bytes and written 0 bytes
New, (NONE), Cipher is (NONE)

I followed this guide to import the PFX file:
How to Install Certificates on Microsoft Active Directory LDAP 2012

Is there another way to import that pfx file?

Thanks again.
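A check a defender would want right after the import step, added here as an example for this thread (it is not code from the original posts or from bondr007's guide): it probes every DC on TCP 636 the same way as the `openssl s_client` command above, classifies the output, and flags a DC that resets the connection before presenting a certificate, which is what the `write:errno=104` (ECONNRESET) / `no peer certificate available` lines above mean. The DC host names in `DCS` and the CA file path in `CA_FILE` are placeholders, not real values from the thread.

```shell
#!/bin/sh
# Added example for this thread; not part of the original posts or the linked guide.
# Probes LDAPS (TCP 636) on every domain controller, so a certificate that was
# imported on one DC but is not being served by the others shows up at once.
# Placeholders (assumptions, not real hosts): the names in DCS and the CA_FILE path.

CA_FILE="${CA_FILE:-ca.crt}"
DCS="${DCS:-srv-ad-01.mydomain.local srv-ad-02.mydomain.local}"

# Classify raw `openssl s_client` output read from stdin.
# Prints exactly one of: ok, untrusted, no-cert, unknown
#   no-cert   - server closed/reset the connection without sending a certificate
#   ok        - chain verified against CA_FILE and the host name matched
#   untrusted - a certificate was sent but verification failed (wrong CA, name, expiry)
classify_ldaps_output() {
  out=$(cat)
  if printf '%s\n' "$out" | grep -q 'no peer certificate available'; then
    echo no-cert
  elif printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)'; then
    echo ok
  elif printf '%s\n' "$out" | grep -q 'Verify return code:'; then
    echo untrusted
  else
    echo unknown
  fi
}

# Probe one DC. The host name is passed as SNI and for host-name verification,
# so a certificate issued for a different DC is reported as untrusted rather
# than silently accepted. "Q" on stdin makes s_client exit after the handshake.
check_ldaps_host() {
  host=$1
  printf 'Q\n' | openssl s_client -connect "$host:636" -servername "$host" \
      -verify_hostname "$host" -CAfile "$CA_FILE" 2>&1 | classify_ldaps_output
}

# Probe every DC; return non-zero if any of them is not "ok".
check_all_dcs() {
  rc=0
  for dc in $DCS; do
    status=$(check_ldaps_host "$dc")
    echo "$dc: $status"
    [ "$status" = ok ] || rc=1
  done
  return $rc
}

# Usage: DCS="dc1.example dc2.example" CA_FILE=ca.crt sh ldaps_check.sh --run
if [ "${1:-}" = "--run" ]; then
  check_all_dcs
fi
```

Run it with `--run` against the real DC list; any DC reporting `no-cert` is the one whose pfx import did not land in the store the LDAP service reads, and any `untrusted` result usually means the certificate does not name that DC or was not issued by the CA in `ca.crt`.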

bondr007

Hi Emanuel,

Sorry it took so long to reply.

You can export the cert/privatekey and import them on the rest of your domain controllers using the commands listed here to do this:
github.com/bondr007/HowTo-ActiveDi...

Emanuel

Hi there! First of all, thank you so much for your time and dedication to answer my question. Very clear! I did not know that workstations used Kerberos... So I'm going to go through those steps. Thank you very much again and have a good week!!!

Emanuel.