Configuring a cert for custom LDAPS

  • Last Post 11 February 2020
Biju_Babu posted this 10 February 2020

Hello,

Wondering if there is a way to config a DC to use a specific cert from its computer store for LDAPS. As per the below TechNet blog, the DC will pick the newest one from the store for LDAPS, and it is true with my experience (not so pleasant) and testing.

Rgds

https://blogs.technet.microsoft.com/russellt/2016/06/03/custom-ldap-certs/

rwilper posted this 10 February 2020

The “easiest” way that I have found to force the right certificate for LDAPS is to place it in the ADDS service’s Personal store instead of the computer’s Personal store. ADDS will look for a valid and applicable certificate there first.

-Ross

amulnick posted this 10 February 2020

Would you not want to load balance it? It's even easier to put a LB in front and use a single cert for the LB-to-DC comm.
Simpler is always better from what I've seen, and load balancing can give you better availability if done right.

Al

chriss3 posted this 10 February 2020

Hmm. Isn’t that for KDC cert? <> LDAPs cert?


chriss3 posted this 10 February 2020

Nope, sorry, you’re right: the service store is for LDAPS; the KDC chooses the cert differently.

Biju_Babu posted this 11 February 2020

Thanks Ross, I will look into it.

 

@ Al Mulnick – Sorry, I do not follow. We are using an LB and it gives its “pool” name back to the client while establishing LDAPS (noticed from netmon traffic). Is there a different way to do this?

Rgds

Anthony.Vandenbossche posted this 11 February 2020

If you have around 100 Domain Controllers, the ADDS store is a pain in the ass 😊. Make sure your Domain Controllers only have 1 valid Computer Auth certificate in their stores. In the case of 100 Domain Controllers, you can auto-generate an INF file for every Domain Controller. A template INF file is below. Replace the FQDN and NETBIOS references with those of your environment. The script (below the template) will replace the “REPLACEME” placeholders with your Domain Controller names, resulting in 100 INF files ready to submit to your CA.

 

[Version]
Signature = "$Windows NT$"

[NewRequest]
Subject = "CN=REPLACEME.FQDN"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1 ; required for encryption
KeyUsage = 0xA0 ; digital signature, key encipherment
MachineKeySet = TRUE ; key belongs to the local computer account
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = CMC

[RequestAttributes]
CertificateTemplate = "LDAPSTemplate"

[Extensions]
; 2.5.29.17 is the Subject Alternative Name; each _continue_ line appends one more entry to it
2.5.29.17 = "{text}"
_continue_ = "dns=REPLACEME.FQDN&"
_continue_ = "dns=ldap.FQDN&"
_continue_ = "dns=ldap1.FQDN&"
_continue_ = "dns=ldap2.FQDN&"
_continue_ = "dns=NETBIOS&"

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; server authentication

 

$DropDir = "C:\temp\ldaps\GeneratedINFFiles"
New-Item -ItemType Directory -Path $DropDir -Force | Out-Null   # make sure the drop folder exists
$INFFile = Get-Content C:\temp\ldaps\Template.inf
$DCs = Get-ADDomainController -Filter * | Select-Object Name      # every DC in the domain
Foreach ($DC in $DCs)
{
    Write-Host "Processing $($DC.Name)"
    $FileName = Join-Path $DropDir ($DC.Name + ".inf")
    # -replace runs over every line of the template; Out-File writes the result straight to disk
    $INFFile -replace "REPLACEME", $DC.Name | Out-File $FileName
}

 

In my case, I then placed all the INF files on a location accessible to all Domain Controllers, the NETLOGON share. Also, I put a version of PSEXEC (live.sysinternals.com) in the NETLOGON share to perform the below commands under the local machine context (Certificate Template permissions are given to Domain Controllers):

 

# 1. build the request on the DC as SYSTEM (the UNC paths need the double backslash)
Invoke-Command -ComputerName FQDNSERVER -ScriptBlock {\\FQDN\NETLOGON\LDAPS\PsExec64.exe -s -i certreq -new \\FQDN\NETLOGON\LDAPS\GeneratedINFFiles\DCNAME.inf \\FQDN\NETLOGON\LDAPS\GeneratedINFFiles\DCNAME.req}

# 2. submit the request to the CA and save the issued certificate
Invoke-Command -ComputerName FQDNSERVER -ScriptBlock {\\FQDN\NETLOGON\LDAPS\PsExec64.exe -s -i certreq -submit -config CASERVERFQDN\CANAME \\FQDN\NETLOGON\LDAPS\GeneratedINFFiles\DCNAME.req \\FQDN\NETLOGON\LDAPS\GeneratedINFFiles\DCNAME.cer}

# 3. install the certificate and bind it to the pending request's private key
Invoke-Command -ComputerName FQDNSERVER -ScriptBlock {\\FQDN\NETLOGON\LDAPS\PsExec64.exe -s -i certreq -accept \\FQDN\NETLOGON\LDAPS\GeneratedINFFiles\DCNAME.cer}

 

 

If you are really, really lazy, as you should be, write a wrapper around the above code to automate this process as well. That may look something like this:

$Share = "\\FQDN\NETLOGON\LDAPS"
$CA    = "CASERVERFQDN\CANAME"
$DCs = Get-ADDomainController -Filter * | Select-Object Name, HostName
Foreach ($DC in $DCs)
{
    $Name = $DC.Name   # $using: only accepts a plain variable, so copy the property first
    Invoke-Command -ComputerName $DC.HostName -ScriptBlock {
        $Files = "$using:Share\GeneratedINFFiles\$using:Name"
        & "$using:Share\PsExec64.exe" -s -i certreq -new "$Files.inf" "$Files.req"
        & "$using:Share\PsExec64.exe" -s -i certreq -submit -config $using:CA "$Files.req" "$Files.cer"
        & "$using:Share\PsExec64.exe" -s -i certreq -accept "$Files.cer"
    }
}

 

Hope this helps.

 

Kr,

Anthony Van den bossche
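A verification script I would add to this thread (an editor's example, not code posted by Ross, Anthony or Microsoft): it lists the Server Authentication certificates a DC could pick from the computer store and from the NTDS service store Ross describes, then connects to TCP 636 to see which one is actually presented, so the "more than one valid cert" condition Anthony warns about is visible before clients notice. It assumes it runs locally on the DC as an administrator, that certutil.exe is present, and that the output format of certutil -service -store NTDS\My contains "Cert Hash(sha1):" lines.

```powershell
# Editor's added check, not from the thread. Assumption: run on the DC itself as an administrator.
$DcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, as in the INF template above

# Computer Personal store: every valid cert with a private key and Server Authentication EKU is a candidate.
function Get-ComputerStoreCandidates {
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid)
    } | Sort-Object NotBefore -Descending   # newest first, the order the thread says the DC uses
}

# NTDS service store (the "ADDS service's Personal store"): not exposed on the Cert: drive,
# so ask certutil and pull the SHA1 hashes out of its text output.
function Get-NtdsStoreThumbprints {
    $out = & certutil.exe -service -store 'NTDS\My' 2>&1
    [regex]::Matches(($out -join "`n"), 'Cert Hash\(sha1\):\s*([0-9a-fA-F ]+)') |
        ForEach-Object { $_.Groups[1].Value -replace ' ', '' }
}

# Open a TLS session to 636 and capture the certificate the DC presents. Validation is bypassed
# on purpose: we only observe the certificate here, we do not trust the connection for anything.
function Get-PresentedLdapsCert {
    param([string]$HostName, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

$candidates = @(Get-ComputerStoreCandidates)
$ntds       = @(Get-NtdsStoreThumbprints)
$presented  = Get-PresentedLdapsCert -HostName $DcFqdn

"Computer store candidates ({0}):" -f $candidates.Count
$candidates | Format-Table Thumbprint, Subject, NotBefore, NotAfter -AutoSize
if ($candidates.Count -gt 1 -and $ntds.Count -eq 0) {
    Write-Warning "More than one usable cert in the computer store and NTDS\My is empty: selection is ambiguous."
}
"NTDS\My thumbprints: $($ntds -join ', ')"
"Presented on 636:    $($presented.Thumbprint)  $($presented.Subject)"
if ($ntds -contains $presented.Thumbprint) { "LDAPS cert comes from the NTDS service store." }
```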
