Overview
If the local Active Directory domain controllers have server certificates that support LDAP over SSL (LDAPS) connections, it is preferable to configure CentreStack to communicate with the domain controllers using LDAPS rather than LDAP, because LDAPS traffic is encrypted, whereas LDAP is clear text and susceptible to interception.
Prerequisites
Server Certificates
The local Active Directory domain controllers must have certificates that support LDAPS communication. Requirements are documented in this Microsoft support article: https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority
LDAPS TCP Port 636
The CentreStack web server must be allowed to access the domain controllers over TCP 636, the LDAPS port. The LDAP port is TCP 389.
Configuration
- In the CentreStack Tenant Dashboard click on the wrench icon in the Local Active Directory section:
- Click the Edit button, then enable the Enable Active Directory Integration option.
- In the Domain Controller or LDAP Server Address text box enter the DNS domain name of the AD domain followed by ":636", in this example: t2.hadroncloud.com:636, then specify a username and password. NOTE: A domain administrator is not required because all users typically have Read access to the directory:
- Click the Advanced Settings tab then enable the Enable LDAPS for secure access option:
- Click Apply at the top of the screen. The system will bind to Active Directory using the new configuration. There should be no errors reported.
- Back in the Tenant Dashboard click Add New User.
- Click on the AD domain:
- Objects in the domain should be enumerated proving the connection works:
Troubleshooting
Verify Certificates on Domain Controllers
Run the mmc.exe Certificates snap-in against the Local Computer store on the domain controllers. In an environment using a Microsoft Certification Authority for public key infrastructure (PKI) you should see a server certificate with these properties:
Probe TCP 636 on the Domain Controller(s)
Use the Microsoft SysInternals tool, psping.exe, to verify that the CentreStack server can access TCP 636 on the domain controllers. Once PsPing is downloaded and extracted, start a command prompt and execute a command similar to this:
psping <domain_controller_fqdn>:636
For example:
psping T2BRADDC01.t2.hadroncloud.com:636
Results should look like this:
TCP connect to 10.0.0.20:636:
5 iterations (warmup 1) ping test:
Connecting to 10.0.0.20:636 (warmup): from 10.0.0.29:57741: 0.37ms
Connecting to 10.0.0.20:636: from 10.0.0.29:57742: 0.43ms
Connecting to 10.0.0.20:636: from 10.0.0.29:57743: 0.25ms
Connecting to 10.0.0.20:636: from 10.0.0.29:57744: 0.50ms
Connecting to 10.0.0.20:636: from 10.0.0.29:57745: 0.40ms
TCP connect statistics for 10.0.0.20:636:
Sent = 4, Received = 4, Lost = 0 (0% loss),
Minimum = 0.25ms, Maximum = 0.50ms, Average = 0.39ms
If you see results other than above, there is a good chance that a firewall is blocking TCP 636 to the domain controller(s).
Test With ldp.exe
On the CentreStack server execute this command in an elevated PowerShell session:
Install-WindowsFeature RSAT-ADDS-Tools
This will install the ldp.exe tool and other Active Directory management tools on the CentreStack server.
Launch ldp.exe
In the Connection menu click Connect...
- In the Server text box specify the DNS domain name
- In the Port text box use 636
- Enable the SSL option:
Once the OK button is clicked in the Connect dialog, the results of the connection will be displayed in ldp.exe:
If this error is displayed by ldp.exe it usually means that there is a certificate problem:
In which case, this may be logged in the System event log:
Log Name: System
Source: Schannel
Date: 12/10/2019 3:06:48 PM
Event ID: 36882
Task Category: None
Level: Error
Keywords:
User: TXBRCSTK02\JeffR
Computer: TXBRCSTK02
Description:
The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The TLS connection request has failed. The attached data contains the server certificate.
The "untrusted certificate authority" usually means that the Certification Authority (CA) that issued the certificate is not trusted by the CentreStack server. This is typical when the CA is an internal private CA and CentreStack is not domain joined (i.e. a workgroup computer in the perimeter network).
In CentreStack, this problem will be displayed with this symptom:
The error is: Configuration can not be verified:Configuration can not be verified:Unknown error (0x80005000)
This will also cause Schannel to log the same Event ID: 36882.
In order for CentreStack to trust the CA's certificate you will typically need to import it into the Trusted Root Certification Authorities node in the mmc.exe certificate snap-in as shown here:
Additional Information
Assuming ldp.exe is able to make the LDAPS connection you can also use it to verify that the binding can be made using the credentials used for CentreStack's AD configuration:
In the Connection menu click Bind:
Enable the Bind with credentials option, then specify the user and password:
NOTE: The Domain field can be empty when using a userPrincipalName
The results of the binding will be displayed in ldp.exe:
To browse the tree, press Ctrl+T (or View > Tree), then enter the BaseDN of the root of the domain:
ldp.exe will display the tree in the left most pane:
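The three manual checks in the Troubleshooting and Additional Information sections (TCP 636 reachability, the TLS handshake and whether this machine trusts the issuing CA, and an authenticated LDAPS bind followed by enumerating the base DN) can be run in one pass from the CentreStack server. The script below is an added example for this article, not CentreStack code or a Microsoft tool; the domain controller name, user principal name and base DN are placeholders to replace with your own values. It uses the .NET SslStream and System.DirectoryServices.Protocols classes that ship with Windows, so nothing needs to be installed.

```powershell
# Added diagnostic script (not part of CentreStack or this article).
# Placeholder values: replace $Server, $UserName and $BaseDn with your own.
param(
    [string]$Server   = 'dc01.example.com',            # placeholder DC FQDN
    [int]$Port        = 636,                           # LDAPS port
    [string]$UserName = 'svc_centrestack@example.com', # placeholder UPN
    [string]$BaseDn   = 'DC=example,DC=com'            # placeholder base DN
)

# 1. TCP reachability on 636: the same thing psping shows above.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($Server, $Port)
    Write-Host "TCP ${Server}:${Port} reachable"
} catch {
    Write-Host "TCP ${Server}:${Port} NOT reachable (check firewall): $_"
    return
}

# 2. TLS handshake: capture the server certificate and the chain validation
#    result. The callback records the errors instead of hiding them, so an
#    untrusted issuing CA (the Schannel Event ID 36882 case) is reported while
#    still letting the handshake complete so the certificate can be inspected.
$script:tlsErrors = [System.Net.Security.SslPolicyErrors]::None
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:tlsErrors = $errors
    return $true
}
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($Server)
$serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
Write-Host "Server certificate: Subject=$($serverCert.Subject)"
Write-Host "                    Issuer=$($serverCert.Issuer) NotAfter=$($serverCert.NotAfter)"
if ($script:tlsErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
    Write-Host "TLS validation errors: $($script:tlsErrors)"
    Write-Host "If RemoteCertificateChainErrors: import the issuing CA certificate into Trusted Root Certification Authorities"
} else {
    Write-Host "TLS chain is trusted by this machine"
}
$ssl.Dispose(); $tcp.Dispose()

# 3. LDAPS bind with the CentreStack service credentials (what ldp.exe Bind
#    shows), then a one-level search at the base DN to confirm objects enumerate.
#    A simple (Basic) bind sends the password to the DC; it is acceptable here
#    only because SecureSocketLayer wraps the session in TLS on port 636.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred = Get-Credential -UserName $UserName -Message 'Password for LDAPS bind test'
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
    $id, $cred.GetNetworkCredential(), [System.DirectoryServices.Protocols.AuthType]::Basic)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
try {
    $conn.Bind()
    Write-Host "LDAPS bind as $UserName succeeded"
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
        $BaseDn, '(objectClass=*)', [System.DirectoryServices.Protocols.SearchScope]::OneLevel, @('name'))
    $resp = $conn.SendRequest($req)
    Write-Host "$($resp.Entries.Count) objects directly under $BaseDn"
    foreach ($e in $resp.Entries) { Write-Host "  $($e.DistinguishedName)" }
} catch {
    Write-Host "LDAPS bind/search failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

Run it from an elevated PowerShell session on the CentreStack server, the same machine whose certificate store CentreStack uses, so that step 2 reflects the trust decision CentreStack itself will make. A failure at step 1 points at the firewall (TCP 636), an error at step 2 points at the DC's certificate or the missing CA trust described above, and a failure at step 3 with a clean step 2 points at the credentials or base DN.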