Re: AD and SSL


From: Joe Kaplan (MVP - ADSI) (joseph.e.kaplan_at_removethis.accenture.com)
Date: 07/28/04


Date: Wed, 28 Jul 2004 09:15:06 -0500

You can use AD over an SSL connection without using SSL client certificates
for authentication. Depending on the API you are using, you'll usually just
do an ldap_sslinit or, with ADSI, set your binding options to
SecureSocketsLayer. After that, the channel will be encrypted. You can
also encrypt the channel using Kerberos if your client supports it.

Regarding the CA, it is necessary that the client trusts the root that
signed your server's certificate. You can do this by either purchasing a
cert from a CA that is already trusted or ensuring that the root cert is
trusted by the client.

HTH,

Joe K.

"ADified" <ADified@discussions.microsoft.com> wrote in message
news:FD82CE03-4359-41C9-A9AF-FD0037217014@microsoft.com...
> I have been experimenting with AD2000 as well as AD2003. I have written a
> client app in language X and it creates and removes user entries in AD fine.
> However, I'd like to set the password attribute and that seems to imply
> SSL. Supported authentication mechanisms as reported by my LDAP interface
> to AD2003 are the following:
> GSSAPI
> GSS-SPNEGO
> EXTERNAL
> DIGEST-MD5
> The reported authentication mechanisms for AD2000 are only the first 2 in
> the list above.
> Is there some particular reason for this?
>
> Having RTFMed a bit on how to make AD talk SSL I have come to the
> conclusion that I need to set up AD and its client (my application) with
> the same Certification Authority. So I have set up the CA server
> (enterprise) and although it accepts requests from my client I cannot get it
> to cooperate with AD. I have looked around in the documentation and have
> read tons of irrelevant pages.
>
> Can anyone offer some pointers on how to set up AD2000 or AD2003 ready to
> communicate in SSL (in particular DIGEST-MD5 is the authentication mechanism
> I'd like to use)?
>
> thanx in advance,
>
> b
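The two points in the reply above, bind over an encrypted channel and make sure the client trusts the root that signed the DC's certificate, look like this in practice. This is an added example, not the original poster's language-X client and not code from Joe's reply; it uses Python with the third-party ldap3 package for the network part, and every hostname, DN, file path and credential in it is a placeholder. The helpers that build the unicodePwd value and the modify operations run without ldap3 installed.

```python
"""
Set an Active Directory password over LDAPS (TCP 636) with the DC's
certificate chain validated against the enterprise root CA.

Added example, not from the thread. The network functions need the
third-party `ldap3` package; hostnames, DNs, paths and passwords are
placeholders (assumptions, not values from the page).
"""
import ssl
from typing import Optional

# Same string values that ldap3 exports as MODIFY_ADD / MODIFY_DELETE /
# MODIFY_REPLACE, kept local so the pure helpers import nothing third-party.
MODIFY_ADD = "MODIFY_ADD"
MODIFY_DELETE = "MODIFY_DELETE"
MODIFY_REPLACE = "MODIFY_REPLACE"


def encode_unicode_pwd(password: str) -> bytes:
    """AD accepts a unicodePwd write only as the new password wrapped in
    double quotes and encoded UTF-16LE without a BOM. Sent over a plain
    (unencrypted, unsealed) LDAP session the DC refuses the write with
    unwillingToPerform (result 53) instead of accepting it."""
    return f'"{password}"'.encode("utf-16-le")


def reset_password_ops(new_password: str) -> dict:
    """Administrative reset: replaces the value outright. Needs the
    'Reset Password' right on the target object, no old password."""
    return {"unicodePwd": [(MODIFY_REPLACE, [encode_unicode_pwd(new_password)])]}


def change_password_ops(old_password: str, new_password: str) -> dict:
    """Self-service change: delete the old value and add the new one in a
    single modify request. The DC verifies the old value and applies the
    domain password policy (history, minimum age) to the new one."""
    return {"unicodePwd": [
        (MODIFY_DELETE, [encode_unicode_pwd(old_password)]),
        (MODIFY_ADD, [encode_unicode_pwd(new_password)]),
    ]}


def ldaps_connection(host: str, ca_file: str, bind_dn: str, bind_password: str):
    """Open an LDAPS session. validate=CERT_REQUIRED with the root CA's PEM
    file means a DC whose chain does not end in that root fails the
    handshake; there is no silent fallback to port 389 in the clear."""
    from ldap3 import SIMPLE, Connection, Server, Tls  # third-party

    tls = Tls(validate=ssl.CERT_REQUIRED, ca_certs_file=ca_file)
    server = Server(host, port=636, use_ssl=True, tls=tls)
    # Simple bind is acceptable here only because the channel is already
    # encrypted; the bind password would otherwise cross the wire in clear.
    return Connection(server, user=bind_dn, password=bind_password,
                      authentication=SIMPLE, auto_bind=True,
                      raise_exceptions=True)


def set_password(conn, user_dn: str, new_password: str,
                 old_password: Optional[str] = None) -> bool:
    """Reset (no old_password) or change (old_password given) a user's
    password on an open, encrypted connection."""
    ops = (change_password_ops(old_password, new_password)
           if old_password else reset_password_ops(new_password))
    ok = conn.modify(user_dn, ops)
    if not ok:
        # With raise_exceptions=False this is where 'unwillingToPerform'
        # (unencrypted channel) or 'constraintViolation' (policy) shows up.
        raise RuntimeError(conn.result)
    return ok


if __name__ == "__main__":
    # Placeholder values: adjust to your forest before running.
    conn = ldaps_connection("dc01.example.local", "/etc/pki/enterprise-root.pem",
                            "CN=svc-provision,OU=Service,DC=example,DC=local",
                            "service-account-password")
    set_password(conn, "CN=Test User,OU=Users,DC=example,DC=local", "N3w-P@ssw0rd!")
    conn.unbind()
```

Before blaming the client, confirm the DC is actually listening on 636 with a chain that ends in the root you exported: `openssl s_client -connect dc01.example.local:636 -CAfile enterprise-root.pem` should report `Verify return code: 0 (ok)`. If it does not, the DC either has no server-authentication certificate from that CA yet or the client is pointed at a name that is not in the certificate's subject alternative names. The same unicodePwd encoding applies when the channel is protected by Kerberos signing and sealing instead of SSL, as the reply notes.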


