Re: AD SSL, what impact?
- From: "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Thu, 6 Apr 2006 14:50:25 -0500
We use external certs with our DCs and it isn't that big of a deal. You
just need a valid SSL cert registered to the DNS name of the DC and you are
good to go. Make sure you don't let them expire. :) I don't have any
experience with ECAs, so I assume they are easier still, but externally
sourced certs are definitely not rocket science.
For the presentation Ryan and I did at DEC, we got our test DC up and
running with SSL LDAP using a self-signed cert we generated with selfssl.exe
from the IIS 6 Resource Kit (free download) in less than 5 minutes. It was
not hard. The ADAM instance on my XP laptop is set up about the same way
and also works fine.
SSL LDAP traffic will naturally be a little slower than unencrypted traffic,
but the difference is probably negligible. I would not worry about that. Your
focus should be on security first.
If your app needs SSL, it is likely because it does simple LDAP binds
instead of SASL. If this is true, YOU MUST GET SSL!!!! Otherwise you'll
have plaintext credentials flying around on your network on insecure
protocols. This is not good.
If your app uses Microsoft's LDAP APIs (LDAP, ADSI, .NET, etc.), then you
can use SASL binds with Windows authentication to protect the credentials
and can use built in SSPI channel encryption/signing to protect the network
traffic and ensure it has not been tampered with. This is often an
attractive option as it avoids having to deploy SSL. It doesn't work for
everyone though.
Also, if the app will be doing LDAP-based password mods (changes and resets)
using ADSI SetPassword/ChangePassword, my experience is that you will get
maximum reliability with SSL available. The other techniques that those
methods use are (in my experience) not as reliable and much harder to
troubleshoot.
Best of luck!
Joe K.
"Paul Williams [MVP]" <ptw2001@xxxxxxxxxxx> wrote in message
news:OYJfM2aWGHA.3864@xxxxxxxxxxxxxxxxxxxxxxx
What's the problem with implementing an ECA? This is surprisingly simple,
easy to secure, and makes implementing SSL REALLY easy (you do nothing ;-)
You use 3rd-party certs and it might be a lot more work. Depends on whether
you can use auto-enrolment.
Only caveat that I came across (in a quick and dirty CA rollout) was the SP1
DCOM issue. But the read-me covers that (I just never bothered reading the
read-me!).
And what kind of impact enabling SSL might have if we deploy it to the DC's?
Nothing springs to mind. It just means that you can now implement simple
binds in a safe and secure manner - which a lot of LDAP apps will want to do.
--
Paul Williams
Microsoft MVP - Windows Server - Directory Services
http://www.msresource.net | http://forums.msresource.net
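The two checks a practitioner would want after reading the thread, written here as an added example (not code from Joe, Paul, or the original post): first, pull the certificate a DC presents on 636 and report whether its name matches the DNS name, whether the chain is trusted, and how long until it expires; second, perform the two bind styles the post contrasts, a simple bind that is only acceptable inside TLS and a Negotiate (SASL via SSPI) bind with signing and sealing that needs no server certificate. The DC name, account name and 30-day expiry warning are assumptions; substitute your own.

```powershell
# Added example, not code from the original thread. Checks a DC's LDAPS certificate
# (name match, chain trust, expiry) and then binds two ways: a simple bind forced
# inside TLS on 636, and a Negotiate (Kerberos/NTLM via SSPI) bind with signing and
# sealing on 389. Server and account names below are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,   # DC FQDN exactly as it appears in DNS
        [int]$Port = 636,
        [int]$WarnDays = 30                       # assumed threshold: warn this many days before NotAfter
    )
    # Record what .NET's validator thinks of the cert but let the handshake finish,
    # so the certificate can still be read back and reported on even when it is bad.
    $script:sslPolicyErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $errors)
        $script:sslPolicyErrors = $errors
        return $true
    }

    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        # The name passed here is what the cert is checked against; a cert issued to
        # a different name (for example the short host name only) is reported as
        # RemoteCertificateNameMismatch.
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    } finally {
        $tcp.Close()
    }

    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        Server       = $Server
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        DaysLeft     = $daysLeft
        # None means trusted chain and matching name. A selfssl.exe-style
        # self-signed cert shows RemoteCertificateChainErrors on any client that
        # has not been told to trust it.
        PolicyErrors = $script:sslPolicyErrors
        Ok           = ($script:sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None) -and
                       ($daysLeft -gt $WarnDays)
    }
}

function Test-LdapBinds {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential   # UPN form, e.g. user@corp.example.com
    )
    $nc = $Credential.GetNetworkCredential()

    # Simple (Basic) bind: the password itself goes to the DC. Only acceptable inside
    # TLS, so this connection is pinned to 636 with SSL enabled before binding.
    $id    = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $ldaps = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $ldaps.SessionOptions.SecureSocketLayer = $true
    $ldaps.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $ldaps.Credential = $nc
    $ldaps.Bind()     # throws LdapException if the DC refuses the bind

    # Negotiate bind: Kerberos (or NTLM) through SSPI. The password never crosses the
    # wire, and Signing/Sealing give integrity and confidentiality for the rest of the
    # session on plain 389, so no server certificate is needed for this path.
    $sasl = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    $sasl.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $sasl.SessionOptions.Signing = $true
    $sasl.SessionOptions.Sealing = $true
    $sasl.Credential = $nc
    $sasl.Bind()

    [pscustomobject]@{
        SimpleBindOverLdaps = 'ok'
        NegotiateSignSeal   = 'ok'
    }
}

# Example invocation (placeholder names):
# Test-LdapsCertificate -Server 'dc1.corp.example.com' | Format-List
# Test-LdapBinds -Server 'dc1.corp.example.com' -Credential (Get-Credential 'svc-app@corp.example.com')
```

Run the first function against every DC on a schedule and treat anything other than `PolicyErrors = None` with a comfortable `DaysLeft` as a ticket; that is the "don't let them expire" check from the post in executable form. The second function is deliberately split into two connections so that a failure on the LDAPS path (bad cert, 636 not listening) and a failure on the SASL path (Kerberos, signing policy) can be told apart.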