14

I am trying to resolve a problem whereby trying to set a user's password over LDAP is failing because of an access-denied error, even though I am authenticating against the AD with an admin user.

An answer found on Stack Overflow says that either I have to run the IIS user as the admin user (which does work) or I should connect to LDAP via SSL. I can't go with the first option because I am using Elastic Beanstalk, which will create and terminate instances, so I can't change/set the user that IIS will be running as. So I am trying to use the LDAP over SSL idea. My question is: does that still require that the client itself also have a certificate installed in order to establish trust with the domain controller? Or does this work just by installing a cert on the domain controller and allowing the connection over SSL? If it requires a certificate on the client, then I have the same problem, as I can't install anything on the client server other than the deployed app, since Beanstalk is going to recreate and terminate that instance at will.

So does LDAPS require a cert on the client? Is there a better way to solve my problem given the infrastructure I am using?

Gotts
  • 2,274
  • 3
  • 23
  • 32

4 Answers

7

So does LDAPS require a cert on the client?

No, LDAPS does not require a client certificate. A domain controller certificate is sufficient to utilize LDAPS. More details about LDAPS and certificate requirements: LDAP over SSL (LDAPS) Certificate

trying to set a users password over LDAP is failing because of an access denied error

There might be over 9000 reasons why you receive this message. You need to check whether you are successfully authenticated on the DC; if yes, check whether you have permissions and privileges (especially if UAC is enabled). I would set up audit policies (on failed user password changes) and check the Security event log to figure out what is going wrong.

Crypt32
  • 12,850
  • 2
  • 41
  • 70
  • Ok, thank you for clarifying. I am going to try and get the certificate working. I am using self-signed and was having issues. And then will test it. I am pretty sure the error I am getting is because of the above, because when I run IIS as a domain admin user then it works fine – Gotts Nov 26 '14 at 15:01
  • By the way, is it still true that you don't need a cert on the client even when using a self-signed cert on the domain controller? – Gotts Nov 26 '14 at 15:48
  • If you have an internal CA, I would like to suggest using the CA to issue the LDAPS certificate. And yes, LDAPS does not use client certificates. – Crypt32 Nov 26 '14 at 16:48
  • I installed the CA server on the domain controller, which automatically installed the certificate and enabled LDAPS. Verified that was working using LDP. I then tried connecting to the AD from a different server and it failed. Only worked once I installed a certificate in the trusted publishers store of the client. So I am once again stuck. Is there some way to configure the LDAPS so that it doesn't need the client cert? – Gotts Nov 28 '14 at 14:01
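An added example (not code from anyone in this thread) of what the accepted answer means in practice: a .NET System.DirectoryServices.Protocols client, driven from PowerShell, binds over LDAPS without presenting any client certificate, validates the DC's certificate against the client's trusted roots, and then performs the unicodePwd replace that the original question's password set needs an encrypted channel for. The host name dc01.corp.example, the service account and the target DN are placeholders.

```powershell
# Added example, not from this thread. Placeholders assumed: dc01.corp.example,
# the service credential, and the target user's DN. The client presents no
# certificate; it only needs to trust the CA that issued the DC's certificate.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Connect-Ldaps {
    param([string]$Server, [pscredential]$Credential)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
        $id, $Credential.GetNetworkCredential(),
        [System.DirectoryServices.Protocols.AuthType]::Negotiate)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS on 636, not StartTLS
    # Validate the DC certificate against the machine's trusted roots. A callback
    # that simply returns $true is the Windows equivalent of "TLS_REQCERT never".
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        return $chain.Build([System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate)
    }
    $conn.Bind()      # throws LdapException if TLS setup or authentication fails
    return $conn
}

function Reset-LdapPassword {
    param($Connection, [string]$UserDn, [securestring]$NewPassword)
    # AD only accepts unicodePwd over an encrypted channel: the value is the new
    # password wrapped in double quotes and encoded as UTF-16LE. A single Replace
    # is an administrative reset (the caller needs "Reset password" on the object).
    $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
    $bytes = [System.Text.Encoding]::Unicode.GetBytes('"' + $plain + '"')
    $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
    $mod.Name = 'unicodePwd'
    $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace
    [void]$mod.Add($bytes)
    $req  = New-Object System.DirectoryServices.Protocols.ModifyRequest($UserDn, $mod)
    $resp = $Connection.SendRequest($req)
    return $resp.ResultCode   # 'Success' when the DC accepted the new password
}

$cred = Get-Credential 'CORP\svc-pwreset'
$conn = Connect-Ldaps -Server 'dc01.corp.example' -Credential $cred
$new  = Read-Host -AsSecureString 'New password'
Reset-LdapPassword -Connection $conn -UserDn 'CN=Jane Doe,OU=Users,DC=corp,DC=example' -NewPassword $new
$conn.Dispose()
```

If the bind fails with a certificate error, the fix belongs on the client's trust store (import the issuing CA), not in the callback; a client certificate is never loaded anywhere in this flow.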
3

No.

For OpenLDAP, I achieved this by adding this line to ldap.conf. But be aware that when you do that, your connections will be open to attacks like man-in-the-middle or others.

TLS_REQCERT never

ibrahim
  • 3,254
  • 7
  • 42
  • 56
3

This is what I found using a trial-and-error approach: actually, the LDAPS server always asks for a client certificate. You can verify that by turning on the SCHANNEL log and observing the following message:

If there is no client authentication certificate, then the LDAPS connection still succeeds, i.e. no client authentication certificate is required indeed. But if you have some invalid client authentication certificate (in my case it was an expired cert installed long ago by a third-party app), the connection will fail without any error or warning in the SCHANNEL log on the client side. It took me a while to figure this out.

Slava
  • 1,065
  • 5
  • 11
  • Appreciate the question and answer here. I was worried about having to set up auto-enrollment and such for client certs. The point is, only the DCs need to enroll for certs and trust the root CA, and LDAPS is supported from then on as long as authentication succeeds. – Bitcoin Murderous Maniac Mar 05 '20 at 01:44
0

Yes, of course your client needs a certificate to allow LDAPS communication between it and the server.

According to windowsitpro.com:

"As an option, you can use LDAPS for client authentication -- but doing so requires that you also install a client authentication certificate on each of your clients."

Matt
  • 74,352
  • 26
  • 153
  • 180
3KFX
  • 19
  • 1
    *As an option.* It's not required. It's a poorly worded sentence. What he's trying to say is that you can configure AD to ask for a client certificate, which will be sufficient to authenticate the client without requiring further credentials. – user207421 Jun 28 '15 at 05:21