Forum.Brain-Cluster.com: Brain Cluster Technical Forum

Connect AD Server 636 to access LDAP SSL [message #159932] Wed, 12 August 2009 17:09
napoleao (United States)
Hello,

After a lot of research I was able to connect to AD on Windows 2008 on
port 636, but I saw that only machines inside the domain can access it;
for all machines outside the domain the port is closed.

It's annoying: we can access AD LDAP 636 SSL through LDP when we are on the
server where AD is running or on any machine inside the domain,
but when a machine is outside the domain that port is blocked or not
available.

I was able to generate the certificate and install it on the client
machine using keytool and storing it there.
I'm working with JNDI, and the same code to access LDAP through 636
SSL works fine inside the domain, but outside the domain it's the annoying
"port not found".

Can anyone help me on how to configure 636 for outside the domain as well?
This would really help me.

Thank you

Napoleão


Re: Connect AD Server 636 to access LDAP SSL [message #159945 is a reply to message #159932] Wed, 12 August 2009 23:16
meiweb(nospam) (Germany)
Hello napoleao,

By default, 2008 has the firewall enabled. So check the following docs about the needed
ports to open:
http://support.microsoft.com/kb/179442/

http://support.microsoft.com/kb/555381

http://technet.microsoft.com/en-us/library/bb727063.aspx

http://technet.microsoft.com/en-us/library/bb125069(EXCHG.65).aspx

Best regards

Meinolf Weber
Re: Connect AD Server 636 to access LDAP SSL [message #159973 is a reply to message #159932] Fri, 14 August 2009 04:04
napoleao (United States)
I tried disabling the firewall and still couldn't connect; only computers
inside the domain were able to reach that port.

I created a new rule for all connections on port 636; the same thing happened.

I deleted all rules and created a new one allowing all ports and all IPs
in the firewall on all profiles (public, private, domain) and still wasn't
able to connect.

grr

I'm able to connect to port 389 with no problems. The only difference
between that port and 636 is that 636 is SSL-encrypted. Why I'm not able to
connect to this port is annoying as hell; I tried turning off the firewall,
creating rules to allow all communications, and still no success.

The information on the Microsoft website is not ... specific, and so vast ...

Is there a policy on Windows 2008 that disables communications from
computers outside the domain to port 636?

This is a log from TCPView.

I'm able to see 389 but not 636,
but I'm able to connect to this port from any machine in the domain.

Outside the domain I get:

ld = ldap_sslinit("kraken.org", 636, 1);
Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
LDAP_VERSION3);
Error <0x51> = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to kraken.org.

System:4 TCPV6 [0:0:0:0:0:0:0:0]:80 [0:0:0:0:0:0:0:0]:0 LISTENING
svchost.exe:888 TCPV6 [0:0:0:0:0:0:0:1]:135 [0:0:0:0:0:0:0:1]:51521 ESTABLISHED
lsass.exe:604 TCPV6 [0:0:0:0:0:0:0:1]:49156 [0:0:0:0:0:0:0:1]:53484 ESTABLISHED
lsass.exe:604 TCPV6 [0:0:0:0:0:0:0:1]:49156 [0:0:0:0:0:0:0:1]:51522 ESTABLISHED
lsass.exe:604 TCPV6 [0:0:0:0:0:0:0:1]:49156 [0:0:0:0:0:0:0:1]:49283 ESTABLISHED
lsass.exe:604 TCPV6 [0:0:0:0:0:0:0:1]:49156 [0:0:0:0:0:0:0:1]:49209 ESTABLISHED
lsass.exe:604 TCPV6 [0:0:0:0:0:0:0:1]:49156 [0:0:0:0:0:0:0:1]:49187 ESTABLISHED
ntfrs.exe:312 TCPV6 [0:0:0:0:0:0:0:1]:49187 [0:0:0:0:0:0:0:1]:49156 ESTABLISHED
dfssvc.exe:2084 TCPV6 [0:0:0:0:0:0:0:1]:49209 [0:0:0:0:0:0:0:1]:49156 ESTABLISHED
dfsrs.exe:1928 TCPV6 [0:0:0:0:0:0:0:1]:49283 [0:0:0:0:0:0:0:1]:49156 ESTABLISHED
[System Process]:0 TCPV6 [0:0:0:0:0:0:0:1]:51516 [0:0:0:0:0:0:0:1]:135 TIME_WAIT
lsass.exe:604 TCPV6 [0:0:0:0:0:0:0:1]:51521 [0:0:0:0:0:0:0:1]:135 ESTABLISHED
lsass.exe:604 TCPV6 [0:0:0:0:0:0:0:1]:51522 [0:0:0:0:0:0:0:1]:49156 ESTABLISHED
lsass.exe:604 TCPV6 [0:0:0:0:0:0:0:1]:53484 [0:0:0:0:0:0:0:1]:49156 ESTABLISHED
svchost.exe:1124 UDPV6 dc.kraken.org:123 *:*
svchost.exe:888 TCPV6 dc.kraken.org:135 dc.kraken.org:0 LISTENING
svchost.exe:1244 TCPV6 dc.kraken.org:3389 dc.kraken.org:0 LISTENING
lsass.exe:604 UDP dc.kraken.org:389 *:*
System:4 TCPV6 dc.kraken.org:445 dc.kraken.org:0 LISTENING
lsass.exe:604 TCPV6 dc.kraken.org:464 dc.kraken.org:0 LISTENING
wininit.exe:516 TCPV6 dc.kraken.org:49152 dc.kraken.org:0 LISTENING
svchost.exe:968 TCPV6 dc.kraken.org:49153 dc.kraken.org:0 LISTENING
svchost.exe:1020 TCPV6 dc.kraken.org:49154 dc.kraken.org:0 LISTENING
lsass.exe:604 TCP dc.kraken.org:49156 krakenclient.kraken.org:1043 ESTABLISHED
lsass.exe:604 TCPV6 dc.kraken.org:49156 dc.kraken.org:0 LISTENING
lsass.exe:604 TCPV6 dc.kraken.org:49157 dc.kraken.org:0 LISTENING
lsass.exe:604 TCPV6 dc.kraken.org:49158 dc.kraken.org:0 LISTENING
ntfrs.exe:312 TCPV6 dc.kraken.org:49183 dc.kraken.org:0 LISTENING
ntfrs.exe:312 TCP dc.kraken.org:49185 dc.kraken.org:ldap ESTABLISHED
services.exe:592 TCPV6 dc.kraken.org:49202 dc.kraken.org:0 LISTENING
certsrv.exe:1844 TCPV6 dc.kraken.org:49256 dc.kraken.org:0 LISTENING
dfsrs.exe:1928 TCP dc.kraken.org:49281 dc.kraken.org:ldap ESTABLISHED
dfsrs.exe:1928 TCP dc.kraken.org:49285 dc.kraken.org:ldap ESTABLISHED
svchost.exe:1020 UDPV6 dc.kraken.org:500 *:*
svchost.exe:1448 TCPV6 dc.kraken.org:56613 dc.kraken.org:0 LISTENING
svchost.exe:888 TCPV6 dc.kraken.org:593 dc.kraken.org:0 LISTENING
lsass.exe:604 TCPV6 dc.kraken.org:88 dc.kraken.org:0 LISTENING
lsass.exe:604 UDP dc.kraken.org:kerberos *:*
lsass.exe:604 UDP dc.kraken.org:kpasswd *:*
lsass.exe:604 TCP dc.kraken.org:ldap dc.kraken.org:49281 ESTABLISHED
lsass.exe:604 TCP dc.kraken.org:ldap dc.kraken.org:49185 ESTABLISHED
lsass.exe:604 TCP dc.kraken.org:ldap dc.kraken.org:49285 ESTABLISHED
System:4 UDP dc.kraken.org:netbios-dgm *:*
System:4 UDP dc.kraken.org:netbios-ns *:*
System:4 TCP dc.kraken.org:netbios-ssn dc:0 LISTENING
wininit.exe:516 TCP dc:49152 dc:0 LISTENING
svchost.exe:968 TCP dc:49153 dc:0 LISTENING
svchost.exe:1020 TCP dc:49154 dc:0 LISTENING
lsass.exe:604 TCP dc:49156 dc:0 LISTENING
lsass.exe:604 TCP dc:49157 dc:0 LISTENING
lsass.exe:604 TCP dc:49158 dc:0 LISTENING
ismserv.exe:2012 TCP dc:49176 localhost:ldap ESTABLISHED
ismserv.exe:2012 TCP dc:49180 localhost:ldap ESTABLISHED
ntfrs.exe:312 TCP dc:49183 dc:0 LISTENING
services.exe:592 TCP dc:49202 dc:0 LISTENING
certsrv.exe:1844 TCP dc:49220 localhost:ldap ESTABLISHED
certsrv.exe:1844 TCP dc:49256 dc:0 LISTENING
certsrv.exe:1844 UDP dc:49437 *:*
ismserv.exe:2012 UDP dc:50296 *:*
svchost.exe:1244 UDP dc:51943 *:*
svchost.exe:1008 UDP dc:51945 *:*
dfssvc.exe:2084 UDP dc:51946 *:*
taskeng.exe:1556 UDP dc:54090 *:*
dfsrs.exe:1928 UDP dc:54091 *:*
svchost.exe:1448 TCP dc:56613 dc:0 LISTENING
lsass.exe:604 UDP dc:57459 *:*
ntfrs.exe:312 UDP dc:64450 *:*
svchost.exe:888 TCP dc:epmap dc:0 LISTENING
System:4 TCP dc:http dc:0 LISTENING
svchost.exe:888 TCP dc:http-rpc-epmap dc:0 LISTENING
svchost.exe:1020 UDP dc:ipsec-msft *:*
svchost.exe:1020 UDP dc:isakmp *:*
lsass.exe:604 TCP dc:kerberos dc:0 LISTENING
lsass.exe:604 TCP dc:kpasswd dc:0 LISTENING
lsass.exe:604 TCP dc:ldap dc:0 LISTENING
lsass.exe:604 TCP dc:ldap localhost:49220 ESTABLISHED
lsass.exe:604 TCP dc:ldap localhost:49180 ESTABLISHED
lsass.exe:604 TCP dc:ldap localhost:49176 ESTABLISHED
lsass.exe:604 TCP dc:ldaps dc:0 LISTENING
svchost.exe:1244 UDP dc:llmnr *:*
System:4 TCP dc:microsoft-ds dc:0 LISTENING
svchost.exe:1244 TCP dc:ms-wbt-server dc:0 LISTENING
lsass.exe:604 TCP dc:msft-gc dc:0 LISTENING
lsass.exe:604 TCP dc:msft-gc-ssl dc:0 LISTENING
svchost.exe:1124 UDP dc:ntp *:*


Thank you


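A note on reading the TCPView output above: the line `lsass.exe:604 TCP dc:ldaps dc:0 LISTENING` shows that the DC is in fact listening on 636 (TCPView prints the service name `ldaps` instead of the port number), so the port itself is open; error 0x51 is LDAP_SERVER_DOWN, which is what `ldap_connect` returns when the SSL session cannot be established, including when the client rejects the server certificate. The script below is an added example, not part of the thread: it parses a TCPView/netstat-style listing, translates the service names back to port numbers, and reports which directory-service ports are actually bound and by which process. The sample listing is a constructed excerpt in the same format as the output posted above; the service-name table covers only the AD ports a triage usually cares about.

```python
"""Triage a TCPView-style listing for Active Directory listeners (added example)."""
import re
from collections import defaultdict

# Service names TCPView substitutes for well-known AD ports (subset, assumed sufficient here).
SERVICE_PORTS = {
    "epmap": 135, "kerberos": 88, "ldap": 389, "kpasswd": 464,
    "microsoft-ds": 445, "ldaps": 636, "msft-gc": 3268, "msft-gc-ssl": 3269,
}

# process:pid  proto  local  remote  [state]   (UDP rows carry no state column)
LINE_RE = re.compile(
    r"^(?P<proc>\S+):(?P<pid>\d+)\s+(?P<proto>TCPV6|TCP|UDPV6|UDP)\s+"
    r"(?P<local>\S+)\s+(?P<remote>\S+)(?:\s+(?P<state>\S+))?$"
)

# Constructed sample in the format of the TCPView output posted in the thread.
SAMPLE = """\
lsass.exe:604 UDP dc.kraken.org:389 *:*
lsass.exe:604 TCP dc.kraken.org:49156 krakenclient.kraken.org:1043 ESTABLISHED
System:4 TCPV6 [0:0:0:0:0:0:0:0]:80 [0:0:0:0:0:0:0:0]:0 LISTENING
lsass.exe:604 TCP dc:ldap dc:0 LISTENING
lsass.exe:604 TCP dc:ldap localhost:49220 ESTABLISHED
lsass.exe:604 TCP dc:ldaps dc:0 LISTENING
lsass.exe:604 TCP dc:msft-gc dc:0 LISTENING
lsass.exe:604 TCP dc:msft-gc-ssl dc:0 LISTENING
svchost.exe:1244 TCP dc:ms-wbt-server dc:0 LISTENING
"""


def split_endpoint(endpoint):
    """Split 'host:port' (host may be a bracketed IPv6 literal) into (host, port).

    Numeric ports become ints; known service names are mapped to their port;
    anything else (e.g. 'ms-wbt-server', '*') is returned unchanged.
    """
    host, _, port = endpoint.rpartition(":")
    if port.isdigit():
        return host, int(port)
    return host, SERVICE_PORTS.get(port, port)


def parse_listing(text):
    """Return one dict per parsable row; wrapped or header rows are skipped."""
    rows = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        row = m.groupdict()
        row["pid"] = int(row["pid"])
        row["lhost"], row["lport"] = split_endpoint(row["local"])
        rows.append(row)
    return rows


def listeners(text):
    """Map local port -> set of (proto, 'process:pid') that are bound on it.

    TCP rows count only in LISTENING state; UDP rows have no state and are
    always bound. ESTABLISHED/TIME_WAIT rows are connections, not listeners.
    """
    bound = defaultdict(set)
    for r in parse_listing(text):
        is_udp = r["proto"].startswith("UDP")
        if r["state"] == "LISTENING" or (is_udp and r["state"] is None):
            bound[r["lport"]].add((r["proto"], f'{r["proc"]}:{r["pid"]}'))
    return dict(bound)


def ldaps_is_listening(text):
    """True if something is bound on TCP/636 in the listing."""
    return any(proto.startswith("TCP") for proto, _ in listeners(text).get(636, ()))


def ldap_report(text):
    """One line per bound AD port, lowest port first, for a quick triage read."""
    bound = listeners(text)
    lines = []
    for name, port in sorted(SERVICE_PORTS.items(), key=lambda kv: kv[1]):
        if port in bound:
            who = ", ".join(sorted(f"{proto} {proc}" for proto, proc in bound[port]))
            lines.append(f"{port:>5} ({name}): {who}")
    return lines


if __name__ == "__main__":
    print("\n".join(ldap_report(SAMPLE)))
    print("LDAPS listening:", ldaps_is_listening(SAMPLE))
```

If `ldaps_is_listening` is true and a client still fails with 0x51, look at the TLS layer next (the certificate chain the DC presents and whether the client trusts it and can match the name it connected to) rather than at the firewall.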
Re: Connect AD Server 636 to access LDAP SSL [message #159975 is a reply to message #159945] Fri, 14 August 2009 04:47
napoleao (United States)
OK, the problem is not accessing the port,
because I was able to install the cert in the Java keystore and was
able to connect from a machine outside the domain.

The problem is with the Windows certificate ... it is not installing it
correctly
because the machine is not inside the domain, and when LDP.exe connects,
the SSL connection goes to the Windows certificates, and the server certificate
hangs on machines outside the domain.

Something about the server not being an authority that is allowed to be trusted,
and a certificate having to be installed among the trusted authorities
.... I'm a bit lost here; I know only a bit about this ...

I was able to install a certificate on the client machine in the
trusted authorities directory.
But LDP.exe still can't connect to 636 of the AD from an outside
machine.

But I'm able to go through Java using the cert in the keystore and
connect from a machine outside the domain.

And sorry for the mess in the other post :-S

Thank you


Re: Connect AD Server 636 to access LDAP SSL [message #159981 is a reply to message #159975] Fri, 14 August 2009 08:05
aceman (United States)
"napoleao" <napoleao.3wwojb@DoNotSpam.com> wrote in message
news:napoleao.3wwojb@DoNotSpam.com...
Hello napoleao,

Is your firewall a NAT? If so, it won't work.

If not, you would probably have to open up other ports for AD
communications. There are about 29 ports plus the service response ports
(UDP 1024 and above).

--
Ace

Re: Connect AD Server 636 to access LDAP SSL [message #160004 is a reply to message #159975] Fri, 14 August 2009 16:26
meiweb(nospam) (Germany)
Hello napoleao,

"Outside domain machine" means NOT a domain member? Then you have to enable
anonymous LDAP connections, which are disabled by default. Check this way:
http://technet.microsoft.com/de-de/library/cc816788(WS.10).aspx

Take care of the 7th character in the value.

Best regards

Meinolf Weber
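The dsHeuristics edit referred to above is easy to get wrong by hand: the attribute is a positional string, the 7th character set to `2` enables anonymous LDAP operations, characters left of the one you set are padded with `0`, and every 10th character (10th, 20th, ...) is a position marker that must equal its index divided by 10. The function below is an added example, not code from the thread or from Microsoft; it computes the new value from the current one and refuses inputs that would corrupt the markers. Writing the value back to `CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,<forest DN>` (with ADSI Edit, ldifde or Set-ADObject) is deliberately not done here. One caveat before flipping this: anonymous LDAP opens the directory to every client that can reach 389/636, whereas a non-member machine that only needs to read the directory can simply bind over LDAPS with an explicit domain account, which requires no dsHeuristics change at all.

```python
"""Compute a dsHeuristics value that toggles anonymous LDAP operations (added example)."""

ANON_LDAP_POS = 7  # 7th character: '2' enables anonymous LDAP operations


def set_heuristic(current, position, value):
    """Return `current` (may be None/empty) with the 1-based `position` set to `value`.

    Pads with '0' up to `position` if the string is shorter, then enforces the
    marker rule: the 10th character must be '1', the 20th '2', and so on.
    Raises ValueError for a marker position or a conflicting existing marker.
    """
    if position < 1 or position % 10 == 0:
        raise ValueError("position must be >= 1 and not a marker position (10, 20, ...)")
    if len(value) != 1 or not value.isalnum():
        raise ValueError("value must be a single alphanumeric character")

    chars = list(current or "")
    if len(chars) < position:
        chars.extend("0" * (position - len(chars)))
    chars[position - 1] = value

    # Every 10th character within the resulting string is a position marker.
    for i in range(10, len(chars) + 1, 10):
        marker = str(i // 10)
        if chars[i - 1] not in ("0", marker):
            raise ValueError(f"character {i} must be {marker!r}, found {chars[i - 1]!r}")
        chars[i - 1] = marker
    return "".join(chars)


def enable_anonymous_ldap(current):
    """dsHeuristics with anonymous LDAP operations enabled (7th character = '2')."""
    return set_heuristic(current, ANON_LDAP_POS, "2")


def disable_anonymous_ldap(current):
    """dsHeuristics with the 7th character reset to '0' (the default, disabled)."""
    return set_heuristic(current, ANON_LDAP_POS, "0")


def anonymous_ldap_enabled(current):
    """True only if the value is at least 7 characters long and the 7th is '2'."""
    current = current or ""
    return len(current) >= ANON_LDAP_POS and current[ANON_LDAP_POS - 1] == "2"


if __name__ == "__main__":
    # Constructed example values: an empty attribute and one that already has
    # characters 10 and 20 set (the documented marker layout).
    for before in ("", "000000000100000000020002"):
        after = enable_anonymous_ldap(before)
        print(f"{before!r:>28} -> {after!r}  anonymous={anonymous_ldap_enabled(after)}")
```

Verify the result before and after with a plain read of the attribute; if the current value is longer than 7 characters, diff it character by character against what the function returns rather than retyping the whole string.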
Re: Connect AD Server 636 to access LDAP SSL [message #160006 is a reply to message #160004] Fri, 14 August 2009 19:14
aceman (United States)
"Meinolf Weber [MVP-DS]" <meiweb(nospam)@gmx.de> wrote in message
news:ff16fb662d5438cbeb5622010206@msnews.microsoft.com...
> Hello napoleao,
>
> "Outside domain machine" means NOT a domain member? Then you have to enable
> anonymous LDAP connections, which are disabled by default. Check this way:
> http://technet.microsoft.com/de-de/library/cc816788(WS.10).aspx
>
> Take care of the 7th character in the Value.
>


Ahh, good point, and good catch!! I forgot about that. :-)

Cheers!!

Ace