Professional Documents
Culture Documents
Purpose
The main objective of the document is to guide users through common scenarios where
insecure LDAP (LDAP over port 389) is used to communicate with Active Directory (AD), how it
could be migrated to secure LDAP (LDAP over SSL or LDAPS), as well as implementing LDAPS
Channel Binding.
Printer
Linux only
MAC Device
Page 1 of 11
Core Services Engineering and Operations (CSEO) | Digital Security and Risk Engineering (DSRE)
In some scenarios, migrating the insecure LDAP traffic to use LDAPS instead is simple, like
updating the port to 636, using LDAPS in the connection string, or perhaps updating an
application configuration.
For any client machines which are domain joined to any of the Corp domains (Africa, Europe,
Fareast, MiddleEast, NorthAmerica, Redmond, SouthAmerica, and SouthPacific), the
certificates are automatically populated in the appropriate certificate stores on the client
machine through a group policy.
If the client machine is not domain joined to any of the Corp domains, the following
certificates may need to be downloaded and imported into the Intermediate Certificate
Authority and Trusted Root Authority certificate stores.
Follow the steps below to download and install the certificates on a Windows device:
1. Click on the links below to download the MS trusted certificates for preparing for
import on the client machine(s).
• Microsoft Internal Corporate Root CA certificate:
http://corppki/aia/msintcrca.crt
• Microsoft Internal Intermediate Certificate Authority Certificates:
http://corppki/aia/MSIT%20CA%20Z1(1).crt
http://corppki/aia/MSIT%20CA%20Z2(1).crt
http://corppki/aia/MSIT%20CA%20Z3(1).crt
http://corppki/aia/MSIT%20CA%20Z4(1).crt
Page 2 of 11
Core Services Engineering and Operations (CSEO) | Digital Security and Risk Engineering (DSRE)
2. When you click on the above links, a popup will show to save the certificate to a
location on the client machine, like below.
Page 3 of 11
Core Services Engineering and Operations (CSEO) | Digital Security and Risk Engineering (DSRE)
3. Once the certificate is saved to a location, right-click on the certificate file and select on
Install Certificate on the client machine(s).
5. If you receive a User Account Control prompt, select “Yes”. If not, continue to next step.
Page 4 of 11
Core Services Engineering and Operations (CSEO) | Digital Security and Risk Engineering (DSRE)
6. On the next screen, leave the default selection “Automatically select the certificate store
based on the type of the certificate” and select “Next”.
7. Select “Finish”.
Page 5 of 11
Core Services Engineering and Operations (CSEO) | Digital Security and Risk Engineering (DSRE)
The above snapshots for installing the certificates are only valid for Windows client machines.
In some cases, these certificates may need to be imported to an application, printer, network
device, etc., and the steps may be different in such cases. For non-Windows devices, please
refer to guidance from the vendor or manufacturer to enable LDAPS.
Please go through the following steps to verify if the Trusted and Intermediate certificates are
in the appropriate stores
Page 6 of 11
Core Services Engineering and Operations (CSEO) | Digital Security and Risk Engineering (DSRE)
Page 7 of 11
Core Services Engineering and Operations (CSEO) | Digital Security and Risk Engineering (DSRE)
3. Select “SHA1 Hash” from the “Look in Field” drop-down and copy/paste the thumbprint
of the root certificate and click on “Find Now”. Root certificate needs to be in “Trusted
Root Certification Authorities” store
4. Similarly, copy/paste the thumbprints for all the intermediate certificates from the
above table and click on “Find Now”. This will help verify if the certificates are in
“Intermediate Certification Authorities” store
Note: The above steps are valid for certificates verification on a windows client machine. For
non-windows client machines, the certificates need to be downloaded and configured on the
client machine
In this scenario, a service account is running a stored procedure on a SQL server, which
connects to AD to enumerate group membership using a LDAP connection string. For
example, “LDAP://<domainFQDN>:389” is embedded in the stored procedure.
Page 8 of 11
Core Services Engineering and Operations (CSEO) | Digital Security and Risk Engineering (DSRE)
To migrate this over to LDAP over SSL, update the LDAP connection string to be LDAPS
instead, which makes the connection string look like “LDAPS://<domainFQDN>” or
LDAP://<domainFQDN>:636.
Once the changes are made, validate the execution of the stored procedure. If there are
any errors identified for missing certificates, please go through the section for
certificate installation and make sure that the intermediate and root certificates are all
available in the appropriate certificate stores and try the execution again.
To migrate this over to LDAPS, update the connection string look like
“LDAPS://<domainFQDN>:636”.
Make sure that the intermediate and root certificate authority certificates are
downloaded by going through section for certificate installation and place them in the
Java key store on the client machines. For additional information on importing
certificates to a Java key store, refer to this article.
Make sure that the intermediate and root certificate authority certificates are
downloaded by going through section for certificate installation and configure them on
the printer.
Page 9 of 11
Core Services Engineering and Operations (CSEO) | Digital Security and Risk Engineering (DSRE)
In this scenario, a Linux machine running Ubuntu 18.04.2 is configured with LDAP to
authenticate a user by connecting to AD
The link below describes how to preform those steps. Please follow steps 3,4,5
described in the link below.
https://support.cloudbees.com/hc/en-us/articles/235472808-Active-Directory-AD-
Plugin-secure-AD-integration
https://support.cloudbees.com/hc/en-us/articles/203821254-How-to-install-a-new-SSL-
certificate
https://support.cloudbees.com/hc/en-us/articles/209715698-How-to-add-Java-
arguments-to-JenkinsonAndCustomization
Note: While the above scenario lists the steps for Ubuntu 18.04.2, the same steps might
work for other versions of Linux as well.
To use LDAPS, you need to change the port and the flags to ldapsearch, as well as
putting this in the client ldap config file:
TLS_CACERT /etc/openldap/cacerts/msitcacert.cer
Page 10 of 11
Core Services Engineering and Operations (CSEO) | Digital Security and Risk Engineering (DSRE)
SASL_SECPROPS minssf=0,maxssf=0
ldaps://<domainFQDN>:636
Note: You may need to import “Microsoft Internal Corporate Root CA certificate” -
http://corppki/aia/msintcrca.crt in your Windows system and then export it as base64
2. When prompted, enter the password for the logged in account to save the
configuration.
3. Verify if the certificate “Microsoft Internal Corporate Root” is under System in Key
Chain. If the certificate is not available under System in Key Chain, please use this
link to download the certificate and drag/drop it under System and trust the
certificate.
4. To trust the certificate, double-click the certificate, Expand Trust and then select
“Always Trust” for “When using this certificate”
LDAP Channel Binding adds an additional layer of security for all LDAP/SSL traffic by binding
the secure channel at the network layer to authentication at the higher layer. More
information on LDAP Channel Binding can be found at this article.
In the above support article, there is guidance for Windows client machines to install a specific
KB to provide ChannelBindingToken (CBT) information to the domain controllers. For non-
Windows clients, please refer to guidance from the vendor or manufacturer to enable LDAP
Channel Binding.
Page 11 of 11