About 5-6 years ago I set up LDAPS on my primary domain controller. I set up Active Directory Certificate Services (all on the same server), forwarded port 636 on the firewall, and was able to authenticate with a third party successfully using it. Last week I decommissioned that server, removed all the roles, and built a new primary and secondary domain controller (Server 2016). After doing some reading, I decided to make the secondary domain controller my ADCS server and have it handle LDAPS. My secondary domain controller's FQDN is dc02.domain.com. The external address I use to connect is ds.domain.com:636. This has worked for years without issue.
I specifically remember using this tutorial to set up LDAPS the first time (and also this tutorial to set up ADCS, which I did as well). So on the new secondary domain controller I tried to follow those steps exactly. Everything seemed to work (I can use ldp.exe and get a success message), and I can see the certificate for LDAPS. I updated the firewall port forward to the new server, but when I try to test with the third party (Barracuda Essentials) I get the error: Could not bind privileged user: Ldap Error Code=-1 - Can't contact LDAP server
I tested the forwarded port and it works. After troubleshooting and running the command openssl s_client -connect dc02.domain.com:636
I realized it was still referencing the old CA. So I tried cleaning out the old CA root certificate and personal certificates and reissuing a new certificate. After doing that and running the openssl command again, I still get the error and cannot connect from the third party. The command's output highlights the following:
CONNECTED(000001BC)
depth=0 CN = DC02.domain.com
verify error:num=20:unable to get local issuer certificate
verify return:1
depth=0 CN = DC02.domain.com
verify error:num=21:unable to verify the first certificate
verify return:1
depth=0 CN = DC02.domain.com
verify return:1
---
Certificate chain
0 s:CN = DC02.domain.com
i:DC = com, DC = domain, CN = domain-DC01-CA
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Aug 14 23:52:24 2023 GMT; NotAfter: Aug 13 23:52:24 2024 GMT
---
Server certificate
-----BEGIN CERTIFICATE-----
xxxxxx
-----END CERTIFICATE-----
subject=
issuer=DC = com, DC = domain, CN = domain-DC01-CA <--NOTE this is my old CA>
---
No client certificate CA names sent
Client Certificate Types: RSA sign, DSA sign, ECDSA sign
Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:RSA+SHA1:ECDSA+SHA256:ECDSA+SHA384:ECDSA+SHA1:DSA+SHA1:RSA+SHA512:ECDSA+SHA512
Shared Requested Signature Algorithms: RSA+SHA256:RSA+SHA384:ECDSA+SHA256:ECDSA+SHA384:RSA+SHA512:ECDSA+SHA512
Peer signing digest: SHA256
Peer signature type: RSA
Server Temp Key: X25519, 253 bits
---
SSL handshake has read 2069 bytes and written 438 bytes
Verification error: unable to verify the first certificate
Note the reference to my old CA after END CERT. The old CA isn't even powered on. I removed the ADCS and NPS roles (NPS is probably unrelated) and shut it down temporarily to make sure my Active Directory environment is running and replicating with my 2 new domain controllers (everything is fine so far). I noticed the old CA root certificate and the old certificates are still present on DC02, but I'm not sure whether I should delete them. I also tried requesting a new certificate using an LDAP template I made (from the Kerberos template) and manually assigning the certificate to the ldaps service using the registry. I have since reverted those registry changes.
I am by no means a CA or LDAP expert, and this is driving me crazy. At this point I have removed the CA role from DC02 and plan to re-add it, but I want to make sure I'm on the right path. What am I missing? Should I be using a different approach?
Edit: adding ldp.exe output. When I run this on the CA, I get:
-----------
0x51 = ldap_unbind(ld);
ld = ldap_sslinit("dc02.domain.com", 636, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 256 bits
Established connection to dc02.domain.com.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
configurationNamingContext: CN=Configuration,DC=domain,DC=com;
currentTime: 8/15/2023 5:01:50 PM Central Daylight Time;
defaultNamingContext: DC=domain,DC=com;
dnsHostName: DC02.domain.com;
domainControllerFunctionality: 7 = ( WIN2016 );
domainFunctionality: 7 = ( WIN2016 );
dsServiceName: CN=NTDS Settings,CN=DC02,CN=Servers,CN=Domain,CN=Sites,CN=Configuration,DC=domain,DC=com;
forestFunctionality: 7 = ( WIN2016 );
highestCommittedUSN: 86626;
isGlobalCatalogReady: TRUE;
isSynchronized: TRUE;
ldapServiceName: domain.com:[email protected];
namingContexts (5): DC=domain,DC=com; CN=Configuration,DC=domain,DC=com; CN=Schema,CN=Configuration,DC=domain,DC=com; DC=DomainDnsZones,DC=domain,DC=com; DC=ForestDnsZones,DC=domain,DC=com;
rootDomainNamingContext: DC=domain,DC=com;
schemaNamingContext: CN=Schema,CN=Configuration,DC=domain,DC=com;
serverName: CN=DC02,CN=Servers,CN=Domain,CN=Sites,CN=Configuration,DC=domain,DC=com;
subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=domain,DC=com;
supportedCapabilities (6): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY ); 1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = ( ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 ); 1.2.840.113556.1.4.2080 = ( ACTIVE_DIRECTORY_V61_R2 ); 1.2.840.113556.1.4.2237 = ( ACTIVE_DIRECTORY_W8 );
supportedControl (38): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = ( SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION ); 1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT ); 1.2.840.113556.1.4.841 = ( DIRSYNC ); 1.2.840.113556.1.4.529 = ( EXTENDED_DN ); 1.2.840.113556.1.4.805 = ( TREE_DELETE ); 1.2.840.113556.1.4.521 = ( CROSSDOM_MOVE_TARGET ); 1.2.840.113556.1.4.970 = ( GET_STATS ); 1.2.840.113556.1.4.1338 = ( VERIFY_NAME ); 1.2.840.113556.1.4.474 = ( RESP_SORT ); 1.2.840.113556.1.4.1339 = ( DOMAIN_SCOPE ); 1.2.840.113556.1.4.1340 = ( SEARCH_OPTIONS ); 1.2.840.113556.1.4.1413 = ( PERMISSIVE_MODIFY ); 2.16.840.1.113730.3.4.9 = ( VLVREQUEST ); 2.16.840.1.113730.3.4.10 = ( VLVRESPONSE ); 1.2.840.113556.1.4.1504 = ( ASQ ); 1.2.840.113556.1.4.1852 = ( QUOTA_CONTROL ); 1.2.840.113556.1.4.802 = ( RANGE_OPTION ); 1.2.840.113556.1.4.1907 = ( SHUTDOWN_NOTIFY ); 1.2.840.113556.1.4.1948 = ( RANGE_RETRIEVAL_NOERR ); 1.2.840.113556.1.4.1974 = ( FORCE_UPDATE ); 1.2.840.113556.1.4.1341 = ( RODC_DCPROMO ); 1.2.840.113556.1.4.2026 = ( DN_INPUT ); 1.2.840.113556.1.4.2064 = ( SHOW_RECYCLED ); 1.2.840.113556.1.4.2065 = ( SHOW_DEACTIVATED_LINK ); 1.2.840.113556.1.4.2066 = ( POLICY_HINTS_DEPRECATED ); 1.2.840.113556.1.4.2090 = ( DIRSYNC_EX ); 1.2.840.113556.1.4.2205 = ( UPDATE_STATS ); 1.2.840.113556.1.4.2204 = ( TREE_DELETE_EX ); 1.2.840.113556.1.4.2206 = ( SEARCH_HINTS ); 1.2.840.113556.1.4.2211 = ( EXPECTED_ENTRY_COUNT ); 1.2.840.113556.1.4.2239 = ( POLICY_HINTS ); 1.2.840.113556.1.4.2255; 1.2.840.113556.1.4.2256; 1.2.840.113556.1.4.2309;
supportedLDAPPolicies (20): MaxPoolThreads; MaxPercentDirSyncRequests; MaxDatagramRecv; MaxReceiveBuffer; InitRecvTimeout; MaxConnections; MaxConnIdleTime; MaxPageSize; MaxBatchReturnMessages; MaxQueryDuration; MaxDirSyncDuration; MaxTempTableSize; MaxResultSetSize; MinResultSets; MaxResultSetsPerConn; MaxNotificationPerConn; MaxValRange; MaxValRangeTransitive; ThreadMemoryLimit; SystemMemoryLimitPercent;
supportedLDAPVersion (2): 3; 2;
supportedSASLMechanisms (4): GSSAPI; GSS-SPNEGO; EXTERNAL; DIGEST-MD5;
Does this mean it succeeded?
Answer 1
Sounds like a multiple-certificates problem, as described here: https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority
Schannel, the Microsoft SSL provider, selects the first valid certificate that it finds in the local computer store. If there are multiple valid certificates available in the local computer store, Schannel may not select the correct certificate. The certificate with the longest validity period will be selected.
If you are on 2k8 or later, you can put the LDAP certificate in the NTDS\MY store, which ensures LDAP picks that certificate rather than one matching the machine in the LocalMachine\MY store.
There you must import the certificate (with the private key!). If the private key is not exportable, see the following method to copy the certificate to the NTDS store without an export/import.
Then, in the exported file, replace
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\45EEACDA090BAB6E602C29E14F587D7FEE5DDAD7]
with
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates\45EEACDA090BAB6E602C29E14F587D7FEE5DDAD7]
Double-click the REG file. You have now copied the certificate to the NTDS\Personal store without exporting the private key.
If the new certificate is not picked up automatically, you can refresh LDAPS by rebooting or by running the following command
ldifde -i -f reloadLDAP.txt
where reloadLDAP.txt is a text file with the following contents
dn:
changetype: modify
add: renewServerCertificate
renewServerCertificate: 1
-
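The answer's procedure as one script, added here as an example and not part of the original answer: it selects the certificate issued by the new CA, copies its registry entry into the NTDS store, triggers the renewServerCertificate reload, and then checks which certificate port 636 actually presents (the PowerShell counterpart of the openssl s_client check in the question). It assumes it is run elevated on the DC; $DcFqdn and $NewCaName are placeholders for your own values.

```powershell
# Added example, not from the original answer. Run elevated on the DC that serves LDAPS.
# Assumptions/placeholders: $DcFqdn is the DC's FQDN, $NewCaName is the NEW issuing CA's CN.
$DcFqdn    = 'dc02.domain.com'
$NewCaName = 'domain-DC02-CA'   # placeholder: the new CA, not the old domain-DC01-CA seen in openssl

# 1. Pick the certificate Schannel should serve: issued by the new CA, subject = the DC,
#    private key present, still valid. Longest validity first, mirroring Schannel's own preference.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "CN=$DcFqdn*" -and $_.Issuer -like "*CN=$NewCaName*" -and
                   $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate for $DcFqdn from $NewCaName with a private key in LocalMachine\My" }

# 2. Copy the certificate's registry entry (its 'Blob' value) into the NTDS service store,
#    the same move the answer performs by editing an exported .reg file.
$src = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\$($cert.Thumbprint)"
$dst = "HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates\$($cert.Thumbprint)"
$blob = (Get-ItemProperty -Path $src -Name Blob).Blob
New-Item -Path $dst -Force | Out-Null
Set-ItemProperty -Path $dst -Name Blob -Value $blob -Type Binary

# 3. Tell the DC to re-read its server certificate without a reboot (the LDIF from the answer).
$ldif = Join-Path $env:TEMP 'reloadLDAP.txt'
@('dn:', 'changetype: modify', 'add: renewServerCertificate', 'renewServerCertificate: 1', '-') |
    Set-Content -Path $ldif -Encoding ASCII
ldifde -i -f $ldif

# 4. Check what port 636 actually presents now (PowerShell counterpart of openssl s_client).
function Get-LdapsServerCertificate {
    param([string]$HostName, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    # Accept any chain here so the cert can be inspected; this is diagnostics, not a trust decision.
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($HostName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Dispose() }
}
$presented = Get-LdapsServerCertificate -HostName $DcFqdn
"Presented: $($presented.Subject) / issuer $($presented.Issuer) / $($presented.Thumbprint)"
if ($presented.Thumbprint -ne $cert.Thumbprint) {
    Write-Warning "LDAPS is still serving a different certificate; check for leftovers from the old CA in LocalMachine\My"
}
```

If the warning fires after the reload, the old CA's certificates still present in LocalMachine\My are the usual reason, since Schannel keeps finding them first.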