Third Party Wildcard Certificate on DCs for LDAPS
Besides the question of whether it makes sense to expose AD DS to the internet, the cited KB article 321051 says:
The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places:
The Common Name (CN) in the Subject field.
A DNS entry in the Subject Alternative Name extension.
The FQDN requirement means a wildcard will not work, or at least usually should not work (as always, it depends on the client code).
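A check for that requirement, added here as an example and not part of the original answer: it takes the dictionary that Python's ssl.getpeercert() returns, runs it against two constructed sample certificates, and reports whether the DC's FQDN appears verbatim in the CN or SAN or is only covered by a wildcard. The fetch helper assumes the third-party certificate chains to a root in the local trust store, because getpeercert() returns an empty dict for a peer that was not verified.

```python
"""Check an LDAPS certificate against the KB 321051 name rule."""
import socket
import ssl


def cert_names(cert):
    """Return (common_names, san_dns_names) from an ssl.getpeercert() dict."""
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return cns, sans


def check_dc_certificate(cert, dc_fqdn):
    """KB 321051: the DC FQDN must appear verbatim as the subject CN or as a
    SAN DNS entry. A wildcard that would cover the name under browser-style
    matching is reported separately, because LDAP clients are not promised
    to honour it. Returns (ok, reason)."""
    fqdn = dc_fqdn.lower().rstrip(".")
    cns, sans = cert_names(cert)
    names = [n.lower().rstrip(".") for n in cns + sans]
    if fqdn in names:
        return True, "exact FQDN match"
    for name in names:
        # "*.domain.com" covers exactly one label to the left of the suffix
        suffix = name[1:] if name.startswith("*.") else None
        if suffix and fqdn.endswith(suffix) and "." not in fqdn[: -len(suffix)]:
            return False, f"only a wildcard ({name}) covers {dc_fqdn}; not guaranteed to work for LDAPS"
    return False, "FQDN not present in CN or SAN"


def fetch_ldaps_cert(host, port=636, timeout=5.0):
    """Retrieve the certificate a live LDAPS endpoint presents (network call).
    Chain verification stays on so getpeercert() returns the parsed dict;
    hostname checking is off because the names are inspected above."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


# Constructed sample certificates in getpeercert() shape (not real certs).
WILDCARD_CERT = {
    "subject": ((("commonName", "*.domain.com"),),),
    "subjectAltName": (("DNS", "*.domain.com"), ("DNS", "domain.com")),
}
DC_CERT = {
    "subject": ((("commonName", "DC01.DOMAIN.COM"),),),
    "subjectAltName": (("DNS", "DC01.DOMAIN.COM"), ("DNS", "DOMAIN.COM")),
}

if __name__ == "__main__":
    for label, cert in (("wildcard", WILDCARD_CERT), ("per-DC", DC_CERT)):
        print(label, check_dc_certificate(cert, "dc01.domain.com"))
```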
Author: Muhammad Umer
Updated on September 18, 2022

Comments
Muhammad Umer, over 1 year ago: I want to limit the commits shown in one go; right now it's the maximum the screen can show. If I use
git diff --oneline -20
it stops after 20. I want to continue after 20.
MDMarra, about 10 years ago: Are you exposing these DCs to the Internet? You shouldn't. AD DS isn't hardened for this. Use something like AD FS exposed to the Internet via the Web Application Proxy (WAP) role.
Zoredache, about 10 years ago: How many DCs do you have? Do your external clients address your individual DCs? Can you just set up a proxy / load balancer on your border and apply a single generic certificate to that? Seems like this would be easy to do with something like stunnel.
Aaron Wurthmann, about 10 years ago: No DCs will be exposed to the open internet. No load balancer is available to "proxy" the certificate. Thank you both for your replies. Incidentally, that is how I have solved this problem in the past, so it is a good suggestion, just out of the scope of this problem.
Aaron Wurthmann, about 10 years ago: As for AD DS being exposed to the internet, you can in fact harden a DC to such a level that the risk is mitigated: IDS, packet inspection, "only allowed hosts" or port knocking. It isn't for the faint of heart, but it is doable. I've done it in the past along with a load balancer, but that is out of scope for THIS problem. Thank you very much for the reply. :-)
EncryptedWatermelon, over 4 years ago: Do you want it to redraw when you change pages or just scroll? Meaning, show only 20 lines on the screen at a time, or advance by 20 lines each time?
Muhammad Umer, over 4 years ago: Continue adding lines, though it'd be useful if there was a line to visually add reference; even some gaping would be useful, but this is optional.
EncryptedWatermelon, over 4 years ago: If you omit
--global
it will be for the one repo.