Friday, August 30, 2013

LDAP and SAN Certificates

Hey everyone - I ran across an interesting problem with certificates and services. The problem was that I needed to see which certificate is being presented to the client on a non-HTTPS service; specifically - binding to LDAP over SSL (LDAPS). So the question is, how can you be sure what certificate is being presented?

Windows, so far as I've been able to find, does not offer any native help in this regard. Luckily there is a solution, but first let me give you a slightly longer description of the scenario so you can appreciate what we're talking about a little bit better.

An environment exists with some number of Domain Controllers, let's say ten. Within this environment, third party applications (think Java apps, Linux systems, etc) need to bind to LDAP to enumerate groups or validate authentication or whatever. These systems, however, can only have a single (or at best, two) LDAP hosts configured. What do you do? Pick two DCs? Round-Robin DNS?

Well, in my case, a load-balancer had been configured to direct LDAP(S) traffic to the various domain controllers and a DNS record configured for that load balancer.

This works great except that when using a load balancer, a generic name (like LDAPS.domain.com) must be used since it is unknown which server will be connected to. This is a problem for SSL.

If I connect to LDAPS.domain.com and am presented with a certificate whose subject reads "dc01.domain.com" then my SSL bind will fail. The solution to that is to create certificates with Subject Alternate Names[1] such that the "LDAPS.domain.com" name exists in addition to each of the certificates used by each of the Domain Controllers.

Starting with Server 2008, you can bind certificates to specific services (though this was NOT true with Server 2003). So, after binding the SAN cert to AD DS, we want to verify which certificate we're seeing when binding to LDAPS. If you want to actually see the certificate details - here are the steps to view the presented cert:
  1. Install OpenSSL[2]
  2. Open a PowerShell session or Cmd prompt
  3. From the OpenSSL\bin directory, issue the following command:
  4. openssl s_client -connect server:port | openssl x509 -noout -text
(you may have to hit the space bar or enter key for the data to be displayed)

In my case, I wanted to verify that I was seeing the certificate with all the Subject Alternate Names. This proved to be exactly what I needed to see the certificate presented to a binding client. Sadly - I cannot give you screen shots since the data is private and I don't have a lab with all of the certificate infrastructure built. Feel free to comment though, if you need a hand with the commands.

G. Samuel Hays

No comments:

Post a Comment