Recipe 14.2 Encrypting LDAP Traffic with SSL, TLS, or Signing

14.2.1 Problem

You want to encrypt LDAP traffic using SSL, TLS, or signing.

14.2.2 Solution

Using a graphical user interface

Most of the GUI-based tools on a Windows Server 2003, Windows XP, or Windows 2000 SP 3 machine automatically sign and encrypt traffic between the server and client. This includes the following tools:

  • Active Directory Domains and Trusts

  • Active Directory Sites and Services

  • Active Directory Schema

  • Active Directory Users and Computers

  • ADSI Edit

  • Group Policy Management Console

  • Object Picker

Also with ADSI Edit, you can specify the port number to use when browsing a partition. View the Settings for a connection by right-clicking on the partition and selecting Settings. Click the Advanced button and enter 636 for LDAP over SSL or 3269 for the global catalog over SSL.

The Windows Server 2003 version of LDP supports encryption using the StartTLS and StopTLS operations, which are available from the Options → TLS menu. With the Windows 2000 version, you can use SSL by going to Connection → Connect and entering 636 or 3269 for the port.

Using a command-line interface

The DS command-line tools support LDAP signing and encryption when run from Windows Server 2003 or Windows XP against a Windows 2000 SP3 or Windows Server 2003 domain controller. This includes dsadd, dsmod, dsrm, dsmove, dsget, and dsquery.

Using VBScript

' This code shows how to enable SSL and secure authentication using ADSI

' Constants taken from ADS_AUTHENTICATION_ENUM
ADS_SECURE_AUTHENTICATION = 1
ADS_USE_SSL = 2

set objLDAP = GetObject("LDAP:")
' Arguments: ADsPath, user name, password, authentication flags
set objOU = objLDAP.OpenDSObject("LDAP://ou=Sales,dc=rallencorp,dc=com", _
                                 "", _
                                 "MyAdminPassword", _
                                 ADS_SECURE_AUTHENTICATION + ADS_USE_SSL)
WScript.Echo objOU.Get("ou")

' This code shows how to enable SSL and secure authentication using ADO:

' Constants taken from ADS_AUTHENTICATION_ENUM
ADS_SECURE_AUTHENTICATION = 1
ADS_USE_SSL = 2

set objConn = CreateObject("ADODB.Connection")
objConn.Provider = "ADsDSOObject"
objConn.Properties("User ID") = ""
objConn.Properties("Password") = "MyAdminPassword"
objConn.Properties("Encrypt Password") = True
' Pass the same authentication flags to the ADSI provider that OpenDSObject takes
objConn.Properties("ADSI Flag") = ADS_SECURE_AUTHENTICATION + ADS_USE_SSL
objConn.Open "Active Directory Provider"
set objRS = objConn.Execute("<LDAP://cn=users,dc=rallencorp,dc=com>;" & _
                            "(cn=*);" & "cn;" & "onelevel")
' Print the cn of every object returned
while Not objRS.EOF
    Wscript.Echo objRS.Fields(0).Value
    objRS.MoveNext
wend

14.2.3 Discussion

The out-of-the-box install of Windows 2000 Active Directory did not provide any default data encryption over the network between clients and domain controllers with most of the standard tools. If you run Network Monitor (netmon.exe) while using tools that perform simple LDAP binds, you'll see LDAP requests, usernames, and passwords going over the network in plain text. Obviously this is not the most secure configuration, so with Windows Server 2003 most of the AD tools sign and encrypt traffic from the clients to the domain controllers by default.
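A client-side check of the three protections this recipe names, as an added example that is not part of the original recipe: it binds over LDAPS, StartTLS, and Negotiate sign-and-seal in turn and reports what was negotiated, so a domain controller that only accepts unprotected binds shows up as a failed row. The function name Test-LdapChannel and the host dc1.rallencorp.com are hypothetical; the script assumes a Windows client with PowerShell 3.0 or later and the System.DirectoryServices.Protocols assembly.

```powershell
# Added example. Test-LdapChannel and the host name below are hypothetical.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapChannel {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [ValidateSet('LDAPS', 'StartTLS', 'SignAndSeal')] [string] $Mode = 'LDAPS',
        [switch] $GlobalCatalog
    )
    # 636/3269 are the SSL ports from the recipe; 389/3268 are the plain LDAP/GC
    # ports, used here only with StartTLS or sign-and-seal layered on top.
    $port = if ($Mode -eq 'LDAPS') {
        if ($GlobalCatalog) { 3269 } else { 636 }
    } else {
        if ($GlobalCatalog) { 3268 } else { 389 }
    }
    $ns   = 'System.DirectoryServices.Protocols'
    $id   = New-Object "$ns.LdapDirectoryIdentifier" -ArgumentList $Server, $port
    $conn = New-Object "$ns.LdapConnection" -ArgumentList $id
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    $conn.SessionOptions.ProtocolVersion = 3
    $result = [ordered]@{ Server = $Server; Port = $port; Mode = $Mode
                          Bound = $false; Protocol = $null; CipherBits = $null; Error = $null }
    try {
        switch ($Mode) {
            'LDAPS'       { $conn.SessionOptions.SecureSocketLayer = $true }
            'StartTLS'    { $conn.SessionOptions.StartTransportLayerSecurity($null) }
            'SignAndSeal' { $conn.SessionOptions.Signing = $true
                            $conn.SessionOptions.Sealing = $true }
        }
        $conn.Bind()   # binds as the logged-on user, so no password sits in the script
        $result.Bound = $true
        if ($Mode -ne 'SignAndSeal') {
            $tls = $conn.SessionOptions.SslInformation
            $result.Protocol   = $tls.Protocol
            $result.CipherBits = $tls.CipherStrength
        }
    } catch {
        $result.Error = $_.Exception.Message   # e.g. no certificate on the DC, name mismatch
    } finally {
        $conn.Dispose()
    }
    [pscustomobject]$result
}

# Constructed usage: dc1.rallencorp.com is a placeholder in the recipe's example domain.
'LDAPS', 'StartTLS', 'SignAndSeal' |
    ForEach-Object { Test-LdapChannel -Server 'dc1.rallencorp.com' -Mode $_ } |
    Format-Table -AutoSize
```

A row with Bound set to False for LDAPS or StartTLS usually means the domain controller has no usable server certificate; Recipe 14.1 covers enabling SSL/TLS.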

To use the more secure Windows Server 2003 tools against Windows 2000 domain controllers, you need to install SP 3 on the Windows 2000 domain controllers. The new versions of the tools cannot be run directly on Windows 2000, so you must use a Windows XP or Windows Server 2003 machine to host them.

If you want to take advantage of some of the new features of the tools, but have not installed SP 3 yet, you can disable signing on the Windows XP or Windows Server 2003 machine. It is worth stating the obvious that this is insecure and defeats one of the major benefits of the new tools, but you may have no other choice. To disable signing, set the following registry value to 0x03:


14.2.4 See Also

Recipe 14.1 for enabling SSL/TLS, MS KB 325465 (Windows 2000 Domain Controllers Require SP3 or Later When Using Windows Server 2003 Administration Tools), MS KB 304718 (Administering Windows Server-Based Computers Using Windows XP Professional-Based Clients), and MSDN: ADS_AUTHENTICATION_ENUM
