Connect to AD using SSL

In 2019, Microsoft released guidance on enabling LDAP channel binding and LDAP signing on domain controllers (ADV190023). Once the recommended settings are in place, an ldapsearch that used to work over plain LDAP on port 389 fails at the bind with:

ldap_bind: Strong(er) authentication required (8)
        additional info: 00002028: LdapErr: DSID-0C090273, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v3839

The error message itself points at the fix: the bind must happen on a connection that is already protected by TLS. (Signing is the other option the message mentions, but it needs a SASL mechanism such as GSSAPI that negotiates integrity; a simple bind with -x can only satisfy the requirement through TLS.) ldapsearch offers two ways to get there:

  • replace -h hostname with -H ldaps://hostname, which speaks LDAPS on port 636 with TLS from the first byte (-h is deprecated in current OpenLDAP anyway)
  • keep port 389 and add -Z, which issues the StartTLS extended operation before the bind; prefer -ZZ, which makes a failed StartTLS fatal instead of carrying on in cleartext

Either way the TLS handshake now fails, because the client cannot validate the certificate the domain controller presents. With -Z the error reads as follows (with -H ldaps:// the wording differs, but the cause is the same):

ldap_start_tls: Connect error (-11)
        additional info: error:14090086:SSL routines:ssl3_get_server_certificate:certificate verify failed (unable to get local issuer certificate)

The client has no trust anchor for the chain the server presents: libldap (built against OpenSSL here, as the ssl3_get_server_certificate wording shows) must be able to build a path from the server certificate up to a CA it trusts, and the domain's private CA is not in the system trust store. So the missing piece is that CA certificate. To find out which CA it is, and where its certificate is published, dump the chain the server sends, assuming the domain controller is aaa.bbb.ccc (the </dev/null stops s_client from waiting on stdin):

openssl s_client -connect aaa.bbb.ccc:636 -showcerts </dev/null

In the output, look at the last certificate in the chain. It is the highest link the server sends, and it is normally the issuing (subordinate) CA rather than the root itself: in the chain below it is aaa-CA, and its issuer line names the root you are missing, AAA Enterprise ROOT CA. Copy that block, from the “BEGIN CERTIFICATE” line through the “END CERTIFICATE” line, into a file. (The depth=1 / verify error:num=20 lines at the top are s_client reporting the same failure ldapsearch hit: it found no local issuer for the certificate at depth 1.)

CONNECTED(00000003)
depth=1 DC = ccc, DC = bbb, DC = aaa, CN = aaa-CA
verify error:num=20:unable to get local issuer certificate
---
Certificate chain
 0 s:
   i:/DC=ccc/DC=bbb/DC=aaa/CN=aaa-CA
-----BEGIN CERTIFICATE-----
MIIFLTCCBBWgAwIBAgITXwAF6uQVz+6zSqBNawABAAXq5DANBgkqhkiG9w0BAQsF
ADBiMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFjAUBgoJkiaJk/IsZAEZFgZkaWRh
......
-----END CERTIFICATE-----
 1 s:/DC=ccc/DC=bbb/DC=aaa/CN=aaa-CA
   i:/DC=ccc/DC=bbb/CN=AAA Enterprise ROOT CA
-----BEGIN CERTIFICATE-----
MIIGxTCCBa2gAwIBAgITEAAIblqnCh7r7rJUmAAKAAhuWjANBgkqhkiG9w0BAQsF
ADBbMRUwEwYKCZImiZPyLGQBGRYFbG9jYWwxFjAUBgoJkiaJk/IsZAEZFgZkaWRh
......
-----END CERTIFICATE-----
---

If that block was saved as ddd.pem, decode it with (-noout suppresses the re-printed PEM):

openssl x509 -in ddd.pem -noout -text

In the output, find the Authority Information Access extension. Beside the ldap:/// URI, which only an AD-aware client can resolve, there is an HTTP URI under “CA Issuers” that says where the issuer's certificate is published (AD CS keeps it under /CertEnroll/ on the CA's web server):

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            10:00:08:6e:5a:a7:1a:1e:eb:ee:b3:54:98:00:0a:00:08:6e:5a
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=ccc, DC=bbb, CN=AAA Enterprise ROOT CA
        Validity
            Not Before: Oct 22 09:33:49 2020 GMT
            Not After : Oct 21 09:33:49 2025 GMT
        Subject: DC=ccc, DC=bbb, DC=aaa, CN=aaa-CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:cb:6c:48:04:19:c4:b3:fc:38:5f:da:b0:02:6e:
                    9d:61:46:ab:e8:4f:c3:bc:e2:ff:44:1e:26:b7:83:

                    .....
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            1.3.6.1.4.1.311.21.1:
                ...
            1.3.6.1.4.1.311.21.2:
                ..?.B,.k..}..
?6.4Nm2.
            X509v3 Subject Key Identifier:
                35:45:F7:5E:92:18:F8:0C:2A:FE:D4:A3:FE:D9:90:9B:6A:D2:1A:24
            1.3.6.1.4.1.311.20.2:
                .
.S.u.b.C.A
            X509v3 Key Usage:
                Digital Signature, Certificate Sign, CRL Sign
            X509v3 Basic Constraints: critical
                CA:TRUE
            X509v3 Authority Key Identifier:
                keyid:6B:1E:46:71:37:26:DE:52:22:79:B4:19:4F:01:39:06:AA:84:0C:AF

            X509v3 CRL Distribution Points:

                Full Name:
                  URI:ldap:///xxx
                  URI:http://yyy.crl

            Authority Information Access:
                CA Issuers - URI:ldap:///xxx
                CA Issuers - URI:http://ffff.bbb.ccc/CertEnroll/xxx.crt

Download that URL; a browser on a Windows machine is one way, curl or wget another. AD CS serves the file in DER form, so it has to be converted to PEM before OpenLDAP can use it. On Windows, double-click the downloaded file, go to the Details tab and click “Copy to File”; the export wizard asks for the format, so choose “Base-64 encoded X.509 (.CER)”, click Next, and save it under a file name of your choice. The result is the root certificate in PEM format (openssl can do the same conversion directly with its DER input mode). Inspect it with the same openssl x509 command and compare Issuer and Subject: on a root they are identical, because a root certificate is self-signed.

One caveat before trusting it: the file came over plain HTTP, so anyone able to tamper with that download could hand you a CA of their choosing, and every later ldapsearch would then trust whoever answers on port 636. Compare the certificate's SHA-256 fingerprint with the copy in a domain-joined machine's Trusted Root Certification Authorities store (AD publishes enterprise roots there) or with what the PKI team publishes before you use it.

Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            45:e8:c3:0b:77:a2:be:67:45:cf:cf:63:d7:61:23:50
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: DC=ccc, DC=bbb, CN=AAA Enterprise ROOT CA
        Validity
            Not Before: Aug 27 07:34:27 2015 GMT
            Not After : Sep 18 09:29:59 2029 GMT
        Subject: DC=ccc, DC=bbb, CN=AAA Enterprise ROOT CA
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (2048 bit)
                Modulus:
                    00:e0:82:48:17:5b:af:4a:78:4e:bd:f6:09:4f:54:
                    d7:5b:e6:6b:e2:34:aa:61:12:97:48:54:4f:75:c8:
                    41:44:2a:58:2d:71:a7:b6:53:2b:0f:cb:ff:ac:ce:
                    ........
                Exponent: 65537 (0x10001)

If the file is stored as rootCA.pem, point libldap at it through the LDAPTLS_CACERT environment variable when running ldapsearch. Note that env LDAPTLS_CACERT=rootCA.pem on its own only prints the environment; the ldapsearch command has to follow it on the same line. With placeholder bind and search parameters:

env LDAPTLS_CACERT=rootCA.pem ldapsearch -H ldaps://aaa.bbb.ccc -x -D 'user@aaa.bbb.ccc' -W -b 'DC=aaa,DC=bbb,DC=ccc' '(sAMAccountName=user)'

Use the domain controller's DNS name as it appears in its certificate, not an IP address, because libldap also checks that the name matches. To make the setting permanent, put TLS_CACERT /path/to/rootCA.pem in ~/.ldaprc or in the system ldap.conf (/etc/openldap/ldap.conf or /etc/ldap/ldap.conf, depending on the distribution). Resist the shortcut of LDAPTLS_REQCERT=never (or TLS_REQCERT never): it switches certificate verification off, so the password still travels over TLS, but to whoever is listening on port 636.

With the root in place the handshake verifies and the bind succeeds. If there are still problems, add -d 5 (or -d -1 for everything) to ldapsearch to watch the TLS negotiation in detail. Hope that helps.
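The whole diagnosis above, as an added example that is not code from the original post: it runs offline against a throw-away PKI built with openssl that mirrors the post's names (AAA Enterprise ROOT CA signing aaa-CA, which signs the domain controller aaa.bbb.ccc, with the AIA URI http://ffff.bbb.ccc/CertEnroll/xxx.crt placed in the issuing CA's certificate). All names, URIs and file names are assumptions standing in for a real domain; the only requirement is openssl 1.1.1 or later. It takes the last certificate from a chain file laid out the way s_client -showcerts prints it, reads the HTTP "CA Issuers" URI from it, converts the DER .crt that AD CS would serve into PEM, checks that the result is self-signed, and shows openssl verify failing with error 20 until that root is supplied, which is exactly what LDAPTLS_CACERT fixes.

```sh
# Added example, not code from the original post: the chain diagnosis above,
# run offline against a throw-away PKI that mirrors the post's names
# (AAA Enterprise ROOT CA -> aaa-CA -> DC aaa.bbb.ccc). Names, URIs and files
# are assumptions standing in for a real domain. Needs openssl 1.1.1+.
set -eu
WORK="${WORK:-$(mktemp -d)}"

build_pki() {   # constructed stand-in for the domain's AD CS hierarchy
    cat > "$WORK/pki.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = v3_root
[ dn ]
CN = placeholder
[ v3_root ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ v3_sub ]
basicConstraints = critical,CA:TRUE
keyUsage = digitalSignature,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
authorityInfoAccess = caIssuers;URI:http://ffff.bbb.ccc/CertEnroll/xxx.crt
[ v3_dc ]
basicConstraints = CA:FALSE
keyUsage = digitalSignature,keyEncipherment
subjectAltName = DNS:aaa.bbb.ccc
authorityKeyIdentifier = keyid
EOF
    # Root CA: self-signed, so Issuer == Subject.
    openssl req -x509 -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -sha256 -days 3650 \
        -subj "/DC=ccc/DC=bbb/CN=AAA Enterprise ROOT CA" \
        -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
    # Issuing CA, signed by the root, carrying the AIA pointer to the root.
    openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/DC=ccc/DC=bbb/DC=aaa/CN=aaa-CA" \
        -keyout "$WORK/sub.key" -out "$WORK/sub.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/root.pem" -CAkey "$WORK/root.key" \
        -set_serial 4096 -days 1825 -sha256 -extfile "$WORK/pki.cnf" -extensions v3_sub \
        -out "$WORK/sub.pem" 2>/dev/null
    # Domain controller certificate, signed by the issuing CA.
    openssl req -new -config "$WORK/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=aaa.bbb.ccc" -keyout "$WORK/dc.key" -out "$WORK/dc.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/dc.csr" -CA "$WORK/sub.pem" -CAkey "$WORK/sub.key" \
        -set_serial 8192 -days 365 -sha256 -extfile "$WORK/pki.cnf" -extensions v3_dc \
        -out "$WORK/dc.pem" 2>/dev/null
    # What the DC sends in the handshake (what s_client -showcerts shows):
    # leaf, then issuing CA, no root. The AIA download is DER, as AD CS serves it.
    cat "$WORK/dc.pem" "$WORK/sub.pem" > "$WORK/chain.pem"
    openssl x509 -in "$WORK/root.pem" -outform DER -out "$WORK/downloaded.crt"
}

# First / last PEM block of chain file $1, written to $2.
first_cert_in_chain() {
    awk '/-----BEGIN CERTIFICATE-----/ { p = 1 } p { print }
         /-----END CERTIFICATE-----/ { exit }' "$1" > "$2"
}
last_cert_in_chain() {
    awk '/-----BEGIN CERTIFICATE-----/ { buf = "" } { buf = buf $0 "\n" }
         /-----END CERTIFICATE-----/ { last = buf } END { printf "%s", last }' "$1" > "$2"
}

# HTTP "CA Issuers" URI from the Authority Information Access extension of $1.
aia_http_uri() {
    openssl x509 -in "$1" -noout -text |
        sed -n 's/^ *CA Issuers - URI:\(http[^ ]*\).*/\1/p' | head -n 1
}

# AD CS serves the .crt as DER; openssl reads PEM by default, so convert
# explicitly (the post goes through the Windows "Copy to File" wizard instead).
der_to_pem() { openssl x509 -inform DER -in "$1" -out "$2"; }

# A root is self-signed: Issuer equals Subject and it verifies against itself.
is_self_signed() {
    [ "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" = \
      "$(openssl x509 -in "$1" -noout -issuer | sed 's/^issuer=//')" ] &&
        openssl verify -no-CAfile -no-CApath -CAfile "$1" "$1" >/dev/null 2>&1
}

# Path validation as libldap does it: no trust anchor -> error 20 at depth 1;
# root supplied (what LDAPTLS_CACERT does) -> OK.
verify_without_root() {
    openssl verify -no-CAfile -no-CApath -untrusted "$WORK/chain.pem" "$WORK/leaf.pem"
}
verify_with_root() {
    openssl verify -CAfile "$1" -untrusted "$WORK/chain.pem" "$WORK/leaf.pem"
}

build_pki
first_cert_in_chain "$WORK/chain.pem" "$WORK/leaf.pem"
last_cert_in_chain "$WORK/chain.pem" "$WORK/ddd.pem"
echo "last cert in chain: $(openssl x509 -in "$WORK/ddd.pem" -noout -subject)"
echo "its issuer is published at: $(aia_http_uri "$WORK/ddd.pem")"
der_to_pem "$WORK/downloaded.crt" "$WORK/rootCA.pem"
is_self_signed "$WORK/rootCA.pem" && echo "rootCA.pem is self-signed, i.e. a root"
echo "--- without the root:"; verify_without_root || true
echo "--- with the root:"; verify_with_root "$WORK/rootCA.pem"
```

Run it as-is: it prints the issuer URI taken from aaa-CA, confirms that the converted download is self-signed, and shows openssl verify stopping with "unable to get local issuer certificate" until rootCA.pem is passed as the trust anchor. Against a real domain controller the equivalent end-to-end check is openssl s_client -connect aaa.bbb.ccc:636 -CAfile rootCA.pem, which should report Verify return code: 0 (ok) before you go back to ldapsearch.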
