Secure LDAP question
Hi, we have an off-site application that will be authenticating via secure LDAP to our AD domain controllers. I really have no clue how to set this up. I did read through KB321051, but that raises more questions than answers. Some of my questions are:

1) We already have other apps that use LDAP (unsecure). Will these break when I install the cert?
2) Does the cert need to be installed on all domain controllers, or just one? The configuration of the external app only allows you to point it at one IP address.
3) Our domain is mycompany.int. It turns out that the .int domain is protected. Usually it's not a problem because we never reference this domain from the Internet. But I'm wondering if it will be a problem with the cert, as the DCs' FQDNs are like dc1.mycompany.int. We do of course have a public domain too - mycompany.com. Can I just make public DNS records (dc1.mycompany.com) and use those for generating the CSRs?
4) Finally, I'm just wondering what some of the hidden gotchas might be. Will anything else in AD break? Exchange?

Thanks!
May 25th, 2012 11:05am

Hi,

> 1) We already have other apps that use LDAP (unsecure). Will these break when I install the cert?

No. After you enable LDAP over SSL, your DC still supports normal LDAP connection requests.

> 2) Does the cert need to be installed on all domain controllers, or just one? The configuration of the external app only allows you to point it at one IP address.

You can enable LDAP over SSL only on one of your DCs. But why not enable LDAP over SSL on all your DCs? That encrypts your DCs' LDAP communications.

> 3) Our domain is mycompany.int. It turns out that the .int domain is protected. Usually it's not a problem because we never reference this domain from the Internet. But I'm wondering if it will be a problem with the cert, as the DCs' FQDNs are like dc1.mycompany.int. We do of course have a public domain too - mycompany.com. Can I just make public DNS records (dc1.mycompany.com) and use those for generating the CSRs?

This is not a question, since you can request a certificate with a custom Subject Alternative Name (SAN). The use of SANs in server authentication certificates enables a single certificate to be bound to multiple names on a single computer.

> 4) Finally, I'm just wondering what some of the hidden gotchas might be. Will anything else in AD break? Exchange?

No, you just enable LDAP over SSL (port 636); the LDAP service still listens on port 389 and supports normal LDAP connection requests.

For more information please refer to the following MS articles:
LDAP over SSL (LDAPS) Certificate
http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
How to enable LDAP over SSL with a third-party certification authority
http://support.microsoft.com/kb/321051

Lawrence
TechNet Community Support
May 28th, 2012 4:26am
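An added check, not part of Lawrence's reply, for the SAN point in answer 3 and the "hidden gotchas" in answer 4: it validates the chain of the certificate a DC serves on 636 and then reports whether each name the off-site app might be pointed at (the internal FQDN, the public FQDN, or a bare IP address) would pass TLS name validation. The hostnames and the 203.0.113.10 address are constructed examples, as is SAMPLE_CERT.

```python
import ipaddress
import socket
import ssl

LDAPS_PORT = 636

def _dns_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive, wildcard only as the left-most label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        parts = hostname.split(".", 1)
        return len(parts) == 2 and parts[0] != "" and parts[1] == pattern[2:]
    return False

def name_covered(cert: dict, target: str) -> bool:
    """True if the name or IP literal a client connects with is listed in the certificate's SAN."""
    ip = None
    try:
        ip = ipaddress.ip_address(target)   # IP literals only match an 'IP Address' SAN entry
    except ValueError:
        pass
    for kind, value in cert.get("subjectAltName", ()):
        if ip is not None and kind == "IP Address" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and _dns_match(value, target):
            return True
    return False

def coverage_report(cert: dict, targets) -> dict:
    """Map each candidate connection name to whether the certificate would pass name validation."""
    return {t: name_covered(cert, t) for t in targets}

def fetch_ldaps_cert(host: str, port: int = LDAPS_PORT, cafile=None) -> dict:
    """TLS-connect to a DC's LDAPS port, verify the chain against cafile (or the system store),
    and return the peer certificate in the dict form ssl's getpeercert() produces."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False            # chain is still verified below; name matching is
    ctx.verify_mode = ssl.CERT_REQUIRED   # done by coverage_report so every name can be checked
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

# Constructed sample in getpeercert() format: a DC cert carrying both the internal and public names.
SAMPLE_CERT = {
    "subject": ((("commonName", "dc1.mycompany.int"),),),
    "subjectAltName": (("DNS", "dc1.mycompany.int"), ("DNS", "dc1.mycompany.com")),
}
```

Running coverage_report on a fetched certificate with the public FQDN and the bare IP the app is pointed at shows the gotcha from answer 2: a client that validates names will reject a connection made by IP unless the certificate also carries an IP Address SAN entry.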

