Secure Authentication between Zimbra and AD: Difference between revisions
| Line 8: | Line 8: | ||
---- | ---- | ||
=====Prerequisite===== | =====Prerequisite===== | ||
Before everything else, make sure that the non-ssl AD authentication is working, by following that [https://wiki.zimbra.com/wiki/Configure_authentication_with_Active_Directory article]. | Before everything else, make sure that the non-ssl (port 389) AD authentication is working, by following that [https://wiki.zimbra.com/wiki/Configure_authentication_with_Active_Directory article]. | ||
---- | ---- | ||
==Resolution== | ==Resolution== | ||
1. Review the following [https://wiki.zimbra.com/wiki/Configure_authentication_with_Active_Directory article] to familiarize yourself with the authentication with AD from Zimbra side in AdminUI. The only difference is that in the "Active Directory Settings" , the '''Use SSL:''' tick box is selected: | 1. Review the following [https://wiki.zimbra.com/wiki/Configure_authentication_with_Active_Directory article] to familiarize yourself with the authentication with AD from Zimbra side in AdminUI. The only difference is that in the "Active Directory Settings" , the '''"Use SSL:"''' tick box is selected: | ||
[[File:3_ad_ssl.JPG]] | [[File:3_ad_ssl.JPG]] | ||
2. | 2. Convert the zimbra CA to .der, and copy it to the DC: | ||
* Use tools such as [https://winscp.net/download/WinSCP-5.9.2-Setup.exe WinScp] to copy the /opt/zimbra/ssl/zimbra/ca/ | cd /opt/zimbra/ssl/zimbra/ca | ||
openssl x509 -in ca.pem -outform der -out ad.der | |||
* Use tools such as [https://winscp.net/download/WinSCP-5.9.2-Setup.exe WinScp] to copy the /opt/zimbra/ssl/zimbra/ca/ad.der file to the DC. | |||
3. Install the Zimbra certificate authority (CA) on the domain controller: | 3. Install the Zimbra certificate authority (CA) on the domain controller: | ||
* '''Start->Run''' > Type '''mmc'''. This will open the '''Microsoft Management Console'''. | * '''Start->Run''' > Type '''mmc''' > Right click on it > "Run as Administrator". This will open the '''Microsoft Management Console'''. | ||
* Click "File" > "Add/Remove Snap-In..." to open the "Add Standalone Snap-in" dialog. | * Click "File" > "Add/Remove Snap-In..." to open the "Add Standalone Snap-in" dialog. | ||
* From the '''Available snap-ins''' on the left, select "Certificates" and press "Add". | * From the '''Available snap-ins''' on the left, select "Certificates" and press "Add". | ||
| Line 29: | Line 30: | ||
* Click "Ok" to close the "Add/Remove Snap-in" dialog. | * Click "Ok" to close the "Add/Remove Snap-in" dialog. | ||
Once the "Certificates snap-in" is open, | Once the "Certificates snap-in" is open, click on the "Certificates" node under "Trusted Root Certification Authorities". Right-click on the "Certificates" node, select "All Tasks" -> "Import...", and import the Certificate Authority (in my case "ad.der") you copied from Zimbra. Accept the default location: Trusted Root Certification Authorities | ||
[[File:4_ad_ssl.jpg]] | [[File:4_ad_ssl.jpg]] | ||
4. Create a csr. For this purpose we will use Microsoft's '''certreq''' utility. To generate csr, we need to create a *.inf file. Below is a sample *.inf file you ca use. | |||
* Open a text editor and paste the following text | * Open a text editor (Notepad) and paste the following text into the file. Make sure no CR/LF character is added to the "Subject =" line when you copy and paste the text. Remove if any: | ||
<br> | <br> | ||
;----------------- | ;----------------- csr.inf ----------------- | ||
[Version] | [Version] | ||
| Line 66: | Line 67: | ||
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication | OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication | ||
<br> | <br> | ||
* Update the Subject attributes with appropriate values. For example: CN= | * Update the Subject attributes with appropriate values. For example: CN=ad.example.com. The FQDN must be the name of the AD server. | ||
4. Once you have a '''inf''' file, generate a Certificate Signing Request (CSR) using certreq. | 4. Once you have a '''inf''' file, generate a Certificate Signing Request (CSR) using certreq. Open CMD and type: | ||
certreq -new ad.inf ad.csr | certreq -new ad.inf ad.csr | ||
5. Sign the certificate. | 5. Sign the certificate. | ||
Copy the csr to the ZCS server and run as root: | |||
openssl x509 -req -days 365 -in ad.csr -CA ca. | openssl x509 -req -days 365 -in ad.csr -CA /opt/zimbra/ssl/zimbra/ca/ca.pem -CAkey /opt/zimbra/ssl/zimbra/ca/ca.key -set_serial 01 -out ad.crt | ||
That will create a file ad.crt. Copy the file back to the AD server. | |||
6. Accept the Certificate | 6. Accept the Certificate | ||
After | After the ad.crt file has been copied to the AD server, run the following command to accept it, using the "certreq" utility: | ||
certreq -accept ad.crt | certreq -accept ad.crt | ||
This will | This will accept the cert in the Windows certificate store and it will be available to those services and products that make use of the Windows certificate store. These products include but are not limited to: IIS, Exchange, Active Directory (LDAPS), Terminal Services and Microsoft Management Console (MMC). | ||
7. Install the certificate. | 7. Install the certificate. | ||
From | From Step 3, open the "Certificates snap-in", expand the "Certificates" node under "Personal". Right-click on the "Certificates" node, select "All Tasks" -> "Import...", and import the "ad.crt". | ||
[[File:5_ad_ssl.jpg]] | [[File:5_ad_ssl.jpg]] | ||
Revision as of 00:55, 24 October 2016
Secure Authentication between Zimbra and AD (self-signed certificate)
- This article is a Work in Progress, and may be unfinished or missing sections.
Purpose
How to configure authentication with Active Directory using SSL.
Prerequisite
Before everything else, make sure that the non-ssl (port 389) AD authentication is working, by following that article.
Resolution
1. Review the following article to familiarize yourself with the authentication with AD from Zimbra side in AdminUI. The only difference is that in the "Active Directory Settings" , the "Use SSL:" tick box is selected:
2. Convert the zimbra CA to .der, and copy it to the DC:
cd /opt/zimbra/ssl/zimbra/ca openssl x509 -in ca.pem -outform der -out ad.der
- Use tools such as WinScp to copy the /opt/zimbra/ssl/zimbra/ca/ad.der file to the DC.
3. Install the Zimbra certificate authority (CA) on the domain controller:
- Start->Run > Type mmc > Right click on it > "Run as Administrator". This will open the Microsoft Management Console.
- Click "File" > "Add/Remove Snap-In..." to open the "Add Standalone Snap-in" dialog.
- From the Available snap-ins on the left, select "Certificates" and press "Add".
- Select "Computer account" and press "Next".
- Select "Local computer" and press "Finish"
- Click "Ok" to close the "Add/Remove Snap-in" dialog.
Once the "Certificates snap-in" is open, click on the "Certificates" node under "Trusted Root Certification Authorities". Right-click on the "Certificates" node, select "All Tasks" -> "Import...", and import the Certificate Authority (in my case "ad.der") you copied from Zimbra. Accept the default location: Trusted Root Certification Authorities
4. Create a csr. For this purpose we will use Microsoft's certreq utility. To generate csr, we need to create a *.inf file. Below is a sample *.inf file you ca use.
- Open a text editor (Notepad) and paste the following text into the file. Make sure no CR/LF character is added to the "Subject =" line when you copy and paste the text. Remove if any:
;----------------- csr.inf ----------------- [Version] Signature="$Windows NT$" [NewRequest] Subject = "CN=mail.example.com, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country" ; Replace mail.example.com with the FQDN of your AD server's FQDN. ; Replace the remaining Subject attributes. KeySpec = 1 KeyLength = 2048 HashAlgorithm = SHA256 Exportable = TRUE MachineKeySet = TRUE SMIME = False PrivateKeyArchive = FALSE UserProtected = FALSE UseExistingKeySet = FALSE ProviderName = "Microsoft RSA SChannel Cryptographic Provider" ProviderType = 12 RequestType = PKCS10 KeyUsage = 0xa0 [EnhancedKeyUsageExtension] OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
- Update the Subject attributes with appropriate values. For example: CN=ad.example.com. The FQDN must be the name of the AD server.
4. Once you have a inf file, generate a Certificate Signing Request (CSR) using certreq. Open CMD and type:
certreq -new ad.inf ad.csr
5. Sign the certificate. Copy the csr to the ZCS server and run as root:
openssl x509 -req -days 365 -in ad.csr -CA /opt/zimbra/ssl/zimbra/ca/ca.pem -CAkey /opt/zimbra/ssl/zimbra/ca/ca.key -set_serial 01 -out ad.crt
That will create a file ad.crt. Copy the file back to the AD server.
6. Accept the Certificate After the ad.crt file has been copied to the AD server, run the following command to accept it, using the "certreq" utility:
certreq -accept ad.crt
This will accept the cert in the Windows certificate store and it will be available to those services and products that make use of the Windows certificate store. These products include but are not limited to: IIS, Exchange, Active Directory (LDAPS), Terminal Services and Microsoft Management Console (MMC).
7. Install the certificate.
From Step 3, open the "Certificates snap-in", expand the "Certificates" node under "Personal". Right-click on the "Certificates" node, select "All Tasks" -> "Import...", and import the "ad.crt".
8. Restart AD server
Check
To make sure the SSL is working, we can use ldp.exe. Click Start> Run > type ldp.exe and open it. At top left, click on "Connection" > "Connect...".
