Difference between revisions of "Secure Authentication between Zimbra and AD"

(Created page with "=Secure Authentication between Zimbra and AD (self-signed certificate)= {{KB|{{ZC}}|{{ZCS 8.6}}|{{ZCS 8.5}}|{{ZCS 8.0}}|}} ---- ==Purpose== How to configure authentication w...")
 
(Secure Authentication between Zimbra and AD (self-signed certificate))
 
(21 intermediate revisions by the same user not shown)
Line 5: Line 5:
 
==Purpose==
 
==Purpose==
  
How to configure authentication with Active Directory using SSL.  
+
'''How to configure''' authentication with Active Directory using SSL.  
 
----
 
----
 
=====Prerequisite=====
 
=====Prerequisite=====
To have better overview of the authentication with AD and how to configure it, check the following [https://wiki.zimbra.com/wiki/Configure_authentication_with_Active_Directory article]
+
Before everything else, make sure that the non-ssl (port 389) AD authentication is working, by following that [https://wiki.zimbra.com/wiki/Configure_authentication_with_Active_Directory article].
  
 
----
 
----
 
==Resolution==
 
==Resolution==
  
1. Review the following [https://wiki.zimbra.com/wiki/Configure_authentication_with_Active_Directory article] to familiarize yourself with the authentication with AD from Zimbra side in AdminUI. The only difference is that in the "Active Directory Settings" , the '''Use SSL:''' tick box is selected:
+
1. Review the following [https://wiki.zimbra.com/wiki/Configure_authentication_with_Active_Directory article] to familiarize yourself with the authentication with AD from Zimbra side in AdminUI. The only difference from the article, is that in the "Active Directory Settings", we need to  check the '''"Use SSL:"''' tick box:
  
 
[[File:3_ad_ssl.JPG]]
 
[[File:3_ad_ssl.JPG]]
 +
----
 +
2. '''Convert''' the zimbra CA to .der, and copy it to the DC:
 +
cd /opt/zimbra/ssl/zimbra/ca
 +
openssl x509 -in ca.pem -outform der -out ad.der
 +
* Use tools such as [https://winscp.net/download/WinSCP-5.9.2-Setup.exe WinScp] to copy the /opt/zimbra/ssl/zimbra/ca/ad.der file to the DC.
 +
----
 +
3. '''Install''' the Zimbra certificate authority (CA) (ad.der) on the domain controller:
 +
* '''Start->Run''' > Type '''mmc''' > Right click on it > "Run as Administrator". This will open the '''Microsoft Management Console'''.
 +
* Click "File" > "Add/Remove Snap-In..." to open the "Add Standalone Snap-in" dialog.
 +
* From the '''Available snap-ins''' on the left, select "Certificates" and press "Add".
 +
* Select "Computer account" and press "Next".
 +
* Select "Local computer" and press "Finish"
 +
* Click "Ok" to close the "Add/Remove Snap-in" dialog.
 +
<br>
 +
Once the "Certificates snap-in" is open, click on the "Certificates" node under "Trusted Root Certification Authorities". Right-click on the "Certificates" node, select "All Tasks" -> "Import...", and import the Certificate Authority (in my case "ad.der") you copied from Zimbra. Accept the default location: Trusted Root Certification Authorities
  
2. After configuring the Domain Authentication with AD in Zimbra, we need to import the Zimbra CA to the DC:
+
[[File:4_ad_ssl.jpg]]
* Use tools such as [https://winscp.net/download/WinSCP-5.9.2-Setup.exe WinScp] to copy the /opt/zimbra/ssl/zimbra/ca/ca.pem file to the DC.
 
* Copy the ca.pem file and rename it to ca.crt.
 
  
To install the certificate authority (CA) on the domain controller: , open the "Microsoft Management Console":
+
<br>
1. '''Start->Run''' > Type '''mmc'''. This will open the '''Microsoft Management Console'''.
+
<small style="font-size:87%;">Leave the Microsoft Management Console open for step 8</small>
2. Click "File" > "Add/Remove Snap-In..." to open the "Add Standalone Snap-in" dialog.
+
<br>
3. From the '''Available snap-ins''' on the left, select "Certificates" and press "Add".
+
----
4. Select "Computer account" and press "Next".
+
4. '''Create''' a CSR. For this purpose we will use Microsoft's '''certreq''' utility. To generate csr, we need to create a '''*.inf''' file. Below is a sample *.inf file you ca use.  
5. Select "Local computer" and press "Finish"
+
* Open a text editor (Notepad) and paste the following text into the file. Make sure no CR/LF character is added to the "Subject =" line when you copy and paste the text. Remove if any.
6. Click "Ok" to close the "Add/Remove Snap-in" dialog.
+
* Update the Subject attributes with appropriate values. For example: CN=ad.example.com. The FQDN must be the name of the AD server.  
 +
<br>
  
Once the "Certificates snap-in" is open, expand the "Certificates" node under "Trusted Root Certification Authorities". Right-click on the "Certificates" node, select "All Tasks" -> "Import...", and import the Certificate Authority ("ca.crt") you copied from Zimbra.  
+
;----------------- csr.inf -----------------  
 +
 
 +
[Version]
 +
 +
Signature="$Windows NT$"  
 +
 +
[NewRequest]
 +
 +
Subject = "CN=<DC fqdn>, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country"  
 +
; Replace <DC fqdn> with the FQDN of your DC.
 +
; Replace the remaining Subject attributes.
 +
KeySpec = 1
 +
KeyLength = 2048
 +
HashAlgorithm = SHA256
 +
Exportable = TRUE
 +
MachineKeySet = TRUE
 +
SMIME = False
 +
PrivateKeyArchive = FALSE
 +
UserProtected = FALSE
 +
UseExistingKeySet = FALSE
 +
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"  
 +
ProviderType = 12
 +
RequestType = PKCS10
 +
KeyUsage = 0xa0
 +
 +
[EnhancedKeyUsageExtension]
 +
 +
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
 +
 +
;-----------------------------------------------
  
 +
----
 +
5. Once you have a '''inf''' file, '''generate''' a Certificate Signing Request (CSR) using certreq. Open CMD and type:
  
 +
certreq -new csr.inf ad.csr 
 +
----
 +
6. '''Create and Sign''' the certificate.
 +
Copy the ad.csr file to the ZCS server (/tmp) and run as root:
  
 +
openssl x509 -req -days 365 -in /tmp/ad.csr -CA /opt/zimbra/ssl/zimbra/ca/ca.pem -CAkey /opt/zimbra/ssl/zimbra/ca/ca.key  -set_serial 01 -out ad.crt
  
 +
That will create a file ad.crt. Copy the file (ad.crt) back to the AD server.
  
 +
(If you are purchasing an SSL certificate, send the CSR to your third-party CA and they will generate and sign the certificate for you).
 +
Note The saved certificate must be encoded as base64. Some third-party CAs return the issued certificate to the requester as base64-encoded text in an e-mail message.
  
 +
----
 +
7.  '''Accept''' the Certificate.
 +
After the ad.crt file has been copied to the AD server, run the following command to accept it, using the "certreq" utility:
  
 +
certreq -accept ad.crt
  
 +
This will accept the cert in the Windows certificate store and it will be available to those services and products that make use of the Windows certificate store. These products include but are not limited to: IIS, Exchange, Active Directory (LDAPS), Terminal Services and Microsoft Management Console (MMC).
 +
----
 +
8. Verify the certificate is installed in the computer's Personal store.
  
 +
From Step 3, open the "Certificates snap-in", expand the "Certificates" node under "Personal". The certificate should exist there. Make sure In the '''Certificate Properties''' dialog box, the intended purpose displayed is Server Authentication.
  
 +
If the certificate is not listed under '''Certificates''', do the following: Right-click on the "Certificates" node, select "All Tasks" -> "Import...", and import the "ad.crt".
  
 +
[[File:5_ad_ssl.jpg]]
 +
----
 +
9. '''Restart''' the domain controller.
  
 +
After installing the certificate you must restart the AD server.
  
 +
=Check=
 +
----
 +
1. Go back to that [https://wiki.zimbra.com/wiki/Configure_authentication_with_Active_Directory article], and check the SSL tick box (from step 1). Then proceed forward until you reach the window to test the authentication. The authentication should succeed.
  
 +
2. The next test includes the '''ldp.exe''' utility located on the DC. Click Start > Run > type ldp.exe and open it. At top left, click on "Connection" > "Connect...".
  
 +
Make sure the port is 636, the SSL check box is ticked and you type the FQDN of the AD server.
  
 +
[[File:6_ad_ssl.jpg]]
 +
----
 +
If the '''"Connect"''' is successful, the following output is produced:
  
 +
[[File:1_ad_ssl.JPG]]
 +
----
 +
Then, you can '''Bind''' to AD.
  
 +
[[File:7_ad_ssl.jpg]]
 +
----
 +
You can choose any of the authentication methods. In my case I authenticated as "aduser" user:
  
 +
[[File:8_ad_ssl.jpg]]
 +
----
  
 +
==Possible Issues==
  
 +
* '''Start TLS extended request'''
 +
LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged. Windows 2000 does not support the Start TLS extended-request functionality.
 +
* '''Multiple SSL certificates'''
 +
Schannel, the Microsoft SSL provider, selects the first valid certificate that it finds in the local computer store. If there are multiple valid certificates available in the local computer store, Schannel may not select the correct certificate.
 +
* '''Pre-SP3 SSL certificate caching issue'''
 +
If an existing LDAPS certificate is replaced with another certificate, either through a renewal process or because the issuing CA has changed, the server must be restarted for Schannel to use the new certificate. The SSL provider in Windows 2000 caches the LDAPS certificate and does not detect the change until the domain controller is restarted. This has been corrected in Service Pack 3 for Windows 2000.
  
  
{{Article Footer|Zimbra Collaboration 8.6, 8.5, 8.0| 31/05/2016}}
+
{{Article Footer|Zimbra Collaboration 8.6, 8.5, 8.0| 24/10/2016}}
{{NeedSME|SME1|SME2|COPY EDITOR}}
 

Latest revision as of 21:53, 30 October 2016

Secure Authentication between Zimbra and AD (self-signed certificate)

   KB 23061        Last updated on 2016-10-30  




0.00
(0 votes)

Purpose

How to configure authentication with Active Directory using SSL.


Prerequisite

Before everything else, make sure that the non-ssl (port 389) AD authentication is working, by following that article.


Resolution

1. Review the following article to familiarize yourself with the authentication with AD from Zimbra side in AdminUI. The only difference from the article, is that in the "Active Directory Settings", we need to check the "Use SSL:" tick box:

3 ad ssl.JPG


2. Convert the zimbra CA to .der, and copy it to the DC:

cd /opt/zimbra/ssl/zimbra/ca
openssl x509 -in ca.pem -outform der -out ad.der
  • Use tools such as WinScp to copy the /opt/zimbra/ssl/zimbra/ca/ad.der file to the DC.

3. Install the Zimbra certificate authority (CA) (ad.der) on the domain controller:

  • Start->Run > Type mmc > Right click on it > "Run as Administrator". This will open the Microsoft Management Console.
  • Click "File" > "Add/Remove Snap-In..." to open the "Add Standalone Snap-in" dialog.
  • From the Available snap-ins on the left, select "Certificates" and press "Add".
  • Select "Computer account" and press "Next".
  • Select "Local computer" and press "Finish"
  • Click "Ok" to close the "Add/Remove Snap-in" dialog.


Once the "Certificates snap-in" is open, click on the "Certificates" node under "Trusted Root Certification Authorities". Right-click on the "Certificates" node, select "All Tasks" -> "Import...", and import the Certificate Authority (in my case "ad.der") you copied from Zimbra. Accept the default location: Trusted Root Certification Authorities

4 ad ssl.jpg


Leave the Microsoft Management Console open for step 8


4. Create a CSR. For this purpose we will use Microsoft's certreq utility. To generate csr, we need to create a *.inf file. Below is a sample *.inf file you ca use.

  • Open a text editor (Notepad) and paste the following text into the file. Make sure no CR/LF character is added to the "Subject =" line when you copy and paste the text. Remove if any.
  • Update the Subject attributes with appropriate values. For example: CN=ad.example.com. The FQDN must be the name of the AD server.


;----------------- csr.inf ----------------- 
  
[Version] 

Signature="$Windows NT$" 

[NewRequest]

Subject = "CN=<DC fqdn>, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country" 
; Replace <DC fqdn> with the FQDN of your DC.
; Replace the remaining Subject attributes.
KeySpec = 1 
KeyLength = 2048 
HashAlgorithm = SHA256
Exportable = TRUE 
MachineKeySet = TRUE 
SMIME = False 
PrivateKeyArchive = FALSE 
UserProtected = FALSE 
UseExistingKeySet = FALSE 
ProviderName = "Microsoft RSA SChannel Cryptographic Provider" 
ProviderType = 12
RequestType = PKCS10 
KeyUsage = 0xa0 

[EnhancedKeyUsageExtension] 

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

;-----------------------------------------------

5. Once you have a inf file, generate a Certificate Signing Request (CSR) using certreq. Open CMD and type:

certreq -new csr.inf ad.csr  

6. Create and Sign the certificate. Copy the ad.csr file to the ZCS server (/tmp) and run as root:

openssl x509 -req -days 365 -in /tmp/ad.csr -CA /opt/zimbra/ssl/zimbra/ca/ca.pem -CAkey /opt/zimbra/ssl/zimbra/ca/ca.key  -set_serial 01 -out ad.crt

That will create a file ad.crt. Copy the file (ad.crt) back to the AD server.

(If you are purchasing an SSL certificate, send the CSR to your third-party CA and they will generate and sign the certificate for you). Note The saved certificate must be encoded as base64. Some third-party CAs return the issued certificate to the requester as base64-encoded text in an e-mail message.


7. Accept the Certificate. After the ad.crt file has been copied to the AD server, run the following command to accept it, using the "certreq" utility:

certreq -accept ad.crt

This will accept the cert in the Windows certificate store and it will be available to those services and products that make use of the Windows certificate store. These products include but are not limited to: IIS, Exchange, Active Directory (LDAPS), Terminal Services and Microsoft Management Console (MMC).


8. Verify the certificate is installed in the computer's Personal store.

From Step 3, open the "Certificates snap-in", expand the "Certificates" node under "Personal". The certificate should exist there. Make sure In the Certificate Properties dialog box, the intended purpose displayed is Server Authentication.

If the certificate is not listed under Certificates, do the following: Right-click on the "Certificates" node, select "All Tasks" -> "Import...", and import the "ad.crt".

5 ad ssl.jpg


9. Restart the domain controller.

After installing the certificate you must restart the AD server.

Check


1. Go back to that article, and check the SSL tick box (from step 1). Then proceed forward until you reach the window to test the authentication. The authentication should succeed.

2. The next test includes the ldp.exe utility located on the DC. Click Start > Run > type ldp.exe and open it. At top left, click on "Connection" > "Connect...".

Make sure the port is 636, the SSL check box is ticked and you type the FQDN of the AD server.

6 ad ssl.jpg


If the "Connect" is successful, the following output is produced:

1 ad ssl.JPG


Then, you can Bind to AD.

7 ad ssl.jpg


You can choose any of the authentication methods. In my case I authenticated as "aduser" user:

8 ad ssl.jpg


Possible Issues

  • Start TLS extended request

LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged. Windows 2000 does not support the Start TLS extended-request functionality.

  • Multiple SSL certificates

Schannel, the Microsoft SSL provider, selects the first valid certificate that it finds in the local computer store. If there are multiple valid certificates available in the local computer store, Schannel may not select the correct certificate.

  • Pre-SP3 SSL certificate caching issue

If an existing LDAPS certificate is replaced with another certificate, either through a renewal process or because the issuing CA has changed, the server must be restarted for Schannel to use the new certificate. The SSL provider in Windows 2000 caches the LDAPS certificate and does not detect the change until the domain controller is restarted. This has been corrected in Service Pack 3 for Windows 2000.


Verified Against: Zimbra Collaboration 8.6, 8.5, 8.0 Date Created: 24/10/2016
Article ID: https://wiki.zimbra.com/index.php?title=Secure_Authentication_between_Zimbra_and_AD Date Modified: 2016-10-30



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Jump to: navigation, search