Secure Authentication between Zimbra and AD (self-signed certificate)
Revision as of 13:34, 18 October 2016
Applies to: ZCS 8.0, 8.5, 8.6
Purpose
How to configure Zimbra domain authentication against Active Directory over SSL/TLS (LDAPS), using a certificate for the domain controller that is issued by Zimbra's own self-signed CA.
Prerequisite
For a better overview of authentication against AD and how to configure it, see the following article:
Resolution
1. Review the following article to familiarize yourself with configuring AD authentication from the Zimbra side in the Admin UI. The only difference is that under "Active Directory Settings" the "Use SSL" tick box is selected. With that box ticked, Zimbra connects to the domain controller over LDAPS (TCP 636 by default) and validates the certificate the DC presents; the remaining steps give the DC a certificate issued by Zimbra's own CA, which Zimbra already trusts, so that validation succeeds:
2. After configuring domain authentication with AD in Zimbra, import the Zimbra CA certificate into the DC's trust store:
- Use a tool such as WinSCP to copy /opt/zimbra/ssl/zimbra/ca/ca.pem from the Zimbra server to the DC.
- Copy the ca.pem file and rename the copy to ca.crt. This is only the public CA certificate; the CA's private key, /opt/zimbra/ssl/zimbra/ca/ca.key, must stay on the Zimbra server. Keep in mind that once ca.crt is in the DC's Trusted Root store, the DC trusts every certificate ever signed with that key, so ca.key deserves the same protection as any other CA key.
To install the certificate authority (CA) on the domain controller, open the Microsoft Management Console:
- Start->Run > type mmc. This will open the Microsoft Management Console.
- Click "File" > "Add/Remove Snap-in..." to open the "Add Standalone Snap-in" dialog.
- From the Available snap-ins on the left, select "Certificates" and press "Add".
- Select "Computer account" and press "Next".
- Select "Local computer" and press "Finish".
- Click "OK" to close the "Add/Remove Snap-in" dialog.
Once the "Certificates snap-in" is open, expand the "Certificates" node under "Trusted Root Certification Authorities". Right-click on the "Certificates" node, select "All Tasks" -> "Import...", and import the Certificate Authority ("ca.crt") you copied from Zimbra.
3. The next step is to create a CSR on the DC. For this purpose we use Microsoft's certreq utility, which reads its parameters from an .inf file. Below is a sample .inf file you can use. Make sure that the "Subject" line contains the FQDN of the DC exactly as Zimbra addresses it in the LDAPS URL; a name that does not match the host Zimbra connects to makes the certificate useless for this purpose.
- Open a text editor and paste the following text, including the beginning and ending comment lines, into the file. Make sure no CR/LF character is added inside the "Subject =" line when you copy and paste the text; remove any that are:
;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=mail.example.com, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country"
; Replace mail.example.com with the FQDN of your AD server (the DC).
; Replace the remaining Subject attributes.
KeySpec = 1
KeyLength = 2048
HashAlgorithm = SHA256
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0
; 0xa0 = digitalSignature (0x80) + keyEncipherment (0x20)

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------
- Update the Subject attributes with appropriate values. For example: CN=mail.example.com, where mail.example.com stands for the DC's FQDN. Two of the other settings matter for security: MachineKeySet = TRUE is required, because the key pair must live in the computer's store (not the user's) for the DC's LDAP service to use it; Exportable = TRUE, on the other hand, lets the private key be exported from the DC later, which LDAPS does not need, so set it to FALSE unless you intend to back the key up.
4. Save the file as ad.inf (the sample's header says request.inf; the name is arbitrary, just use the same one in the command) and, from an elevated command prompt on the DC, generate the Certificate Signing Request (CSR) with certreq. This creates the key pair in the local machine store and leaves a pending request there until the issued certificate is installed:
certreq -new ad.inf ad.csr
5. Sign the certificate. Copy ad.csr to the Zimbra server and run the following there (as root or the zimbra user), since that is where the CA's private key lives; -CA is the original ca.pem, the same file you renamed to ca.crt on the DC, and -sha256 avoids the SHA-1 default of older OpenSSL builds:
openssl x509 -req -sha256 -days 365 -in ad.csr -CA /opt/zimbra/ssl/zimbra/ca/ca.pem -CAkey /opt/zimbra/ssl/zimbra/ca/ca.key -set_serial 01 -out ad.crt
Two caveats. First, openssl x509 -req does not copy the extensions in the CSR into the issued certificate unless you pass -extfile, so the Server Authentication EKU requested in the .inf is not present in the ad.crt this command produces; if the DC does not start serving the certificate on port 636, inspect ad.crt with openssl x509 -text and check which extensions made it in. Second, -set_serial 01 hard-codes the serial number; every certificate issued by the same CA must have a unique serial, so change it each time you re-issue, and note the 365-day validity when planning renewal.
6. Install the certificate. Copy ad.crt back to the DC. As in step 2, open the "Certificates" snap-in for the computer account, expand the "Certificates" node under "Personal", right-click on the "Certificates" node, select "All Tasks" -> "Import...", and import ad.crt. Alternatively, certreq -accept ad.crt installs it and binds it to the private key of the pending request from step 4. Either way, open the imported certificate afterwards and confirm it reports that you have a private key corresponding to it: a certificate in Personal without its private key cannot be used for LDAPS. The DC should then begin presenting the new certificate on port 636 (if it does not after a short while, restart the DC); verify from the Zimbra server that the DC's LDAPS port presents the new certificate and that the AD authentication test in the Admin UI succeeds.
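As an added example (not from the Zimbra wiki page or from Zimbra itself), the following POSIX shell script performs step 5 on the Zimbra side the way a practitioner would want it: it signs the DC's CSR with the Zimbra CA while re-adding the Server Authentication EKU, key usage and a SAN for the DC's FQDN (extensions that openssl x509 -req otherwise drops from the CSR), uses a random serial instead of the fixed 01, and then checks the issued certificate (chain, name, EKU) before it is copied to the DC. The page's original command is kept alongside so the check can show what it loses. The function names, the CA_CERT/CA_KEY variables, and the demo fixtures (a throwaway CA and a CSR for dc01.example.com, generated locally so the script runs offline) are this example's own assumptions; a real run points CA_CERT/CA_KEY at the Zimbra CA and takes ad.csr from certreq.

```shell
#!/bin/sh
# Added example, not part of the Zimbra wiki page: sign a DC's certreq CSR with
# Zimbra's self-signed CA so the issued certificate keeps the extensions LDAPS
# needs, then check it before it is copied to the DC.
# Assumptions: CA_CERT/CA_KEY default to Zimbra's CA paths; the DC FQDN and the
# demo fixtures (dc01.example.com, a throwaway CA) are constructed for this example.
set -eu

CA_CERT="${CA_CERT:-/opt/zimbra/ssl/zimbra/ca/ca.pem}"
CA_KEY="${CA_KEY:-/opt/zimbra/ssl/zimbra/ca/ca.key}"

# The page's original command: no -extfile, so the CSR's EKU is dropped and
# every certificate gets serial 01.  Kept only to show what the check reports.
sign_without_extensions() {
  openssl x509 -req -days 365 -in "$1" -CA "$CA_CERT" -CAkey "$CA_KEY" \
    -set_serial 01 -out "$2" 2>/dev/null
}

# sign_dc_csr <csr> <dc-fqdn> <out-crt>: hardened signing.  openssl x509 -req
# ignores extensions inside the CSR, so serverAuth EKU, key usage and a SAN for
# the FQDN are supplied via -extfile; the serial is 64 random bits.
sign_dc_csr() {
  csr="$1"; fqdn="$2"; out="$3"
  ext="$(mktemp)"
  cat >"$ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${fqdn}
subjectKeyIdentifier = hash
EOF
  openssl x509 -req -sha256 -days 365 -in "$csr" -CA "$CA_CERT" -CAkey "$CA_KEY" \
    -set_serial "0x$(openssl rand -hex 8)" -extfile "$ext" -out "$out" 2>/dev/null
  rm -f "$ext"
}

# check_ldaps_cert <crt> <dc-fqdn>: returns 0 only if the certificate chains to
# CA_CERT, names the FQDN Zimbra will connect to, and carries the serverAuth EKU.
check_ldaps_cert() {
  crt="$1"; fqdn="$2"
  verdict="$(openssl verify -CAfile "$CA_CERT" "$crt" 2>&1 || true)"
  case "$verdict" in
    *": OK"*) ;;
    *) echo "chain: $verdict"; return 1 ;;
  esac
  text="$(openssl x509 -in "$crt" -noout -text)"
  if printf '%s\n' "$text" | grep -q "DNS:${fqdn}"; then
    :
  elif printf '%s\n' "$text" | grep -q "Subject:.*CN *= *${fqdn}"; then
    echo "warning: ${fqdn} only in CN, no SAN (current TLS clients prefer the SAN)"
  else
    echo "name: ${fqdn} is in neither SAN nor CN"; return 1
  fi
  printf '%s\n' "$text" | grep -q "TLS Web Server Authentication" \
    || { echo "EKU: Server Authentication missing (the DC will not use it for LDAPS)"; return 1; }
  echo "OK: $(openssl x509 -in "$crt" -noout -subject -enddate | tr '\n' ' ')"
}

# make_demo_fixtures <dir>: constructed stand-ins for the real inputs so the
# script runs offline: a throwaway CA (in place of Zimbra's ca.pem/ca.key) and a
# CSR for dc01.example.com (in place of ad.csr from certreq).  Sets CA_CERT/CA_KEY.
make_demo_fixtures() {
  d="$1"
  printf '[req]\ndistinguished_name=dn\nprompt=no\nx509_extensions=ca_ext\n[dn]\nCN=Demo Zimbra CA\n[ca_ext]\nbasicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\nsubjectKeyIdentifier=hash\n' >"$d/ca.cnf"
  openssl req -x509 -new -newkey rsa:2048 -nodes -sha256 -days 365 \
    -config "$d/ca.cnf" -keyout "$d/ca.key" -out "$d/ca.pem" 2>/dev/null
  printf '[req]\ndistinguished_name=dn\nprompt=no\n[dn]\nCN=dc01.example.com\n' >"$d/dc.cnf"
  openssl req -new -newkey rsa:2048 -nodes -config "$d/dc.cnf" \
    -keyout "$d/dc.key" -out "$d/dc.csr" 2>/dev/null
  CA_CERT="$d/ca.pem"; CA_KEY="$d/ca.key"
}

# demo: run the page's command and the hardened one side by side on the fixtures.
demo() {
  d="$(mktemp -d)"
  make_demo_fixtures "$d"
  sign_without_extensions "$d/dc.csr" "$d/plain.crt"
  check_ldaps_cert "$d/plain.crt" dc01.example.com || echo "  -> the page's command lost the EKU"
  sign_dc_csr "$d/dc.csr" dc01.example.com "$d/dc.crt"
  check_ldaps_cert "$d/dc.crt" dc01.example.com
  rm -rf "$d"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as "sh script.sh demo" to see both outcomes on the throwaway CA. For the real step 5, run it on the Zimbra server as root or the zimbra user, leave CA_CERT/CA_KEY at their defaults (Zimbra's CA paths) and call sign_dc_csr with ad.csr, the DC's FQDN and ad.crt. After the certificate is installed on the DC, the same check_ldaps_cert can be applied to the live service by saving the leaf certificate that openssl s_client -connect <dc-fqdn>:636 -showcerts prints; a chain or name failure there is what Zimbra will also run into.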