Secure Authentication between Zimbra and AD

The printable version is no longer supported and may have rendering errors. Please update your browser bookmarks and please use the default browser print function instead.

Secure Authentication between Zimbra and AD (self-signed certificate)

   KB 23061        Last updated on 2016-10-18  




0.00
(0 votes)

Purpose

How to configure authentication with Active Directory using SSL.


Prerequisite

Before everything else, make sure that the non-ssl AD authentication is working, by following that article.


Resolution

1. Review the following article to familiarize yourself with the authentication with AD from Zimbra side in AdminUI. The only difference is that in the "Active Directory Settings" , the Use SSL: tick box is selected:

3 ad ssl.JPG

2. Copy the Zimbra CA file to the DC:

  • Use tools such as WinScp to copy the /opt/zimbra/ssl/zimbra/ca/ca.pem file to the DC.
  • Copy the ca.pem file in a directory and rename it to ca.crt.

3. Install the Zimbra certificate authority (CA) on the domain controller:

  • Start->Run > Type mmc. This will open the Microsoft Management Console.
  • Click "File" > "Add/Remove Snap-In..." to open the "Add Standalone Snap-in" dialog.
  • From the Available snap-ins on the left, select "Certificates" and press "Add".
  • Select "Computer account" and press "Next".
  • Select "Local computer" and press "Finish"
  • Click "Ok" to close the "Add/Remove Snap-in" dialog.

Once the "Certificates snap-in" is open, expand the "Certificates" node under "Trusted Root Certification Authorities". Right-click on the "Certificates" node, select "All Tasks" -> "Import...", and import the Certificate Authority (in my case "ca.crt") you copied from Zimbra. Accept the default location: Trusted Root Certification Authorities

4 ad ssl.jpg

3. The next step is to create a csr. For this purpose we will use Microsoft's certreq utility. To generate csr, we need to create a *.inf file. Below is a sample *.inf file you ca use. Make sure that the "Subject" line contains the FQDN of the AD server.

  • Open a text editor and paste the following text, including the beginning and ending tags, into the file. Make sure no CR/LF character is added to the "Subject =" line when you copy and paste the text. Remove if any:


;----------------- request.inf -----------------
  
[Version] 

Signature="$Windows NT$" 

[NewRequest]

Subject = "CN=mail.example.com, OU=Organizational_Unit, O=Organization, L=City, S=State, C=Country" 
; Replace mail.example.com with the FQDN of your AD server's FQDN.
; Replace the remaining Subject attributes.
KeySpec = 1 
KeyLength = 2048 
HashAlgorithm = SHA256
Exportable = TRUE 
MachineKeySet = TRUE 
SMIME = False 
PrivateKeyArchive = FALSE 
UserProtected = FALSE 
UseExistingKeySet = FALSE 
ProviderName = "Microsoft RSA SChannel Cryptographic Provider" 
ProviderType = 12
RequestType = PKCS10 
KeyUsage = 0xa0 

[EnhancedKeyUsageExtension] 

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication 

;-----------------------------------------------


  • Update the Subject attributes with appropriate values. For example: CN=mail.example.com

4. Once you have a inf file, generate a Certificate Signing Request (CSR) using certreq.

certreq -new ad.inf ad.csr  

5. Sign the certificate.

openssl x509 -req -days 365 -in ad.csr -CA ca.crt -CAkey /opt/zimbra/ssl/zimbra/ca/ca.key  -set_serial 01 -out ad.crt


6. Accept the Certificate After you get your signed certificate, you will need to "Accept" it using the certreq utility:

certreq -accept ad.crt

7. Install the certificate.

From n Step 2, open the "Certificates snap-in", expand the "Certificates" node under "Personal". Right-click on the "Certificates" node, select "All Tasks" -> "Import...", and import the "ad.crt".

5 ad ssl.jpg


8. Restart AD server


Check

To make sure the SSL is working, we can use ldp.exe. Click Start> Run > type ldp.exe and open it. At top left, click on "Connection" > "Connect...".











Verified Against: Zimbra Collaboration 8.6, 8.5, 8.0 Date Created: 31/05/2016
Article ID: https://wiki.zimbra.com/index.php?title=Secure_Authentication_between_Zimbra_and_AD Date Modified: 2016-10-18



Try Zimbra

Try Zimbra Collaboration with a 60-day free trial.
Get it now »

Want to get involved?

You can contribute in the Community, Wiki, Code, or development of Zimlets.
Find out more. »

Looking for a Video?

Visit our YouTube channel to get the latest webinars, technology news, product overviews, and so much more.
Go to the YouTube channel »


Wiki/KB reviewed by SME1 SME2 COPY EDITOR Last edit by Teodor Vizirov
Jump to: navigation, search