Symantec IGA

Team,

To stay proficient with the broad security space and integration with the client/server world + cloud apps.; it is very valuable to setup your own lab environments, not only of CA solutions but likely userstores/applications that would be managed for customer use-cases.   A very common use-case, is management of one or many ADS domains, with or without an Exchange Domain.

If you don't have access to a MSDN license or a company approved server key, you can leverage MS 180-day license for MS Window Servers or even the unlimited licenses for Hyper-V or Release Candidates (later versions).

Example:  MS Windows 2012 R2

Try Windows Server 2012 R2 | TechNet Evaluation Center

You may use Vmware Workstation / ESXi  or  MS VHD Server to deploy a clean image of MS Windows OS.

1) After installing the OS, you may wish to declare this OS to be your base OS; and update it accordingly with MS Windows Updates & MS Defender (or other A/V solution).

-     With this base image, I like to install a 2nd local Admin Account &  a few adjustments

net user  idmadmin Password01 /add

net localgroup administrators idmadmin /add

..\windows_2003_resource_kit\ntrights.exe -u idmadmin +r SeServiceLogonRight

-    Add a 2nd NIC to the OS Image (Create a Vmware network host-only network w/o dhcp & address 10.10.10.x)

-    Download and deploy MS Sysinternals Suite, especailly both ProcExplore (replace TaskManager) & BgInfo (Stamp the background image with hostname/ip/boottime) & ProcMonitor (to debug 3rd party installs)

Sysinternals Suite

-    Deploy .NetFramework 3.51  (use by both embedded CA components as a pre-req and for MS-SQL)

DISM /Online /Enable-Feature /FeatureName:NetFx3  /All

-    Deploy a 3rd party openssl binary for MS Windows x64  [Goal:  Speed up process to build certs for lab]

          https://slproweb.com/products/Win32OpenSSL.html 

2) Making a clone of the MS Windows server requires an addtional step of MS SysPrep tool

     - This tool will reinitialize the MS Windows Image, to allow it to be joined to an AD domain with no impacts.

    -  If you don't plan on making more than one image, you can skip this step; and only use the base OS image you deployed.

-  Example:     C:\Windows\System32\Sysprep\Sysprep.exe  /generalize  /quiet   /reboot

3)  After your MS Windows image is rebooted, you will answer a few localization questions (language/date/etc.), then be presented with the logon prompt.   Upon Logon, rename the hostname of the image

-  Example:

::Rename Hostname Options

set NEWHOSTNAME=dc001

::wmic method

wmic computersystem where name="%COMPUTERNAME%" call rename name="%NEWHOSTNAME%"

::Requires a reboot action

shutdown /r /t 30

::netdom alternative method

::netdom renamecomputer  "%COMPUTERNAME%"  /NetName:"%NEWHOSTNAME%"  /Force /Reboot

4) After the reboot, update the IP address from DHCP to STATIC and to 10.10.10.x address

- Example:

::Update from DHCP IP to Static IP Address Options

set NIC_ADP_NAME=Ethernet1

:: set NIC_ADP_NAME=Local Area Connection

set IP_ADDR=10.10.10.3

set IP_MASK=255.255.255.0

set IP_GW=10.10.10.2

set DNS=10.10.10.3

::netsh method #1

:: Display Config

netsh interface ip show config

:: Save Before State

netsh -c interface dump > c:\%COMPUTERNAME%_NIC_before_state.txt

:: Update IP Address

netsh interface ip set address name=%NIC_ADP_NAME% static %IP_ADDR%  %IP_MASK%  %IP_GW%  1

::Netsh method to update DNS to static addresses

netsh interface ip set dns %NIC_ADP_NAME% static %DNS%

netsh interface ip set wins %NIC_ADP_NAME% static %DNS%

5) No reboot is required for the ip refresh; after the above step, lets ensure that MS Windows Update is working correctly.

- Example:

::Scan & find latest patches

wuauclt.exe  /DectectNow   /ReportNow

::Force update after scan

Wuauclt.exe  /UpdateNow  

::Show Update GUI

Wuauclt.exe    /ShowWU

6)  Create a new MS Active Directory Domain on the MS Windows OS.   Update the DomainMode/ForestMode if desired; and replace the DomainName & DomainNetbiosNames for the correct domain name.

::Installing AD DS by Using Windows PowerShell

::Beginning with Windows Server 2012 , you can install AD DS using Windows PowerShell.

Install-ADDSForest `-CreateDnsDelegation:$false ` -DatabasePath "C:\Windows\NTDS" ` -DomainMode "Win2012" ` -DomainName "exchange.lab" ` -DomainNetbiosName "EXCHANGE" ` -ForestMode "Win2012" ` -InstallDns:$true ` -LogPath "C:\Windows\NTDS" ` -NoRebootOnCompletion:$false ` -SysvolPath "C:\Windows\SYSVOL" ` -Force:$true

7) Reboot, then login with Administrator account; validate the server now reports it is now a DC and is a member of a domain.   Use the new MS ADS tools, of ADUC (Active Directory Users and Computers) and view the DC OU.

8) Check if TCP 636 is listening with a certificate.   Use MS tool ldp.exe to connect via SSL to port 636.

Alternatively, use:   openssl s_client -connect hostname:636 -showcerts

9a) Create a CA root certificate and a signed server certificate using openssl and MS tool certreq.exe.  Goal:  Avoid using the "blackbox" wizard use of MS Certificate Authority and/or Enterprise Certificate, to allow better understanding of how certificates may be created and used for AD Domain Controller.

Active Directory requires a SCHANNEL type SSL certificate as an option to function correctly.   To ensure this format is used, recommend having the following "request.inf" file ready, update the Subject line to the correct FQDN (dc001.exchange.lab):

;----------------- request.inf -----------------

[Version]

Signature="$Windows NT$"

[NewRequest]

Subject = "CN=dc001.exchange.lab"

;

KeySpec = 1

KeyLength = 1024

Exportable = TRUE

MachineKeySet = TRUE

SMIME = False

PrivateKeyArchive = FALSE

UserProtected = FALSE

UseExistingKeySet = FALSE

ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

ProviderType = 12

RequestType = PKCS10

KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

9b) Steps to create a CA root certificate and server certificate for AD Domain Controller.  Note, this script has variables to be updated; and it will auto-clean itself up when run every time, as long as the "names" match.

@echo on

:: Create a CA root Certificate

:: Set an initial openssl configuration file

set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg

set FQDN=dc001.exchange.lab

set PASSWORD=P$ssword01

:: Make a output folder

mkdir c:\temp\openssl

:: Clean up Certs from prior executions / stores

certutil -delstore  "Root" ###_LAB_ROOT_CA_Cert_Auth_For_Active_Directory_###

certutil -delstore "My" %FQDN%

:: Update inf file with the latest FQDN name

copy ADS_server_cert_request.inf   c:\temp\openssl\ADS_server_cert_request.inf

:: Generate a private CA key

cd /d C:\OpenSSL-Win64\bin

openssl genrsa -des3 -passout pass:%PASSWORD%  -out  c:\temp\openssl\01.rootCA.key 1024

openssl rsa -in c:\temp\openssl\01.rootCA.key -passin pass:%PASSWORD%  -out c:\temp\openssl\02.rootCA_nopassword.key 

:: Create a self-signed x509 cert

openssl req -out c:\temp\openssl\03.rootCA.crt  -key c:\temp\openssl\02.rootCA_nopassword.key -new -x509 -days 7300 -subj "/CN=###_LAB_ROOT_CA_Cert_Auth_For_Active_Directory_###"

:: Execute on the Active Directory Server (DC) only

certreq -f -new c:\temp\openssl\ADS_server_cert_request.inf  c:\temp\openssl\%FQDN%.csr

:: Sign the CSR with the private CA key

openssl x509 -req -days 3650 -in c:\temp\openssl\%FQDN%.csr  -CA c:\temp\openssl\03.rootCA.crt   -CAkey c:\temp\openssl\02.rootCA_nopassword.key  -set_serial 01 -out c:\temp\openssl\%FQDN%.crt

:: On both the AD & IMPS Servers, import the CA root file into (Local Computer \ Trusted Root Cert Auth \ Certificates)

::   Use either the MS GUI tool of  certlm.msc  or use the MS CLI process with certutil

certutil -addstore "Root" c:\temp\openssl\03.rootCA.crt

:: Only on the AD server, accept the signed cert.  This MUST PASS to SUCCEED

:: Cert will then be auto-copied to (Local Computer \ Personal \ Certificates )

certreq -accept  c:\temp\openssl\%FQDN%.crt

pause

9c)   Call out this step for clarity.     On all of the IMPS & CCS Servers, import the CA root file into (Local Computer \ Trusted Root Cert Auth \ Certificates).    Use either the MS GUI tool of  certlm.msc  or use the MS CLI process with certutil

certutil -addstore "Root" c:\temp\openssl\03.rootCA.crt

Note:   This is the public CA root cert that would be copied to other 3rd party LDAP client tools as well.

Note2:  Active Directory keystore has TWO (2) sections:   Current User and Local Computer.   Ensure that the public CA root certificates is published to Local Computer. 

10)  Done.  Validate TCP 636 is available with a SSL Cert; may use MS LDP.  Note:  DC may not need to be rebooted/bounced.   ldp.exe

11) Extra:   Create 120,000 accounts on your new AD domain with a for loop.  With example rates for commands:  dsadd user, dsmod user, net user:

:: Batch Version for 120K accounts, e.g. add START in front, if wish to call from this file.

:: Rate: 2 add/sec  - suggest parallel adds, e.g.  40K / 2 add/sec = 20K seconds /60  = 334 min = 5.6 hours

::START FOR /L %%i in (1,1,40000) DO dsadd user "cn=AA Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -samid aatestuser%%i -upn aatestuser%%i@exchange.dom -fn AATest -ln User%%i -display "AATest User%%i" -pwd P@ssw0rd -disabled no

::START FOR /L %%i in (1,1,40000) DO dsadd user "cn=BB Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -samid bbtestuser%%i -upn bbtestuser%%i@exchange.dom -fn AATest -ln User%%i -display "BBTest User%%i" -pwd P@ssw0rd -disabled no

::START FOR /L %%i in (1,1,40000) DO dsadd user "cn=Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -samid testuser%%i -upn testuser%%i@exchange.dom -fn Test -ln User%%i -display "Test User%%i" -pwd P@ssw0rd -disabled no

:: Rate: 30 mod/sec - suggest parallel mods, e.g. 40K / 30 mod/sec = 1334 seconds / 60 = 22 min

::START FOR /L %%i in (1,1,40000) DO dsmod user "cn=AA Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -desc "CHANGE VIA DSMOD QUIET" -q

::START FOR /L %%i in (1,1,40000) DO dsmod user "cn=BB Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -desc "CHANGE VIA DSMOD QUIET" -q

::START FOR /L %%i in (1,1,40000) DO dsmod user "cn=Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -desc "CHANGE VIA DSMOD QUIET" -q

:: Rate: 60 mod/sec - suggest parallel mods, e.g. 40K / 60 mod/sec = 667 seconds / 60 = 11 min

START FOR /L %%i in (1,1,40000) DO net user aatestuser%%i /comment:"NET USER"

START FOR /L %%i in (1,1,40000) DO net user bbtestuser%%i /comment:"NET USER"

START FOR /L %%i in (1,1,40000) DO net user testuser%%i /comment:"NET USER"

12)  Test this new domain with the following tools:

IMPS - Active Directory Endpoint (define and Explore/Correlate)

IMPS\bin\adsldapdiag.exe  (CLI tool)

IMPS\bin\ldapsearch.exe  (CLI tool)

openssl s_client -connect DC_FQDN:636  -showcerts   (CLI tool)

Jxplorer  (install/update)

Apache Directory Studio  (no install/update + csv export)

SoftTerra LDAPBrowser (install/read-only tool + csv export)

OpenLDAP ldapsearch (CLI tool)

ldp.exe  (MS ADS GUI tool)

ADUC (MS ADS GUI tool)

Let me know if this was valuable.

Cheers,

A.

Edit 8/16/2016  -  Added step 9c for clarity.  Where to copy the pubic CA root cert to, local computer (aka local machine via certlm.msc)

Edit:  9/28/2016  add in script to pull from current production active directory domain, to either assist with building a lab AD domain or for role engineering exercise.

Great article.

Have a question related to enable SSL for AD Endpoint communication.
I am setting up a environment for IdM 12.6.7 with all components (IdM Server, AdminTools, PS & Directories) in one VM.
Endpoint -> Security tab -> checkbox for "Use LDAP - SSL Encryption (Recommended)" is not enabled. Getting error when enabling.

When provisioning, the user gets created. But the password sent is empty due to insecure communication.

Console - enabled SSL Error
Failed to execute ModifyActiveDirectoryEndpoint. ERROR MESSAGE: Active Directory Endpoint 'Forward-ADS' modification failed: Connector Server Modify failed: code 13 (CONFIDENTIALITY_REQUIRED): failed to modify entry: eTADSDirectoryName=Forward-ADS,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa: JCS@WIN2012: JNDI: Failed to activate connector on proxy connector server: [LDAP: error code 13 - Confidentiality Required] (ldaps://win2012.psdom.com:20411),

VST
Cause: Active Dir. Account 'Andre Confetti' on 'Forward-ADS' creation failed: Connector Server Add failed: code 80 (OTHER-LdapNamingException): failed to add entry eTADSAccountName=Andre Confetti,eTADSOrgUnitName=Support,eTADSOrgUnitName=Corporate,eTADSDirectoryName=Forward-ADS,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa: JCS@WIN2012: JNDI: [LDAP: error code 70 - Added object: CN=Andre Confetti,OU=Support,OU=Corporate,DC=psdom,DC=com Account control settings could not be set Reason: Unwilling To Perform The account was created but certain control settings were not set. A possible reason could be that the managed directory's native security policy requires accounts to have passwords. Because you are managing the directory using a non-secure connection, eTrust Admin creates accounts without passwords.]: failed to add eTADSAccountName=Andre Confetti,eTADSOrgUnitName=Support,eTADSOrgUnitName=Corporate,eTADSDirectoryName=Forward-ADS,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa (ldaps://win2012.psdom.com:20411) Action: Assign user "Andre Confetti (conan01)" provisioning role "Help Desk"

Hi Sanjay,

Microsoft enforces TLS over TCP 636; which implies that a public CA root key and a signed server key is required on the domain controller.   This port is required to manage the AD user profile with it's password.

For the IM Provisioning Server (IMPS), it will attempt to communicate, and identify the singed server key, but if the IMPS server does not "know" the public CA cert, it will reject the communication with the above error message you have identified.

The next step is to:

1) Identify if the ADS Domain Controller is using a certificate.    OOTB ADS DC will NOT have a server cert/key (unless the company has deployed an MS Enterprise Domain Certificate).

Use openssl (from IMPS\bin folder) to test if a certificate exists.    (see PDF attachment in the original post)

2) if certs exist, we need to pull a copy of the public CA root cert; and store it in the local MS Windows Server keystore (where IMPS/CCS services are installed).

a)   May request a copy from an AD Admin. 

-   Possible challenge:  If there are OLDER public CA root keys that have not been cleaned up, it can be difficult to isolate the correct one.

- Reminder:  you do NOT need the public server cert; only the public CA root key that signed the server cert.

b)  Otherwise, use a 3rd party LDAP Admin tool that will pull the pull the public CA root key for you.   Then save it.

The best 3rd party tools, that will assist are:

i)  SoftTerra LDAPBrowser 4.5   (Read-Only LDAP tool / No cost / Require install on desktop)

    Connect to AD DC on port TCP 636; when asked, save this public CA root key to the SoftTerra keystore.

    Then export this public CA root key to a file, then import this file to the local MS Windows keystore (local computer; not personal)

ii) Apache Dir Studio (Update Ldap tool / No cost / No install)

  Connect to AD DC on port TCP 636; when asked, save this public CA root key to the Apache Dir Studio keystore.

    Then export this public CA root key to a file, then import this file to the local MS Windows keystore (local computer; not personal)

3) You should be able to now connect with no issue.

Validate no issues with 3rd party LDAP tools and then with IMPS.

If there is any issue with IMPS, bounce the im_ccs NT service  (net stop im_ccs   / net start im_ccs).

See if this helps.

A.

Edit:   View of the recommended 3rd party LDAP client tools to help isolate the AD DC server public CA root cert.

http://www.ldapadministrator.com/download.htm     Select LDAP Browser 4.5 TAB & 64-bit English Download (then install)

 May also select SoftTerra LDAP Admin (free for 30 day use; then pay for a full feature ldap admin update tool)  

http://directory.apache.org/studio/downloads.html   (Requires JDK to be installed & with environmental variable JAVA_HOME defined)

http://directory.apache.org/studio/download/download-windows.html

Thanks Alan.

Team,

Just to build on to this conversation.

To lower risk for customer projects and/or role engineering exercises, a project task to "pull" non-PII / privacy information from production AD userstores should be added.

Three (3) objectives:  

1- Pull AD DIT structure (only OU structures),

2- Pull AD users (non-privacy select fields)

3- Pull AD groups (select fields),

::LDIF Extract to pull ADS Domain OU/DIT structure
ldifde -f %ts%_ADS_Domain_DIT_Export.ldif -s %DCHOSTNAME% -d %ADSDOMAIN% -p subtree -r "(objectcategory=organizationalUnit)" -l "cn,objectclass,ou"

::LDIF Extract to pull ADS Domain User Objects with select attributes
ldifde -f %ts%_ADS_Users_Select_Fields.ldif -s %DCHOSTNAME% -d %ADSDOMAIN% -p subtree -r "(&(objectCategory=person)(objectClass=User)(displayName=*))" -l "cn,givenName,description,memberOf,samAccountName,sn,homeDirectory,homeDrive,primaryGroupID,uid,employeeid,userAccountcontrol,homeMTA,homeMDB"

::LDIF Extract to pull ADS Domain Group Objects with select attributes
ldifde -f %ts%_ADS_Export_Groups.ldif -s %DCHOSTNAME% -d %ADSDOMAIN% -p subtree -r "(&(objectCategory=group)(objectClass=Group)(displayName=*))" -l "cn,displayName,description,whenCreated,whenChanged,memberOf,member"

These SAME files can be used to import into the new lab AD Domain for validation of use-cases.

Customers may reduce the data provided, if their enterprise architecture team has concerns on PII or privacy, with the acknowledgement of increase business risk if too much information is masked or hidden.   

Note:  MS tools LDIFDE.exe and CSVDE.exe existing on MS Windows Server 2012 + by default.   Or may be pulled from any AD DC server.

Any AD Domain authenticated user (non-admins) will have access to this information.  This information is how corporate address books are build.   This information is considered non-sensitive from an active directory domain architectures.

See attachment, that will include all three (3) examples:

-Alan

Any feedback is appreciated.