Layer7 Identity Management

Expand all | Collapse all

IMAG:  Active Directory Lab Env. with SSL/TLS Certs

  • 1.  IMAG:  Active Directory Lab Env. with SSL/TLS Certs

    Posted 08-08-2016 05:44 PM

    Team,

     

    To stay proficient with the broad security space and integration with the client/server world + cloud apps.; it is very valuable to setup your own lab environments, not only of CA solutions but likely userstores/applications that would be managed for customer use-cases.   A very common use-case, is management of one or many ADS domains, with or without an Exchange Domain.

     

    If you don't have access to a MSDN license or a company approved server key, you can leverage MS 180-day license for MS Window Servers or even the unlimited licenses for Hyper-V or Release Candidates (later versions).

     

    Example:  MS Windows 2012 R2

     

    Try Windows Server 2012 R2 | TechNet Evaluation Center

     

    You may use Vmware Workstation / ESXi  or  MS VHD Server to deploy a clean image of MS Windows OS.

     

    1) After installing the OS, you may wish to declare this OS to be your base OS; and update it accordingly with MS Windows Updates & MS Defender (or other A/V solution).

    -     With this base image, I like to install a 2nd local Admin Account &  a few adjustments

    net user  idmadmin Password01 /add

    net localgroup administrators idmadmin /add

    ..\windows_2003_resource_kit\ntrights.exe -u idmadmin +r SeServiceLogonRight

    -    Add a 2nd NIC to the OS Image (Create a Vmware network host-only network w/o dhcp & address 10.10.10.x)

    -    Download and deploy MS Sysinternals Suite, especailly both ProcExplore (replace TaskManager) & BgInfo (Stamp the background image with hostname/ip/boottime) & ProcMonitor (to debug 3rd party installs)

    Sysinternals Suite

    -    Deploy .NetFramework 3.51  (use by both embedded CA components as a pre-req and for MS-SQL)

    DISM /Online /Enable-Feature /FeatureName:NetFx3  /All

    -    Deploy a 3rd party openssl binary for MS Windows x64  [Goal:  Speed up process to build certs for lab]

              https://slproweb.com/products/Win32OpenSSL.html 

     

    2) Making a clone of the MS Windows server requires an addtional step of MS SysPrep tool

         - This tool will reinitialize the MS Windows Image, to allow it to be joined to an AD domain with no impacts.

        -  If you don't plan on making more than one image, you can skip this step; and only use the base OS image you deployed.

    -  Example:     C:\Windows\System32\Sysprep\Sysprep.exe  /generalize  /quiet   /reboot

     

    3)  After your MS Windows image is rebooted, you will answer a few localization questions (language/date/etc.), then be presented with the logon prompt.   Upon Logon, rename the hostname of the image

    -  Example:

    ::Rename Hostname Options

    set NEWHOSTNAME=dc001

    ::wmic method

    wmic computersystem where name="%COMPUTERNAME%" call rename name="%NEWHOSTNAME%"

    ::Requires a reboot action

    shutdown /r /t 30

    ::netdom alternative method

    ::netdom renamecomputer  "%COMPUTERNAME%"  /NetName:"%NEWHOSTNAME%"  /Force /Reboot

     

     

    4) After the reboot, update the IP address from DHCP to STATIC and to 10.10.10.x address

    - Example:

    ::Update from DHCP IP to Static IP Address Options

    set NIC_ADP_NAME=Ethernet1

    :: set NIC_ADP_NAME=Local Area Connection

    set IP_ADDR=10.10.10.3

    set IP_MASK=255.255.255.0

    set IP_GW=10.10.10.2

    set DNS=10.10.10.3

    ::netsh method #1

    :: Display Config

    netsh interface ip show config

    :: Save Before State

    netsh -c interface dump > c:\%COMPUTERNAME%_NIC_before_state.txt

    :: Update IP Address

    netsh interface ip set address name=%NIC_ADP_NAME% static %IP_ADDR%  %IP_MASK%  %IP_GW%  1

    ::Netsh method to update DNS to static addresses

    netsh interface ip set dns %NIC_ADP_NAME% static %DNS%

    netsh interface ip set wins %NIC_ADP_NAME% static %DNS%

     

     

    5) No reboot is required for the ip refresh; after the above step, lets ensure that MS Windows Update is working correctly.

    - Example:

    ::Scan & find latest patches

    wuauclt.exe  /DectectNow   /ReportNow

    ::Force update after scan

    Wuauclt.exe  /UpdateNow  

    ::Show Update GUI

    Wuauclt.exe    /ShowWU

     

     

    6)  Create a new MS Active Directory Domain on the MS Windows OS.   Update the DomainMode/ForestMode if desired; and replace the DomainName & DomainNetbiosNames for the correct domain name.

    ::Installing AD DS by Using Windows PowerShell

    ::Beginning with Windows Server 2012 , you can install AD DS using Windows PowerShell.

    Install-ADDSForest `-CreateDnsDelegation:$false ` -DatabasePath "C:\Windows\NTDS" ` -DomainMode "Win2012" ` -DomainName "exchange.lab" ` -DomainNetbiosName "EXCHANGE" ` -ForestMode "Win2012" ` -InstallDns:$true ` -LogPath "C:\Windows\NTDS" ` -NoRebootOnCompletion:$false ` -SysvolPath "C:\Windows\SYSVOL" ` -Force:$true

     

    7) Reboot, then login with Administrator account; validate the server now reports it is now a DC and is a member of a domain.   Use the new MS ADS tools, of ADUC (Active Directory Users and Computers) and view the DC OU.

     

    8) Check if TCP 636 is listening with a certificate.   Use MS tool ldp.exe to connect via SSL to port 636.

    Alternatively, use:   openssl s_client -connect hostname:636 -showcerts

     

    9a) Create a CA root certificate and a signed server certificate using openssl and MS tool certreq.exe.  Goal:  Avoid using the "blackbox" wizard use of MS Certificate Authority and/or Enterprise Certificate, to allow better understanding of how certificates may be created and used for AD Domain Controller.

    Active Directory requires a SCHANNEL type SSL certificate as an option to function correctly.   To ensure this format is used, recommend having the following "request.inf" file ready, update the Subject line to the correct FQDN (dc001.exchange.lab):

     

    ;----------------- request.inf -----------------

    [Version]

    Signature="$Windows NT$"

    [NewRequest]

    Subject = "CN=dc001.exchange.lab"

    ;

    KeySpec = 1

    KeyLength = 1024

    Exportable = TRUE

    MachineKeySet = TRUE

    SMIME = False

    PrivateKeyArchive = FALSE

    UserProtected = FALSE

    UseExistingKeySet = FALSE

    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"

    ProviderType = 12

    RequestType = PKCS10

    KeyUsage = 0xa0

    [EnhancedKeyUsageExtension]

    OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

     

    9b) Steps to create a CA root certificate and server certificate for AD Domain Controller.  Note, this script has variables to be updated; and it will auto-clean itself up when run every time, as long as the "names" match.

     

    @echo on

    :: Create a CA root Certificate

    :: Set an initial openssl configuration file

    set OPENSSL_CONF=C:\OpenSSL-Win64\bin\openssl.cfg

    set FQDN=dc001.exchange.lab

    set PASSWORD=P$ssword01

     

    :: Make a output folder

    mkdir c:\temp\openssl

     

    :: Clean up Certs from prior executions / stores

    certutil -delstore  "Root" ###_LAB_ROOT_CA_Cert_Auth_For_Active_Directory_###

    certutil -delstore "My" %FQDN%

     

    :: Update inf file with the latest FQDN name

    copy ADS_server_cert_request.inf   c:\temp\openssl\ADS_server_cert_request.inf

     

    :: Generate a private CA key

    cd /d C:\OpenSSL-Win64\bin

    openssl genrsa -des3 -passout pass:%PASSWORD%  -out  c:\temp\openssl\01.rootCA.key 1024

    openssl rsa -in c:\temp\openssl\01.rootCA.key -passin pass:%PASSWORD%  -out c:\temp\openssl\02.rootCA_nopassword.key 

     

    :: Create a self-signed x509 cert

    openssl req -out c:\temp\openssl\03.rootCA.crt  -key c:\temp\openssl\02.rootCA_nopassword.key -new -x509 -days 7300 -subj "/CN=###_LAB_ROOT_CA_Cert_Auth_For_Active_Directory_###"

     

    :: Execute on the Active Directory Server (DC) only

    certreq -f -new c:\temp\openssl\ADS_server_cert_request.inf  c:\temp\openssl\%FQDN%.csr

     

    :: Sign the CSR with the private CA key

    openssl x509 -req -days 3650 -in c:\temp\openssl\%FQDN%.csr  -CA c:\temp\openssl\03.rootCA.crt   -CAkey c:\temp\openssl\02.rootCA_nopassword.key  -set_serial 01 -out c:\temp\openssl\%FQDN%.crt

     

    :: On both the AD & IMPS Servers, import the CA root file into (Local Computer \ Trusted Root Cert Auth \ Certificates)

    ::   Use either the MS GUI tool of  certlm.msc  or use the MS CLI process with certutil

    certutil -addstore "Root" c:\temp\openssl\03.rootCA.crt

     

    :: Only on the AD server, accept the signed cert.  This MUST PASS to SUCCEED

    :: Cert will then be auto-copied to (Local Computer \ Personal \ Certificates )

    certreq -accept  c:\temp\openssl\%FQDN%.crt

    pause

     

     

    9c)   Call out this step for clarity.     On all of the IMPS & CCS Servers, import the CA root file into (Local Computer \ Trusted Root Cert Auth \ Certificates).    Use either the MS GUI tool of  certlm.msc  or use the MS CLI process with certutil

    certutil -addstore "Root" c:\temp\openssl\03.rootCA.crt

     

    Note:   This is the public CA root cert that would be copied to other 3rd party LDAP client tools as well.

     

    Note2:  Active Directory keystore has TWO (2) sections:   Current User and Local Computer.   Ensure that the public CA root certificates is published to Local Computer. 

     

    10)  Done.  Validate TCP 636 is available with a SSL Cert; may use MS LDP.  Note:  DC may not need to be rebooted/bounced.   ldp.exe

     

    11) Extra:   Create 120,000 accounts on your new AD domain with a for loop.  With example rates for commands:  dsadd user, dsmod user, net user:

     

    :: Batch Version for 120K accounts, e.g. add START in front, if wish to call from this file.

     

    :: Rate: 2 add/sec  - suggest parallel adds, e.g.  40K / 2 add/sec = 20K seconds /60  = 334 min = 5.6 hours

    ::START FOR /L %%i in (1,1,40000) DO dsadd user "cn=AA Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -samid aatestuser%%i -upn aatestuser%%i@exchange.dom -fn AATest -ln User%%i -display "AATest User%%i" -pwd P@ssw0rd -disabled no

    ::START FOR /L %%i in (1,1,40000) DO dsadd user "cn=BB Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -samid bbtestuser%%i -upn bbtestuser%%i@exchange.dom -fn AATest -ln User%%i -display "BBTest User%%i" -pwd P@ssw0rd -disabled no

    ::START FOR /L %%i in (1,1,40000) DO dsadd user "cn=Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -samid testuser%%i -upn testuser%%i@exchange.dom -fn Test -ln User%%i -display "Test User%%i" -pwd P@ssw0rd -disabled no

     

    :: Rate: 30 mod/sec - suggest parallel mods, e.g. 40K / 30 mod/sec = 1334 seconds / 60 = 22 min

    ::START FOR /L %%i in (1,1,40000) DO dsmod user "cn=AA Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -desc "CHANGE VIA DSMOD QUIET" -q

    ::START FOR /L %%i in (1,1,40000) DO dsmod user "cn=BB Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -desc "CHANGE VIA DSMOD QUIET" -q

    ::START FOR /L %%i in (1,1,40000) DO dsmod user "cn=Test User%%i,ou=Office_002,ou=CompanyABC_Users_OU,dc=exchange,dc=dom" -desc "CHANGE VIA DSMOD QUIET" -q

     

    :: Rate: 60 mod/sec - suggest parallel mods, e.g. 40K / 60 mod/sec = 667 seconds / 60 = 11 min

    START FOR /L %%i in (1,1,40000) DO net user aatestuser%%i /comment:"NET USER"

    START FOR /L %%i in (1,1,40000) DO net user bbtestuser%%i /comment:"NET USER"

    START FOR /L %%i in (1,1,40000) DO net user testuser%%i /comment:"NET USER"

     

    12)  Test this new domain with the following tools:

    IMPS - Active Directory Endpoint (define and Explore/Correlate)

    IMPS\bin\adsldapdiag.exe  (CLI tool)

    IMPS\bin\ldapsearch.exe  (CLI tool)

    openssl s_client -connect DC_FQDN:636  -showcerts   (CLI tool)

    Jxplorer  (install/update)

    Apache Directory Studio  (no install/update + csv export)

    SoftTerra LDAPBrowser (install/read-only tool + csv export)

    OpenLDAP ldapsearch (CLI tool)

    ldp.exe  (MS ADS GUI tool)

    ADUC (MS ADS GUI tool)

     

     

    Let me know if this was valuable.

     

     

    Cheers,

     

    A.

     

     

    Edit 8/16/2016  -  Added step 9c for clarity.  Where to copy the pubic CA root cert to, local computer (aka local machine via certlm.msc)

     

     

     

     

     

    Edit:  9/28/2016  add in script to pull from current production active directory domain, to either assist with building a lab AD domain or for role engineering exercise.



  • 2.  Re: IMAG:  Active Directory Lab Env. with SSL/TLS Certs

    Posted 09-14-2016 04:45 PM

    Great article.

     

    Have a question related to enable SSL for AD Endpoint communication.
    I am setting up a environment for IdM 12.6.7 with all components (IdM Server, AdminTools, PS & Directories) in one VM.
    Endpoint -> Security tab -> checkbox for "Use LDAP - SSL Encryption (Recommended)" is not enabled. Getting error when enabling.

    When provisioning, the user gets created. But the password sent is empty due to insecure communication.

     

    Console - enabled SSL Error
    Failed to execute ModifyActiveDirectoryEndpoint. ERROR MESSAGE: Active Directory Endpoint 'Forward-ADS' modification failed: Connector Server Modify failed: code 13 (CONFIDENTIALITY_REQUIRED): failed to modify entry: eTADSDirectoryName=Forward-ADS,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa: JCS@WIN2012: JNDI: Failed to activate connector on proxy connector server: [LDAP: error code 13 - Confidentiality Required] (ldaps://win2012.psdom.com:20411),

     

    VST
    Cause: Active Dir. Account 'Andre Confetti' on 'Forward-ADS' creation failed: Connector Server Add failed: code 80 (OTHER-LdapNamingException): failed to add entry eTADSAccountName=Andre Confetti,eTADSOrgUnitName=Support,eTADSOrgUnitName=Corporate,eTADSDirectoryName=Forward-ADS,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa: JCS@WIN2012: JNDI: [LDAP: error code 70 - Added object: CN=Andre Confetti,OU=Support,OU=Corporate,DC=psdom,DC=com Account control settings could not be set Reason: Unwilling To Perform The account was created but certain control settings were not set. A possible reason could be that the managed directory's native security policy requires accounts to have passwords. Because you are managing the directory using a non-secure connection, eTrust Admin creates accounts without passwords.]: failed to add eTADSAccountName=Andre Confetti,eTADSOrgUnitName=Support,eTADSOrgUnitName=Corporate,eTADSDirectoryName=Forward-ADS,eTNamespaceName=ActiveDirectory,dc=im,dc=etasa (ldaps://win2012.psdom.com:20411) Action: Assign user "Andre Confetti (conan01)" provisioning role "Help Desk"



  • 3.  Re: IMAG:  Active Directory Lab Env. with SSL/TLS Certs

    Posted 09-14-2016 05:34 PM

    Hi Sanjay,

     

    Microsoft enforces TLS over TCP 636; which implies that a public CA root key and a signed server key is required on the domain controller.   This port is required to manage the AD user profile with it's password.

     

    For the IM Provisioning Server (IMPS), it will attempt to communicate, and identify the singed server key, but if the IMPS server does not "know" the public CA cert, it will reject the communication with the above error message you have identified.

     

    The next step is to:

     

    1) Identify if the ADS Domain Controller is using a certificate.    OOTB ADS DC will NOT have a server cert/key (unless the company has deployed an MS Enterprise Domain Certificate).

     

    Use openssl (from IMPS\bin folder) to test if a certificate exists.    (see PDF attachment in the original post)

     

    2) if certs exist, we need to pull a copy of the public CA root cert; and store it in the local MS Windows Server keystore (where IMPS/CCS services are installed).

     

    a)   May request a copy from an AD Admin. 

    -   Possible challenge:  If there are OLDER public CA root keys that have not been cleaned up, it can be difficult to isolate the correct one.

    - Reminder:  you do NOT need the public server cert; only the public CA root key that signed the server cert.

     

    b)  Otherwise, use a 3rd party LDAP Admin tool that will pull the pull the public CA root key for you.   Then save it.

    The best 3rd party tools, that will assist are:

    i)  SoftTerra LDAPBrowser 4.5   (Read-Only LDAP tool / No cost / Require install on desktop)

        Connect to AD DC on port TCP 636; when asked, save this public CA root key to the SoftTerra keystore.

        Then export this public CA root key to a file, then import this file to the local MS Windows keystore (local computer; not personal)

     

    ii) Apache Dir Studio (Update Ldap tool / No cost / No install)

      Connect to AD DC on port TCP 636; when asked, save this public CA root key to the Apache Dir Studio keystore.

        Then export this public CA root key to a file, then import this file to the local MS Windows keystore (local computer; not personal)

     

    3) You should be able to now connect with no issue.

    Validate no issues with 3rd party LDAP tools and then with IMPS.

    If there is any issue with IMPS, bounce the im_ccs NT service  (net stop im_ccs   / net start im_ccs).

     

     

    See if this helps.

     

     

    A.

     

     

    Edit:   View of the recommended 3rd party LDAP client tools to help isolate the AD DC server public CA root cert.

     

    http://www.ldapadministrator.com/download.htm     Select LDAP Browser 4.5 TAB & 64-bit English Download (then install)

     May also select SoftTerra LDAP Admin (free for 30 day use; then pay for a full feature ldap admin update tool)  

     

     

    http://directory.apache.org/studio/downloads.html   (Requires JDK to be installed & with environmental variable JAVA_HOME defined)

     

    http://directory.apache.org/studio/download/download-windows.html

     

     

     

     



  • 4.  Re: IMAG:  Active Directory Lab Env. with SSL/TLS Certs

    Posted 09-14-2016 06:37 PM

    Thanks Alan.



  • 5.  Re: IMAG:  Active Directory Lab Env. with SSL/TLS Certs

    Posted 09-28-2016 03:25 PM

    Team,

     

    Just to build on to this conversation.

     

    To lower risk for customer projects and/or role engineering exercises, a project task to "pull" non-PII / privacy information from production AD userstores should be added.

     

     

    Three (3) objectives:  

     

    1- Pull AD DIT structure (only OU structures),

    2- Pull AD users (non-privacy select fields)

    3- Pull AD groups (select fields),

     

     

     

    ::LDIF Extract to pull ADS Domain OU/DIT structure
    ldifde -f %ts%_ADS_Domain_DIT_Export.ldif -s %DCHOSTNAME% -d %ADSDOMAIN% -p subtree -r "(objectcategory=organizationalUnit)" -l "cn,objectclass,ou"

     

    ::LDIF Extract to pull ADS Domain User Objects with select attributes
    ldifde -f %ts%_ADS_Users_Select_Fields.ldif -s %DCHOSTNAME% -d %ADSDOMAIN% -p subtree -r "(&(objectCategory=person)(objectClass=User)(displayName=*))" -l "cn,givenName,description,memberOf,samAccountName,sn,homeDirectory,homeDrive,primaryGroupID,uid,employeeid,userAccountcontrol,homeMTA,homeMDB"

     

    ::LDIF Extract to pull ADS Domain Group Objects with select attributes
    ldifde -f %ts%_ADS_Export_Groups.ldif -s %DCHOSTNAME% -d %ADSDOMAIN% -p subtree -r "(&(objectCategory=group)(objectClass=Group)(displayName=*))" -l "cn,displayName,description,whenCreated,whenChanged,memberOf,member"

     

     

    These SAME files can be used to import into the new lab AD Domain for validation of use-cases.

     

    Customers may reduce the data provided, if their enterprise architecture team has concerns on PII or privacy, with the acknowledgement of increase business risk if too much information is masked or hidden.   

     

    Note:  MS tools LDIFDE.exe and CSVDE.exe existing on MS Windows Server 2012 + by default.   Or may be pulled from any AD DC server.

     

    Any AD Domain authenticated user (non-admins) will have access to this information.  This information is how corporate address books are build.   This information is considered non-sensitive from an active directory domain architectures.

     

     

    See attachment, that will include all three (3) examples:

     

     

     

    -Alan

     

     

    Any feedback is appreciated.