Otdfbt

Command of files and size

What is the logic behind charging tax _in the form of money_ for owning property when the property does not produce money?

Do you need to let the DM know when you are multiclassing?

That's not my X, its Y is too Z

How durable are silver inlays on a blade?

Does the new finding on "reversing a quantum jump mid-flight" rule out any interpretations of QM?

How do we say "within a kilometer radius spherically"?

C++ logging library

How can one's career as a reviewer be ended?

What STL algorithm can determine if exactly one item in a container satisfies a predicate?

Transfer custom ringtones to iPhone using a computer running Linux

Is Lambda Calculus purely syntactic?

Tikz-cd diagram arrow passing under a node - not crossing it

Accessing /systemTopic/ streaming channel

Proving that a Russian cryptographic standard is too structured

How far would a landing Airbus A380 go until it stops with no brakes?

Is there a DSLR/mirorless camera with minimal options like a classic, simple SLR?

Are polynomials with the same roots identical?

What would be the way to say "just saying" in German? (Not the literal translation)

Do you have to have figures when playing D&D?

How can I remove material from this wood beam?

What is the Leave No Trace way to dispose of coffee grounds?

Why is long-term living in Almost-Earth causing severe health problems?

Use 1 9 6 2 in this order to make 75

How to enable LDAP over SSL/TLS in AD without installing AD Certificate Services

Windows 2003 Domain - Certificate Authority - New Automatic Certificate RequestAuthenticate VPN with Active Directory and Sonicwall TZ 200 Device?Certificate Template Missing from “Certificate Template to Issue”How are my VPN tunnels being routed from both ends?ISAPI filter with LDAP over SSL only works as administratorCreate and use intermediate certificate authority on Windows Server 2012?AD Certificate Templates does not appearUnnecessary Certificate Authority in DomainRADIUS w/ NPS, Sonicwall, and Meru WirelessRenaming of domain in Active Directory with Certificate authority

.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty height:90px;width:728px;box-sizing:border-box;

1

I am installing a Sonicwall firewall into my organization. I've connected the Sonicwall with the Active Directory domain, however now on the status page of the appliance there is a huge warning:

WARNING: LDAP is being used without TLS - this is highly insecure.

I understand that connection between the FW and the DC is made with clear text and although this is not much of a problem because the Sonicwall and the Domain Controllers are in the local network and in the same subnet, we still want to encrypt the traffic to comply with our regulations.

As I made my search on other forums people are mentioning that I need to apply a certificate to the Domain Controller as per this MS article which is also mentioning the installation of AD Certificate services.

Is there any other way to do encrypt the LDAP traffic without installation of the additional role (AD CS) on the Domain Controller? Installing additional role to the Domain Controller, just for one simple task seems like an overkill to me - like nailing a needle with a sledgehammer.

Also If I am really to install and deploy a Certification Authority to our organization what would be the impact on it? I don't have experience working with it, so are there any implications and/or problems for which I am to be aware of?

active-directory encryption certificate-authority sonicwall ad-certificate-services

share|improve this question

asked Sep 9 '15 at 10:37

SpiritSpirit

74462343

add a comment | 

1

I am installing a Sonicwall firewall into my organization. I've connected the Sonicwall with the Active Directory domain, however now on the status page of the appliance there is a huge warning:

WARNING: LDAP is being used without TLS - this is highly insecure.

I understand that connection between the FW and the DC is made with clear text and although this is not much of a problem because the Sonicwall and the Domain Controllers are in the local network and in the same subnet, we still want to encrypt the traffic to comply with our regulations.

As I made my search on other forums people are mentioning that I need to apply a certificate to the Domain Controller as per this MS article which is also mentioning the installation of AD Certificate services.

Is there any other way to do encrypt the LDAP traffic without installation of the additional role (AD CS) on the Domain Controller? Installing additional role to the Domain Controller, just for one simple task seems like an overkill to me - like nailing a needle with a sledgehammer.

Also If I am really to install and deploy a Certification Authority to our organization what would be the impact on it? I don't have experience working with it, so are there any implications and/or problems for which I am to be aware of?

active-directory encryption certificate-authority sonicwall ad-certificate-services

share|improve this question

asked Sep 9 '15 at 10:37

SpiritSpirit

74462343

add a comment | 

I am installing a Sonicwall firewall into my organization. I've connected the Sonicwall with the Active Directory domain, however now on the status page of the appliance there is a huge warning:

WARNING: LDAP is being used without TLS - this is highly insecure.

I understand that connection between the FW and the DC is made with clear text and although this is not much of a problem because the Sonicwall and the Domain Controllers are in the local network and in the same subnet, we still want to encrypt the traffic to comply with our regulations.

As I made my search on other forums people are mentioning that I need to apply a certificate to the Domain Controller as per this MS article which is also mentioning the installation of AD Certificate services.

Is there any other way to do encrypt the LDAP traffic without installation of the additional role (AD CS) on the Domain Controller? Installing additional role to the Domain Controller, just for one simple task seems like an overkill to me - like nailing a needle with a sledgehammer.

Also If I am really to install and deploy a Certification Authority to our organization what would be the impact on it? I don't have experience working with it, so are there any implications and/or problems for which I am to be aware of?

active-directory encryption certificate-authority sonicwall ad-certificate-services

share|improve this question

asked Sep 9 '15 at 10:37

SpiritSpirit

74462343

WARNING: LDAP is being used without TLS - this is highly insecure.

share|improve this question

asked Sep 9 '15 at 10:37

SpiritSpirit

74462343

share|improve this question

asked Sep 9 '15 at 10:37

SpiritSpirit

74462343

asked Sep 9 '15 at 10:37

SpiritSpirit

74462343

asked Sep 9 '15 at 10:37

SpiritSpirit

74462343

1 Answer
1

active

oldest

votes

0

TLS requires certificates. If you don't want to install and manage your own CA, purchase/acquire a certificate from a public CA.

share|improve this answer

answered Sep 9 '15 at 12:50

Greg AskewGreg Askew

29.4k33770

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  We can't .. the domain is like dc.domain.local
  
  – Spirit
  Sep 9 '15 at 13:32
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  mdmarra.com/2012/11/why-you-shouldnt-use-local-in-your.html. In that case, I would suggest turning up a VM and implement your own CA. For a small organization with limited certificate usage, it isn't that difficult. If you want computers to have auto-enroll capability, it would need to be an Enterprise CA (not Standalone).
  
  – Greg Askew
  Sep 9 '15 at 13:38
  

  
  
  
  

add a comment | 

Your Answer

StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "2"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: true,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: 10,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);

draft saved

draft discarded

Sign up or log in

StackExchange.ready(function ()
StackExchange.helpers.onClickDraftSave('#login-link');
);

Sign up using Google

Sign up using Facebook

Sign up using Email and Password

Post as a guest

Name

Email

Required, but never shown

StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fserverfault.com%2fquestions%2f721142%2fhow-to-enable-ldap-over-ssl-tls-in-ad-without-installing-ad-certificate-services%23new-answer', 'question_page');

);

Post as a guest

Name

Email

Required, but never shown

0

TLS requires certificates. If you don't want to install and manage your own CA, purchase/acquire a certificate from a public CA.

share|improve this answer

answered Sep 9 '15 at 12:50

Greg AskewGreg Askew

29.4k33770

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  We can't .. the domain is like dc.domain.local
  
  – Spirit
  Sep 9 '15 at 13:32
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  mdmarra.com/2012/11/why-you-shouldnt-use-local-in-your.html. In that case, I would suggest turning up a VM and implement your own CA. For a small organization with limited certificate usage, it isn't that difficult. If you want computers to have auto-enroll capability, it would need to be an Enterprise CA (not Standalone).
  
  – Greg Askew
  Sep 9 '15 at 13:38
  

  
  
  
  

add a comment | 

0

TLS requires certificates. If you don't want to install and manage your own CA, purchase/acquire a certificate from a public CA.

share|improve this answer

answered Sep 9 '15 at 12:50

Greg AskewGreg Askew

29.4k33770

• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  We can't .. the domain is like dc.domain.local
  
  – Spirit
  Sep 9 '15 at 13:32
  

  
  
  
  


• 
  
  
  

  
  

  
  
  
  
  
  

  
  
  mdmarra.com/2012/11/why-you-shouldnt-use-local-in-your.html. In that case, I would suggest turning up a VM and implement your own CA. For a small organization with limited certificate usage, it isn't that difficult. If you want computers to have auto-enroll capability, it would need to be an Enterprise CA (not Standalone).
  
  – Greg Askew
  Sep 9 '15 at 13:38
  

  
  
  
  

add a comment | 

TLS requires certificates. If you don't want to install and manage your own CA, purchase/acquire a certificate from a public CA.

share|improve this answer

answered Sep 9 '15 at 12:50

Greg AskewGreg Askew

29.4k33770

share|improve this answer

answered Sep 9 '15 at 12:50

Greg AskewGreg Askew

29.4k33770

answered Sep 9 '15 at 12:50

Greg AskewGreg Askew

29.4k33770

answered Sep 9 '15 at 12:50

Greg AskewGreg Askew

29.4k33770