
ISAPI Filter LDAP Authentication Error on DMZ Server


I am writing an ISAPI filter for a web server that we have running in a DMZ. This ISAPI filter needs to connect to our internal domain controllers to authenticate against Active Directory. There is a rule in the firewall to allow traffic from the DMZ server to our domain controller on port 636, and the firewall shows that the traffic is passing through just fine. The problem lies in the ldap_connect() function. I am getting an error 0x51 Server Down when attempting to establish the connection. We use the domain controller's IP address instead of the DNS name since the web server is outside the domain.

ISAPI LDAP connection code (link against wldap32.lib):

#include <windows.h>
#include <winldap.h>
#include <string.h>
#include <stdio.h>

// Inputs supplied by the rest of the filter (declared here so the excerpt is self-contained)
extern const char *username, *password, *domain, *servers;

BOOL AuthenticateUser(void)
{
    char search[256];
    LDAP *ldap = NULL;
    ULONG ldap_response;
    ULONG version = LDAP_VERSION3;
    struct l_timeval time;
    SEC_WINNT_AUTH_IDENTITY AuthId;
    BOOL valid_user = FALSE;

    // Set search criteria (bounded write; username comes from the client, so it
    // must be RFC 4515-escaped before it is placed in a filter)
    _snprintf_s(search, sizeof search, _TRUNCATE, "(sAMAccountName=%s)", username);

    // Set timeout (30 s; tv_usec is in microseconds)
    time.tv_sec = 30;
    time.tv_usec = 30;

    // Setup user authentication
    AuthId.User = (unsigned char *) username;
    AuthId.UserLength = (ULONG) strlen(username);
    AuthId.Password = (unsigned char *) password;
    AuthId.PasswordLength = (ULONG) strlen(password);
    AuthId.Domain = (unsigned char *) domain;
    AuthId.DomainLength = (ULONG) strlen(domain);
    AuthId.Flags = SEC_WINNT_AUTH_IDENTITY_ANSI;

    // Initialize LDAP connection (secure = 1 selects LDAP over SSL on port 636)
    ldap = ldap_sslinit((PCHAR) servers, LDAP_SSL_PORT, 1);

    if (ldap != NULL)
    {
        // Set LDAP options
        ldap_set_option(ldap, LDAP_OPT_PROTOCOL_VERSION, (void *) &version);
        ldap_set_option(ldap, LDAP_OPT_SSL, LDAP_OPT_ON);

        // Make the connection: the TLS handshake happens here, and the server
        // certificate is checked against this machine's trust store
        //
        // FAILS HERE!
        //
        ldap_response = ldap_connect(ldap, &time);

        if (ldap_response == LDAP_SUCCESS)
        {
            // Bind to LDAP connection (NTLM: the dn argument is ignored, credentials come from AuthId)
            ldap_response = ldap_bind_s(ldap, (PCHAR) AuthId.User, (PCHAR) &AuthId, LDAP_AUTH_NTLM);
            valid_user = (ldap_response == LDAP_SUCCESS);
        }
    }

    // Unbind LDAP connection if LDAP is established
    if (ldap != NULL)
        ldap_unbind(ldap);

    // Return result
    return valid_user;
}

servers = <DC IP Address>

I have tested this code on my local machine that is within the same domain as AD, and it works, both LDAP and LDAP over SSL. We have a server certificate installed on our domain controller from the Active Directory Enrollment Policy but I read elsewhere that I might need to install a client certificate as well (for our web server). Is this true?

Also, we have a separate WordPress site running on the same DMZ web server that connects to LDAP over SSL just fine. It uses OpenLDAP through PHP to connect and uses the IP address of our domain controllers to connect. We have an ldap.conf file with the line: TLS_REQCERT never. Is there a way to mimic this effect in Visual C with what I'm trying to do for the ISAPI filter? Hoping this is a programming issue more than a certificate issue. If this is out of the realm of programming, please let me know or redirect me to a better place to post this.

Thanks!


Solution

  • Solved the problem by adding the CA to the certificate store on the web server. The CA was never copied over before.
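As an added illustration of the accepted fix (this is not code from the question or the answer), the following PowerShell check, run on the DMZ web server, fetches the domain controller's LDAPS certificate and asks the local machine whether it chains to a CA it trusts, the same check Wldap32 applies inside ldap_connect(). It assumes the placeholder `<DC IP Address>` from the question is replaced with the real address.

```powershell
# Added diagnostic (not from the question or answer). Run on the DMZ web server.
# It fetches the domain controller's LDAPS certificate and asks this machine
# whether the certificate chains to a CA it trusts, the same trust check that
# Wldap32 performs during ldap_connect(). Output only; nothing is changed.
param(
    [string]$DcAddress = '<DC IP Address>',   # placeholder from the question; substitute the real address
    [int]$Port = 636
)

$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($DcAddress, $Port)          # fails here if the firewall rule is wrong
} catch {
    Write-Output "TCP connect to ${DcAddress}:${Port} failed: $($_.Exception.Message)"
    return
}

# Accept whatever the DC presents so the handshake completes and the certificate
# can be inspected; the trust verdict is computed separately below.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($DcAddress)
    $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
} finally {
    $ssl.Dispose()
    $client.Close()
}

# Rebuild the chain against this machine's own certificate stores.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # DMZ hosts often cannot reach the CRL; verify revocation separately
$trusted = $chain.Build($serverCert)

Write-Output "Subject      : $($serverCert.Subject)"
Write-Output "Issuer       : $($serverCert.Issuer)"
Write-Output "Valid until  : $($serverCert.NotAfter)"
Write-Output "Chain trusted: $trusted"
foreach ($status in $chain.ChainStatus) {
    # UntrustedRoot here is the symptom behind the question: the issuing CA
    # (and any intermediates) must be imported into LocalMachine\Root / CA.
    Write-Output "  $($status.Status): $($status.StatusInformation.Trim())"
}
# Names the certificate is valid for (useful when a client also enforces a host-name match).
$san = $serverCert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
if ($san) { Write-Output "SAN          : $($san.Format($false))" }
```

The Wldap32 counterpart to OpenLDAP's TLS_REQCERT never is an LDAP_OPT_SERVER_CERTIFICATE callback that returns TRUE for every certificate, which silently disables server authentication; importing the issuing CA as the solution describes keeps validation on and is the correct fix.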