How to Enable LDAP over TLS on a SonicWall without a Certificate Authority (CA)

1. Log into the domain controller you wish to use for LDAP authentication and create a self-signed certificate by opening PowerShell as an administrator and running the command below, where dc-name. is the FQDN of the domain controller you are authenticating to. This certificate will be good for 10 years; modify the AddYears parameter to change the number of years. Please note that this is a single continuous command that has been word-wrapped to fit the page. If you are going to copy and paste, I recommend pasting into Notepad first and joining it back into one line before pasting into PowerShell. One caveat: the command as written selects -HashAlgorithm SHA1, and SHA1-signed certificates are rejected by current TLS clients. Use SHA256 instead unless your SonicWall firmware turns out not to accept it; nothing else in the procedure changes.

a. New-SelfSignedCertificate -Subject dc-name. -HashAlgorithm SHA1 -KeyUsage KeyEncipherment,DataEncipherment -KeyUsageProperty All -TextExtension @("2.5.29.37={text}1.3.6.1.5.5.7.3.1") -NotAfter (Get-Date).AddYears(10)

2. Open the Microsoft Management Console (mmc.exe) and click File > Add/Remove Snap-in, add Certificates to the Console Root, and tick Computer account. Click Next, Finish, and OK.

3. Expand Certificates (Local Computer), expand Personal if it is not already expanded, and click Certificates. Right-click the certificate (it should have the same name as the one you created in Step 1) and click Properties. Click the Extended Validation tab and type the following sequence, without quotes, into the Add OID field: "1.3.6.1.5.5.7.3.1". Click the "Add OID" button, click Apply, and click OK. Note that the -TextExtension parameter in Step 1 already stamps the Server Authentication EKU (1.3.6.1.5.5.7.3.1) onto the certificate; you can confirm this on the Details tab under Enhanced Key Usage, and this step is only needed if that extension is missing.

4. Right-click this newly-modified certificate and click Copy. Right-click "Trusted Root Certification Authorities" and click Paste.

5. Make sure you are back in the Personal store. Right-click your certificate, click All Tasks, and click Export. The Certificate Export Wizard will open. Click Next. Make sure "No, do not export the private key" is ticked and click Next. Make sure "DER encoded binary X.509 (.CER)" is ticked and click Next. Click Browse and choose a file location that will be accessible by the SonicWall. In the File Name field, type in a name that is meaningful, such as the name of the exported certificate, but do not use dots in the name or the .cer extension won't get added (e.g. dc-name_mydomain_com). Click Save, click Next, and then click Finish. A window should open stating "The export was successful". Click OK. Close the MMC window. Click No when prompted to save. You can wait for the certificate store to refresh (this can take up to 8 hours) or you can reboot the domain controller. Alternatively, on Windows Server 2008 and later you can make AD DS pick up the new certificate immediately by writing the value 1 to the renewServerCertificate attribute of rootDSE (for example with ldifde or an ADSI script).

6. After the certificate store has refreshed, browse to the management interface of the SonicWall UTM device. After you have authenticated, browse to System > Certificates. Tick "Imported certificates and requests" and click the Import button. Tick the "Import a CA certificate from a PKCS#7 (.p7b), PEM (.pem) or DER (.der or .cer) encoded file" button and click Browse. Navigate to the file location you chose in Step 5, select the certificate name, click Open, and click Import. Verify that the certificate has imported.

7. Click Users > Settings, change User authentication method to "LDAP + Local Users" and configure the SonicWall as you normally would for this section (if you need help with this, check other Spiceworks discussions). In the Settings tab, the "Name or IP address" field should be the FQDN of the DC you are using for LDAP authentication. Tick "Use TLS (SSL)" and untick "Require valid certificate from server". Ignore any warnings and click Apply. After you have fully configured this section, click the Test tab, type in a valid domain user account in the User field and the password for this account. Click Test. In the "Test Status" field, you should get the response "LDAP authentication succeeded". Click Apply and OK. Be aware that with "Require valid certificate from server" unticked the SonicWall encrypts the LDAP session but does not verify that it is talking to your DC rather than to something in the middle; the point of importing the .cer in Step 6 is to let that check pass, so once the test succeeds, re-tick the option, click Apply, and run the test again.
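The DC-side part of the procedure (Steps 1 through 5) can be scripted, and the result can be checked without the SonicWall by doing a TLS handshake against port 636. The script below is an added example written for this page, not code from the original guide. It assumes an elevated PowerShell session on the DC; $DcFqdn and $ExportDir are placeholders you must change. It deliberately departs from the guide's one-liner in two ways: it signs with SHA256 rather than SHA1, and it adds -DnsName so the FQDN also appears in the Subject Alternative Name, which is what TLS clients match against. The EKU text extension is the same Server Authentication OID the guide uses.

```powershell
# Added example, not part of the original guide. Run as administrator on the DC.
$DcFqdn    = 'dc-name.mydomain.com'   # assumption: replace with your DC's FQDN
$ExportDir = 'C:\Temp'                # assumption: a path the SonicWall admin can reach

# Step 1: self-signed server-auth certificate in the Local Machine Personal store.
# SHA256 instead of SHA1; -DnsName puts the FQDN into the SAN extension.
$cert = New-SelfSignedCertificate `
    -Subject "CN=$DcFqdn" `
    -DnsName $DcFqdn `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -HashAlgorithm SHA256 `
    -KeyUsage KeyEncipherment, DataEncipherment, DigitalSignature `
    -KeyUsageProperty All `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -NotAfter (Get-Date).AddYears(10)

# Step 4: make the DC trust its own certificate (copy into Trusted Root).
$root = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$root.Open('ReadWrite')
$root.Add($cert)
$root.Close()

# Step 5: export the public certificate only, DER encoded, with no dots in the file name.
$cerPath = Join-Path $ExportDir (($DcFqdn -replace '\.', '_') + '.cer')
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null
Write-Host "Exported $cerPath (thumbprint $($cert.Thumbprint)); import this on the SonicWall."

# Instead of waiting up to 8 hours or rebooting, tell AD DS to reload its
# server certificate now (rootDSE renewServerCertificate, Windows Server 2008+).
$rootDse = [ADSI]'LDAP://RootDSE'
$rootDse.Put('renewServerCertificate', 1)
$rootDse.SetInfo()

# Verification: TLS handshake on 636, reporting which certificate the DC served and
# whether it validated. Validation errors are recorded rather than aborting the
# handshake, so you can see the thumbprint even from a host that does not trust the .cer.
function Test-Ldaps {
    param([string]$HostName, [int]$Port = 636)
    $script:tlsErrors = $null
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:tlsErrors = $sslPolicyErrors
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Protocol         = $ssl.SslProtocol
            Thumbprint       = $served.Thumbprint
            Subject          = $served.Subject
            NotAfter         = $served.NotAfter
            ValidationErrors = $script:tlsErrors   # 'None' means the chain and name checked out
        }
    } finally {
        $tcp.Close()
    }
}

Test-Ldaps -HostName $DcFqdn
```

If the Thumbprint reported by Test-Ldaps does not match the one printed at export, the DC is still serving a different certificate (for example one issued earlier by an enterprise CA); Schannel picks the certificate to present, and you will need to remove or replace the competing one before the SonicWall's imported .cer will validate. ValidationErrors of None on the DC itself, where the certificate is trusted, and RemoteCertificateChainErrors on a host that has not imported the .cer is the expected pattern.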
