Видео

@@sashalexander7750 thanks for watching! Glad it was helpful

Thanks for watching! If you select PEAP they will be prompted to enter credentials. Use Smart Card or Ofher certificate and Computer Authentication in your settings. Also select the certificate authority so it knows the certificate to auto-choose.

@@CardinS2U thanks for watching! Glad it was helpful

@@MourningDove1990 the terms are used interchangeably. The protocol was called LDAP over SSL before TLS existed. It does technically use a TLS connection not an SSL one

@@websupport-b1s thanks for watching! I don’t have any experience with Chromebooks honestly. I think they are designed to be website based only so I am not sure how they handle file server communication

@@TechWorldwithPankaj thanks for watching glad it was helpful!

@@mirzairfan3426 thanks for watching! Glad it was helpful

@@wahferreira thanks for watching! Port 389 is still going to be used. The only thing that gets encrypted are LDAP Bind requests. HTTP has options to communicate such a GET POST HEAD PUT OPTIONS. Bind is the LDAP equivalent to one of those which is authentication only

Thanks. So the communication will still happen over port 389, but now the information will be encrypted. Is that it? Now I need to go to the next level. Leave the DNS exposed only as Authoritative DNS and recursive only locally.

@@wahferreira correct with the GPO setting on the windows clients they will use ldaps for ldap bind requests whenever they occur. Third party services will need to be pointed to port 636 and trust the CA that issued the LDAPS certificate.

@@OsbornePro Thanks

@@vaibhavkapoor1987 thanks for watching! Glad it was helpful

@@tremblayd76 hey thanks for watching! You do not need to install the AD LDS role but if you want to use LDAPS on all your DCs you will need to assign each one an individual LDAP certificate and attach it to the NTDS service on each DC. Typically third party devices and apps that aren’t windows require ldap binds for authentication and need to be configured to point to a specific DC. If you want more than one DC to handle this you will want to setup LDAPS on each

@@OsbornePro Thanks a lot... another thing, when we activate the "Negociate signing" on the client, is it trying to secure the connexion first (636) and if not drop to 389 ? I did activate it on my computer and it does not try to securely authenticate, it's stays on LDAP 389.

@@tremblayd76 normal LDAP communication will still happen on port 389. Any LDAP born requests performed will use LDAPS on 636 is what will happen there

@@HSula-jj2wn thanks for watching! You can use RADIUS authentication to login to a Cisco switch however they are only capable of using PAP for credentials and certificates can’t be used. It is still utilized in environments since LDAP is not an option for SSH access.

@@OsbornePro thanks a lot for the answer. Cheers!

Thanks for watching! The certificate I select I have had to choose by its expiration date. I use the RADIUS Server certificate template for that. In this video I made a cert that could be used by both the server and client. In this case I would have selected that one. It is okay to do. For least priv purposes it’s best to have a separate template for server and client

@@OsbornePro Appreciate the feedback. I was not 100 percent sure. I thought it might be best to just setup a cert template for just the radius server that way its not using same cert the clients are using as I currently have the validity period set to 3 months and the renewal period set to 2 months. It may cause issues once I deploy to production if my radius server cert is using the same as the clients.

@@TheMeMo1999 thansk for watching glad it was helpful!

@@ryanmcguire2578 thanks for watching! Yes they will automatically connect to wifi once setup

@OsbornePro ok I had set the up previously on a different dc, and my first test user I had to hit connect for them to connect, in the cert authority should each computer have 2 certs listed?

@@ryanmcguire2578 if you have two certificates on a device capable of being used for radius auth from the same certificate authority. In your client wireless profile you define the CA that assigned the certificate to auto select from. If you have two they may prompt you to

​@@OsbornePro I have my original cert authority setup on server 2016(going to decommission) which is still active and it has both certificate templates for radius server client and computer(machine) on it but my server 2022, the new CA only has the radius server client cert template listed for this user

@@OsbornePro sent you an email if you have a chance to take a look...thank you

Thanks for watching! I do not have a video like that. You want your CA to not have any other services on it. It should just do CA stuff. The best practice that is rarely followed is to have an offline root CA server non-domain joined. Then have an Intermediate CA attached to that which is domain joined. Require NTLMv2 authentication to it. Use SMBv2 and v3 with required signing. Biggest threat to your domain with a certificate authority are Certificate Templates. The guys who wrote an exploit tool called Certify have a white paper that is well worth the read to see the do not so certificate template making. You can run the tool to discover vulnerable certificates on your CA if you are ever unsure

@@faizankhanseo4639 thanks for watching! No it is not. Lazesoft has a free one I believe still

@@OsbornePro yes lazesoft is free you are right thanks 👍🏼🙏🏼

@@shinshen9020 thanks for watching! Yes a Mac can bind to a Windows domain. There is more info on how that is done and requirements in this article. onmac.net/how-to-join-mac-to-windows-domain/

Thanks for watching! I would be curious what you do for this. If you are using PEAP I would think trusting the Root CA and a domain trust would be required between the two domains so the user accounts can be found. For EAP-TLS you probably need a non-domain joined CA to issue certs to both domains in order to accomplish that

@@pstz_800 thanks for watching glad it was helpful!

@@BGPNetworks thanks for watching! It is not recommended to user your DC as a CA however, that should not affect the setup. The CA cert still needs to be trusted by the server and clients. It is still able to do what you need it too

@@filipfabicevic3077 thanks for watching! The DHCP server is registering the domain and IP resolution on behalf of the client so as long as the client can get a DHCP address it should work. It sounds like you need to set an ip helper-address on the switch for that VLAN. Make sure the forward look up zone exists on the DHCP server also. In the DNS server check your security settings to see if there are restrictions and what subnets allow updates

@@rakesh4a1 thanks for watching! FTP over SSL is not capable of key authentication, only FTP over SSH can use certificates for authentication. FTP over SSL to FTP is the equivalent of what HTTPS is to HTTP. The user tobor does not have a certificate assigned. You will need to create the ftpsecure user. It is used for limiting permissions and employing least privileges.

I put this script together to auto-install using a secure method. If the vsftpd service fails to start it is because UTF8 is no longer an option to set on certain Linux distro github.com/OsbornePro/ConfigTemplates/blob/main/vsftpd-installer.sh

@@vladimirarias-antonov9584 thanks for watching! I would suggest taking a look at this article for the NPS side of things documentation.meraki.com/MS/Access_Control/Configuring_Microsoft_NPS_for_MAC-Based_RADIUS_-_MS_Switches

Thank you this is great

@@KhalidAmin-f7x thanks for watching, sounds like the same thing I have seen with Macs. If you check the NPS event logs it probably says it can’t find the account. If that is the case you won’t be able to use EAP-TLS to authenticate Linux devices unless they are domain joined

@@hichamlyaacoubi1196 thanks for watching! There is a registry value you can at on the NPS server to define what version you want to use if you want to make sure a modern one is used support.microsoft.com/en-us/topic/microsoft-security-advisory-update-for-microsoft-eap-implementation-that-enables-the-use-of-tls-october-14-2014-d9ba4b83-b4e9-2c01-83a7-e42706e671af

@@marcusjackman1487 thanks for watching glad it was helpful! Haha I do not unfortunately. The Apache documentation is very extensive. The things I have learned came from doing hackthebox labs and configuring apache for different web services. I don’t know a good source out there for it so I put this together to share things I have run into

Thanks for watching! Glad it was helpful

Thanks for watching! No the students will not be able to download and install the certs on their phone; the important part for you to achieve that is when creating the device certificate template on your CA, the private key can not be marked as exportable. Once the certificate is assigned it will only be able to be used on the device it is assigned too. Also, the device hostname will have to match the subject name of the certificate. You can use PEAP certificates for deployment on a per user basis. However, making the key non-exportable in that situation means only one certificate goes to a user. That one certificate can only be used on the device that received it for that particular user. For example the students will not be able to use a second device like a laptop and desktop. EAP-TLS/Device Certificates allow you to authenticate devices. Users can access a device and that device can access the network. For your situation if possible I would use Aruba as a certificate authority with EAP-TLS for device authentication. The reason being is you may run into issues with devices that are not domain joined using certificates from a domain joined CA to authenticate. The account/user will not be found in AD and dummy accounts will not resolve the issue.

Thanks for watching! Yes you can. Just have to assign each DC its own LDAPS certificate where the FQDN of each individual DC is in the Subject of the certificate.

Thanks for watching! Glad it was helpful

Lol of course don't want anyone researching to get sick! Thanks for watching!

Thanks for watching. If you are running the nltest command on a device that is NOT a Windows Domain Controller there may be an issue with the trust or there is something up with the certificate trust on the client. Either of the below commands can be used to repair the trust. nltest /sc_reset:YourDomain.com Test-ComputerSecureChannel -Repair -Verbose # Run on the client device in admin powershell window Otherwise look at the System logs in Event Viewer after you do the above. Look for any events related to secure channel issues, likely with a the source Netlogon. This may help identify what exactly the trouble is.

@@OsbornePro ok thank you very much for your response. I will try to execute the commands. I just forgot to mention that i tried executing the command on a windows 11 in the same network and domain, on a windows 11 in another network (through internet) and on the DC itself. I got the same error in every case. Oh and the DC is also the DNS server

@@OsbornePro but my main issue is how to make LDAP work with iOS because iOS devices somehow dont send bind requests, only search requests from what i see through Wireshark. So i was trying to connect with SSL but apparently the iphone doesn't recognize the certificate. In Wireshark, we can see a "Unknown certificate" error.

@@aliounethiaw1443 if you are not seeing bind requests from the iOS devices they are not trying to perform authenticated searches. They may need an LDAP profile of some sort with credentials specified typically using the distinguished name as the username. An MDM solution will need to be used to push out the Root CA certificate to the devices trusted machine certificate store.

@@OsbornePro so i need to manually register the phone in the LDAP server using the phone's name and a password as credentials, then install the certificate on the phone via an MDM. And then i try to connect using the phone's credentials instead of the user's credentials. Is that what you mean?

Thanks for watching! I would still assign the server to the DnsUpdateProxy group. If there ever comes a time when the role is moved off the server, it can be seen the current server is a member of that group and it will make whoever looks at it take notice possibly preventing or shortening a resolution. Twenty years from now some IT guy will say thank you Wyatt. This is not needed however when you issue that command. The link below references if that helps you decide whatever is best for you. Your summary of actions looks complete to me and yes use "dnscmd /config /OpenAclOnProxyUpdates 0" since your DC is also a DHCP server. Here is a link to Microsoft's mention of this learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/ff631099(v=ws.10)#summary

@OsbornePro awesome! Thank you! This was the first video of yours that I have seen and it was perfect. Explain everything so well. Will definitely recommend to others and watch more of your tutorials!

Thanks for watching! A valid certificate is typically selected automatically however, its not perfect. Yes you should select the certificate to use on the RADIUS server in the network policy. I forgot to cover this in the video. I updated the description of the video to make mention of this in case someone reaches out to me having that issue. I can also get a quick copy paste responding to emails.

I finally figured it out. My CA root certificate was expired. Once it is renew, I see the LDAP certificate is now available.

Thanks for watching! Right on appreciate you sharing that. My approach would have been checking RPC and Windows Firewall. That did not even cross my mind.

Thanks for watching! Glad it was helpful

Thanks for watching! What I have found with non-domain joined Apple devices is they require a non-domain joined Root CA with a domain joined Intermediate CA. The non-domain joined Root CA is for issuing certs to Apple devices not on the domain. The domain joined intermediate is for auto-management of the Windows RADIUS client certificates. Of if you have something like Cisco ISE to act as a CA that issues certs to those devices that can work. If you just have a domain joined Root CA that assigns a device certificate to a non-domain joined Apple device, the authentication fails saying no matching account could be found. I have tried creating dummy accounts etc but nothing worked for me.

Thanks for watching! Very happy it was helpful

Thanks for watching! That I am not sure. By default you should have default certificate authorities that exist in both the Trusted Root Certificate Authorities and Intermediate Certificate Authorities stores. If there is nothing there maybe the Windows store is not used for trust and some other technology is handling that? If you want to get your domains Root CA, remote into the Root CA server and open Command Prompt or PowerShell. Then execute the below command mkdir C:\Temp # Creates a directory if it does not exist certutil -ca.cert C:\Temp\RootCA.cer # Exports your domains Root CA certificate to a file that you can import into the trusted stores Once you have the RootCA.cert file you can open certlm.msc and import it into the Trusted Root Certificate Authorities store

Thanks for watching! Glad it helped to get your VM started like you want!