Secret Server and Secure LDAP

23 07 2012

In April 2012, we released Secret Server v7.8.000036.  This was the first release to include support for Secure LDAP often referred to as LDAPS (and not to be confused with SLAPD!)  Subsequent releases of Secret Server will support LDAPS.  Since the release of LDAPS, it has remained a bit of an unintentional secret (no pun intended).  If you have Secret Server installed, check to see if you can enable Secure LDAP in your environment.

Using LDAPS:

Upon installation, Secret Server will use port 389 for LDAP traffic to Domain Controllers.  This does NOT mean passwords are transmitted in clear text.  It means that user and group names will be translated in clear text.  Passwords will be transmitted using Kerberos/NTLM.  However, with LDAPS available, all traffic including the user and group names will be encrypted.

Before enabling LDAPS, there is one feature that can potentially be affected.  If you are using a Domain Controller on Windows Server 2008 R2, Integrated Windows Authentication is supported with Secure LDAP.  However, if you are using Windows Server 2008 or older, Integrated Windows Authentication will have to be disabled when Secure LDAP is used.

How to enable LDAPS:

  1. Click on Administration -> Active Directory -> Edit Domains -> Select the domain you wish to edit (you can also create a new one here.)
  2. Click on Advanced as highlighted in the figure below.
  3. Put a check in the Use LDAPS box.
  4. Click Save And Validate.

 

Secret Server will now attempt to use LDAPS over port 636!  As with all Secret Server updates, the release notes are always published here:  http://www.thycotic.com/Secretserver_releasenotes.html.


Comments : Leave a Comment »
Tags: , , , ,
Categories : Secret Server, Security, Tips & Tricks

Thycotic Products installed in Windows Small Business Server

16 07 2012

Thycotic Software has received several inquiries about installing Secret Server, Password Reset Server or Group Management Server in Windows Small Business Server.  For those of you who aren’t familiar with Windows Small Business Server (SBS), this is Microsoft’s description:

“Windows Small Business Server is an affordable, all-in-one solution to reduce complexity and increase manageability of server technology in a small business environment.”

SBS is not an edition of Windows Server OS, but an OS bundled with pre-configured server technologies aimed at the small business sector.  SBS has a large number of strict requirements and here is a list of the important ones:

  • Only one SBS installation per domain (other Windows server OSes are allowed.)
  • Must be the Active Directory root server and cannot trust other domains or have child domains.
  • Maximum user/workstation count is 75.
  • There are licensing restrictions and RAM restrictions (differs in versions.)
  • The SQL Server 2008 Standard is the version included with SBS 2008.

Secret Server, Password Reset Server and Group Management Server share many of the same technical requirements.  Installing any of these products in SBS would likely have the exact same challenges.  Here are the steps taken make Secret Server function in the most basic form:

  1. Start with a typical installation of SBS 2008, followed by installing Windows updates (120 of them.)
  2. Check that .NET 3.5 is updated and installed.
  3. Run SQL Server Surface Area Configuration Tool to take ownership of the preinstalled and preconfigured SBS SQL database.
  4. Run the SQL Server Configuration Manager, editing Client Protocols, services and other settings.
  5. Install Secret Server in a folder isolated from the INETPUB folder due to stock SBS pieces interfering with Secret Server pages.
  6. Edit the permissions on the isolated application folder to allow users the ability to use the application.
  7. Set the App Pool pipeline to Classic mode as it is preconfigured for Integrated mode.
  8. Specify a non-standard port for Secret Server traffic (not 80 or 443.)  These ports were already configured for SBS functionality of SharePoint, Reporting and other sites.

After the changes outlined above, the Secret Server login functioned and information was able to be stored in the password database.  However, these changes to standard functionality in SBS will break functionality in other areas.   Additionally, some of the advanced security settings for Windows found in Secret Server were not applied nor were other typical Secret Server advanced features.

Altering SBS to allow Secret Server-like applications to function requires changes that cause SBS to function as a typical Windows Server.  There is a potential to minimize some of these changes by using a database external to the SBS server.  This would likely defeat the purpose of SBS in the first place.  In summary, the recommendation is to not use SBS as the host for installing Thycotic products.  However, this could be true of many .NET web applications with a SQL database.


Comments : Leave a Comment »
Tags: , , , , , ,
Categories : Group Management Server, Password Reset Server, Secret Server


Follow

Get every new post delivered to your Inbox.