joeware - never stop exploring... :)

Information about joeware mixed with wild and crazy opinions...

Warning: Upcoming LDAPS change in WLDAP32.DLL in Windows Server 2003 SP2…

by @ 12:09 am on 8/24/2006. Filed under tech

There is an interesting conversation that spun up over on activedir.org when someone needed to troubleshoot an LDAPS issue when querying an AD DC through a firewall.

The issue ended up being due to not having the certificate chain (i.e. the client didn’t trust the root) installed on the client machine, but it flushed out a change that will likely be in the Windows Server 2003 SP2 WLDAP32.DLL, which is the LDAP client DLL used by most Windows LDAP-based applications.

Any folks who follow the AD world are probably aware of Steve Linehan; he is pretty active on the ActiveDir Org list. Steve is with Microsoft and an excellent resource, especially when you are trying to bail your butt out of some sort of problem. He is also an extremely personable and nice guy; I was lucky enough to finally meet him in person at DEC 2006 last March after dealing with him over email and, I think, the phone for years. Anyway, Steve let us in on a little “secret”.

Currently WLDAP32 does NOT check the CRL. Let me repeat, the library DOES NOT CHECK THE CRL when connecting via LDAPS. This is going to change in a post-SP1 QFE and in Windows Server 2003 SP2. If you have apps that run on Windows Server 2003 that use LDAPS and CANNOT reach the CRL, your app may break once SP2 is applied. This depends entirely on the implementation of this fix. I responded to Steve’s email with another email asking for clarification on how this will be implemented, but it is possible that info won’t be released yet. If done properly, IMO, there would be a new reg key that you can set to either enable or disable the functionality, so you can control being broken without having to back out the Service Pack. At least on OSes that would be updated with this change via an SP instead of a fresh new install (XP/2003).
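As an added example (not from the post, the ActiveDir thread, or Microsoft), a small pre-flight check for the situation described above: it handshakes with a DC over LDAPS using the client's trusted roots (so an untrusted root fails here, just like the original problem) and then reports whether each CRL distribution point in the DC's certificate can actually be fetched from this client. The host name, URLs and the sample certificate dict are constructed.

```python
import socket
import ssl
import sys
import urllib.request
from typing import Callable, Dict, List, Tuple

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns;
# an AD-issued cert typically carries both an HTTP and an LDAP CDP.
SAMPLE_CERT = {
    "subject": ((("commonName", "dc1.example.test"),),),
    "crlDistributionPoints": (
        "http://pki.example.test/crl/example-ca.crl",
        "ldap:///CN=example-ca,CN=CDP,CN=Public%20Key%20Services,"
        "CN=Services,CN=Configuration,DC=example,DC=test"
        "?certificateRevocationList?base",
    ),
}

def crl_urls_from_cert(cert: Dict) -> List[str]:
    """CRL distribution point URLs from a validated getpeercert() dict."""
    return list(cert.get("crlDistributionPoints", ()))

def http_fetch_ok(url: str, timeout: float = 5.0) -> bool:
    """Assumed helper: GET the CRL; any 2xx/3xx counts as reachable."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return 200 <= resp.status < 400

def classify_crl_url(url: str, fetch: Callable[[str], bool]) -> Tuple[str, str]:
    """'reachable', 'unreachable' or 'skipped' (only http(s) is tried;
    an ldap:/// CDP needs a directory bind, so it is reported as skipped)."""
    if not url.lower().startswith(("http://", "https://")):
        return (url, "skipped")
    try:  # URLError/HTTPError/timeout are all OSError subclasses
        return (url, "reachable" if fetch(url) else "unreachable")
    except OSError:
        return (url, "unreachable")

def check_crls(cert: Dict, fetch: Callable[[str], bool] = http_fetch_ok):
    return [classify_crl_url(u, fetch) for u in crl_urls_from_cert(cert)]

def fetch_ldaps_cert(host: str, port: int = 636) -> Dict:
    """TLS handshake on 636 with default trusted roots; raises
    ssl.SSLCertVerificationError if the chain is not trusted."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    cert = fetch_ldaps_cert(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_CERT
    for url, status in check_crls(cert):
        print(f"{status:11} {url}")
```

Run it as `python check_cdp.py dc1.example.test` from each client that will receive SP2; an "unreachable" HTTP CDP is the case the post warns about.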

Speaking of fresh new installs… once this change finds its way into the base source, it will most likely show up in the Windows client and later Windows Server OSes, so Windows Server 2003 SP2 is simply the first place it will be seen, not the last.

The link to see exactly what Steve said – http://www.activedir.org/ml/msg13034.aspx

ASIDE: The link to an email from yours truly with a little network trace info for trying to identify some LDAPS issue – http://www.activedir.org/ml/msg12982.aspx

  joe
