The Lockdown

Thycotic’s Cyber Security Blog

Secret Server and Secure LDAP

Written by Thycotic Team

July 23rd, 2012

This blog post was originally written in 2012. For the most up-to-date information on Secret Server and Secure LDAP, please visit:

Secret Server Features Page: Our features are among the reasons so many IT Admins and IT Security pros consider Secret Server the best Privileged Access Management software on the market. Find information on the key features available in each version of Secret Server.

Getting Started Tutorial: Secret Server is a powerful solution with many facets. As such, we have created this guide, which is an introductory tutorial for new users. The tutorial suggests an order in which to learn topics and points to specific sections for more detail. This tutorial is oriented toward system administrators and other technical professionals. We recommend that non-technical users start with our End User Guide (link above).

In April 2012, we released Secret Server v7.8.000036. This was the first release to include support for Secure LDAP, often referred to as LDAPS (and not to be confused with SLAPD!). Subsequent releases of Secret Server will also support LDAPS. Since its release, LDAPS support has remained a bit of an unintentional secret (no pun intended). If you have Secret Server installed, check whether you can enable Secure LDAP in your environment.

Using LDAPS:

Upon installation, Secret Server uses port 389 for LDAP traffic to Domain Controllers. This does NOT mean passwords are transmitted in clear text: it means that user and group names are transmitted in clear text, while passwords are protected by Kerberos/NTLM authentication. With LDAPS enabled, all traffic, including the user and group names, is encrypted.
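To make the port 389 caveat concrete, here is an added Python example (not Thycotic code) that builds a constructed LDAP SearchRequest of the kind a directory-integrated application sends and lists the values a passive observer can read from it; over LDAPS the same bytes travel inside TLS and none of them is readable on the wire. The base DN, attribute name and account name are constructed sample values.

```python
# Minimal BER/LDAP walker: what an on-path observer sees in an LDAP SearchRequest
# sent over plain LDAP (TCP 389). The message is constructed, not a real capture.

def ber_len(n: int) -> bytes:
    """Encode a BER length (short form below 128, long definite form above)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    """Encode one BER element as tag + length + value."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def build_search_request(base_dn: str, attr: str, value: str) -> bytes:
    """LDAPMessage { messageID 2, SearchRequest [APPLICATION 3] } with an
    equalityMatch filter (attr=value), e.g. sAMAccountName=jdoe."""
    filt = tlv(0xA3, tlv(0x04, attr.encode()) + tlv(0x04, value.encode()))
    req = (tlv(0x04, base_dn.encode())              # baseObject
           + tlv(0x0A, b"\x02")                     # scope: wholeSubtree
           + tlv(0x0A, b"\x00")                     # derefAliases: never
           + tlv(0x02, b"\x00")                     # sizeLimit 0
           + tlv(0x02, b"\x00")                     # timeLimit 0
           + tlv(0x01, b"\x00")                     # typesOnly FALSE
           + filt
           + tlv(0x30, tlv(0x04, b"memberOf")))     # attributes requested
    return tlv(0x30, tlv(0x02, b"\x02") + tlv(0x63, req))

def walk(buf: bytes):
    """Yield (tag, value) for every primitive BER element, recursing into
    constructed ones (SEQUENCE, [APPLICATION n], [n] filters)."""
    i = 0
    while i < len(buf):
        tag = buf[i]
        length, i = buf[i + 1], i + 2
        if length & 0x80:                            # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(buf[i:i + n], "big"), i + n
        value, i = buf[i:i + length], i + length
        if tag & 0x20:
            yield from walk(value)
        else:
            yield tag, value

def visible_strings(packet: bytes) -> list:
    """Printable OCTET STRING values readable from an unencrypted LDAP message."""
    return [v.decode() for t, v in walk(packet)
            if t == 0x04 and v.isascii() and v.decode().isprintable()]

if __name__ == "__main__":
    pkt = build_search_request("DC=corp,DC=example", "sAMAccountName", "jdoe")
    print(visible_strings(pkt))  # ['DC=corp,DC=example', 'sAMAccountName', 'jdoe', 'memberOf']
```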

Before enabling LDAPS, there is one feature that can potentially be affected. If you are using a Domain Controller on Windows Server 2008 R2, Integrated Windows Authentication is supported with Secure LDAP. However, if you are using Windows Server 2008 or older, Integrated Windows Authentication will have to be disabled when Secure LDAP is used.

How to enable LDAPS:

  1. Click on Administration -> Active Directory -> Edit Domains -> Select the domain you wish to edit (you can also create a new one here.)
  2. Click on Advanced as highlighted in the figure below.
  3. Put a check in the Use LDAPS box.
  4. Click Save And Validate.