Forum.Brain-Cluster.com: Brain Cluster Technical Forum
LDAPS on 2k3 [message #159320] Tue, 28 July 2009 11:29
jwbernin (United States) | Messages: 9 | Registered: July 2009 | Junior Member
I've got a Windows 2003 AD server, and I want to enable LDAPS to it.
I've done this before, so I know it's possible, but I'm missing
something. I have a certificate installed, signed by a third party, and
it appears in MMC the way it should. When I attempt to ldapsearch
against port 636, I get "can't contact LDAP server". What am I missing?


--
jwbernin
------------------------------------------------------------------------
jwbernin's Profile: http://forums.techarena.in/members/117913.htm
View this thread: http://forums.techarena.in/active-directory/1222038.htm

http://forums.techarena.in
Re: LDAPS on 2k3 [message #159338 is a reply to message #159320] Tue, 28 July 2009 20:23
Joe Kaplan (United States) | Messages: 88 | Registered: July 2009 | Member
Are there any errors in the DC machine's event log related to not being able
to use or find an appropriate SSL certificate?

The common problems would be:
- Cert WITH private key not installed in local computer store personal
container
- Intermediate CA certs missing from local machine intermediate container
(the clients need this)
- subject name on cert does not match the DNS name of the DC
- Missing server auth EKU (wrong type of certificate; this is less likely
if you got a commercial SSL cert)

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
Re: LDAPS on 2k3 [message #159341 is a reply to message #159320] Tue, 28 July 2009 21:36
jwbernin (United States) | Messages: 9 | Registered: July 2009 | Junior Member
Actually, yes - the event log shows a Warning that "no appropriate
certificates could be found". I spent about 3 hours trying to google
that error, and couldn't find anything other than "make sure the DNS name
matches the subject name", which I checked about 10 times, and "put the
cert in the trusted sites folder", which I did and still wasn't able to
talk LDAPS. I did see something about a DC certificate for client
authentication, but beyond a little blurb that I couldn't figure out I
saw nothing.

Sorry for sounding like an idiot here - I'm a linux guy by preference,
but I'm the only one in my group who can deal with Windows effectively
so I get thrown into the shark tank.


--
jwbernin
Re: LDAPS on 2k3 [message #159363 is a reply to message #159341] Wed, 29 July 2009 06:11
Irv | Messages: 6 | Registered: July 2009 | Junior Member
I'd take a look at http://support.microsoft.com/kb/321051.
It details how to do it with a 3rd party or Microsoft CA.

HTH

Irv
Re: LDAPS on 2k3 [message #159376 is a reply to message #159363] Wed, 29 July 2009 07:16
Joe Kaplan (United States) | Messages: 88 | Registered: July 2009 | Member
So, just to review:

The cert is really in the LOCAL MACHINE store "personal" container (not the
Current User store)
The Windows UI says "this certificate has a private key" when you open the
certificate
The Windows UI shows the certificate as "ok" and the path tab shows the full
cert chain

I'm not sure what you are talking about with "trusted sites" as there is no
container with that name that I'm aware of.

--
Joe Kaplan
Re: LDAPS on 2k3 [message #159377 is a reply to message #159363] Wed, 29 July 2009 06:33
jwbernin (United States) | Messages: 9 | Registered: July 2009 | Junior Member
Irv - I've gone through this kb article many times, I've gone through
all the steps therein, I've double-checked that I've gone through all
the steps, and this is exactly what is not working.


--
jwbernin
Re: LDAPS on 2k3 [message #159390 is a reply to message #159376] Wed, 29 July 2009 09:01
jwbernin (United States) | Messages: 9 | Registered: July 2009 | Junior Member
Joe - all three items are correct. It is in the Local Computer personal
certificate store, it shows there is a private key that corresponds to
the certificate, and it shows the status is ok.

The "trusted" area is the Trusted Root Certificates certificate store,
at the same level as the Personal folder.


--
jwbernin
Re: LDAPS on 2k3 [message #159395 is a reply to message #159390] Wed, 29 July 2009 10:53
Joe Kaplan (United States) | Messages: 88 | Registered: July 2009 | Member
Normally, you would not put an external end entity SSL certificate in the
trusted roots container. Instead, the issuing CA's trust root will already
be there. That's basically what you pay the CA vendor for.

However, that also should not matter. If the cert is in the right container
and has a private key and is a real SSL cert, then the DC should be able to
try to use it if the DNS name of the DC matches the subject name.

Was there any additional detail in the event log on the DC (like an error
code or something)?

--
Joe Kaplan
Re: LDAPS on 2k3 [message #159404 is a reply to message #159320] Wed, 29 July 2009 11:32
jwbernin (United States) | Messages: 9 | Registered: July 2009 | Junior Member
I've solved the problem. It seems to have been two-fold... one, the
ipsCA root certificate wasn't in the MMC - I had to add it manually -
and two, I had to install the Certificate Services bits. Neither of
those items is explicitly mentioned in the Microsoft KB article. Once
I did those two things and rebooted, I can now talk LDAPS to my DC,
which makes me happy.


--
jwbernin
Re: LDAPS on 2k3 [message #159419 is a reply to message #159404] Wed, 29 July 2009 14:51
Joe Kaplan (United States) | Messages: 88 | Registered: July 2009 | Member
I have no idea why you'd need the cert services bits. We use externally
issued SSL certs on all our DCs (>100) and haven't had to do that.

However, if you got it working, that's good.

If you were missing a cert in the chain, the certificate path dialog for the
certificate *should* have demonstrated that with the "red x" icon so I'm not
sure if we missed that or if there is some other complexity in your chain
that I didn't understand.

--
Joe Kaplan
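As an added example (not posted by anyone in this thread), the PowerShell script below audits the Local Machine Personal store against the checklist Joe Kaplan gave earlier and the missing root certificate that turned out to be the cause: private key present, a subject/SAN name matching the DC's FQDN, the Server Authentication EKU, and a chain that builds from the machine's own stores. It assumes a PowerShell with the Cert: drive is installed on the DC, that it is run from an elevated prompt, and that the DC's FQDN resolves locally.

```powershell
# Added example: audit LocalMachine\My for a certificate a DC could use for LDAPS.
# Assumes PowerShell with the Cert: drive on the DC, run from an elevated prompt.
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

# Only certificates that carry their private key are candidates.
$candidates = @(Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.HasPrivateKey })
if ($candidates.Count -eq 0) {
    Write-Warning "No certificate with a private key in LocalMachine\My"
    return
}

foreach ($cert in $candidates) {
    $problems = @()

    # Subject CN or a SAN dNSName must match the DC's FQDN.
    $names = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        # Format() yields e.g. "DNS Name=dc1.example.com, DNS Name=dc1" on Windows
        $names += ($san.Format($false) -split ',' | ForEach-Object { ($_ -split '=')[-1].Trim() })
    }
    if ($names -notcontains $fqdn) {
        $problems += "no subject/SAN name matches $fqdn (found: $($names -join ', '))"
    }

    # Server Authentication EKU must be present.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
        $problems += 'Server Authentication EKU missing'
    }

    # The chain must build from this machine's stores; a missing intermediate or
    # root CA certificate (the cause in this thread) shows up here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        $problems += 'chain does not build: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
    }

    $now = Get-Date
    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) { $problems += 'outside validity period' }

    if ($problems.Count -eq 0) { "$($cert.Thumbprint): usable for LDAPS ($($cert.Subject))" }
    else {
        "$($cert.Thumbprint): NOT usable ($($cert.Subject))"
        $problems | ForEach-Object { "  - $_" }
    }
}
```

Any certificate reported as "NOT usable" lists the same conditions the DC's "no appropriate certificates could be found" warning is silent about, so the output points at which store or field to fix.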