Re: schannel failure between AD CA and NT Domain

From: Paul Landry (plandry@frametech.com)
Date: 05/09/02


From: "Paul Landry" <plandry@frametech.com>
Date: Thu, 9 May 2002 09:37:33 -0400


Hi David,

The CA is showing up in the Trusted Root Certification Authorities Tab, on
the Certificates Dialog of the Internet Properties Screen.
Also each server has personal certificates as well.

I have not added the CA to the Intermediate Certification Authority yet.

BTW, on the CA Server itself, which is also the main server for the AD, the
CA that I created shows up three times in the Trusted Root Certification
Authority Tab. Is this normal?

Thanks

Paul

I had imported the
"D. Cross [MS]" <vaq130@hotmail.com> wrote in message
news:O6OJzEr9BHA.2432@tkmsftngp03...
> Are the root CA certificates trusted on both the client and server
> machines?
>
> --
>
> David B. Cross [MS]
>
> --
> This posting is provided "AS IS" with no warranties, and confers no
> rights.
>
> "Paul Landry" <plandry@frametech.com> wrote in message
> news:OhRhVvg9BHA.2608@tkmsftngp07...
> > Hi All,
> > I have a test lab, which contains an Active Directory domain
> > ( lab.frametech.com ).
> > On the AD Controller for this domain ( Advanced Server 2000 SP2 + All
> > Hotfixes as of today ), I have installed the Windows Certificate
> > Authority.
> > I am testing out LDAP connections to the AD on this machine.
> > In non-secure mode, I can create an LDAP connection no problem, and
> > retrieve info.
> > In SSL mode, any client/server that is part of the AD can create a
> > secure connection to retrieve info.
> > Any client/server that is not part of the AD is unable to create an SSL
> > connection.
> > On a Win2K Pro SP2 ( + all current Hotfixes ) client, the event log shows
> > the following error:
> > "Source: SChannel Event ID: 36876
> > The certificate received from the remote server has not validated
> > correctly. The error code is 0x80090327. The SSL connection request has
> > failed. The attached data contains the server certificate."
> > Looking in the MS knowledge base I see KB Q288100, which was fixed in
> > SP2.
> > I've verified that the DLLs mentioned are the same or newer than those
> > mentioned in the KB article.
> >
> > The client connection problem seems to stem from the fact that the
> > clients are in an NT 4.0 Domain ( FRAMETECH.LEB ). The NT 4.0 Domain
> > Controller is SP6a + all current hotfixes. I have two-way trusts
> > established between the FRAMETECH.LEB and lab.frametech.com domains.
> > Also, all FRAMETECH.LEB Domain Users have Administrator authority to the
> > lab.frametech.com directory.
> >
> > From the FRAMETECH.LEB clients, I can request and install certificates
> > from the lab.frametech.com Certificate Server.
> > I've set up the lab.frametech.com certificate authority as a Trusted CA,
> > and all certificates and revocation lists appear to have installed
> > properly.
> >
> > However, I cannot get an SSL connection to work between any machine
> > outside of the lab AD.
> >
> > I also have an iPlanet 5.1 Directory Server, running on a Solaris box,
> > to which I've issued certificates as well, with the same result.
> > I had tried to run iPlanet on an NT 4.0 SP6a box, but any time I tried
> > to install a certificate issued by the lab AD, the NT box GPFs.
> > But that's another bridge to burn.
> > If I can get the cross-domain issue first, I can move on to the next
> > problem.
> >
> > Anybody have any ideas on this one?
> >
> > Thanks
> >
> > Paul Landry
> > QA/Test Lab Manager
> > Framework Technologies Corp.
> >
> >
>
>
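The question David raises, whether the root CA certificate is trusted on the client doing the connecting, is the first of three checks an SSL client applies to the certificate an LDAPS server presents: the chain must end in a root the client trusts, the name the client connected to must match the certificate, and the certificate must be usable for server authentication. The Go program below is an added example, not code from this thread or from Microsoft; it builds a throwaway root CA in memory (a constructed stand-in for the lab CA, with the hostname dc1.lab.example made up), issues a server certificate from it, and then runs the same certificate through the checks as seen from a machine that has imported the root and from one that has not, which is the situation the thread describes between the lab.frametech.com and FRAMETECH.LEB machines.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// NewTestCA builds a throwaway root CA in memory. It is a constructed
// stand-in for the lab CA in the thread, not that CA.
func NewTestCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Lab Root CA"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// IssueServerCert has the CA sign a certificate for dnsName with the given
// extended key usages; an LDAPS listener needs serverAuth.
func IssueServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, dnsName string, eku []x509.ExtKeyUsage) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: dnsName},
		DNSNames:     []string{dnsName},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  eku,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Classify runs the client-side checks (trusted root, name match, serverAuth
// usage) on serverCert and labels the first one that fails.
func Classify(serverCert *x509.Certificate, roots *x509.CertPool, hostname string) string {
	_, err := serverCert.Verify(x509.VerifyOptions{
		Roots:     roots, // a nil pool would mean "use the system store", so always pass one
		DNSName:   hostname,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	var unknownAuth x509.UnknownAuthorityError
	var hostErr x509.HostnameError
	var invalid x509.CertificateInvalidError
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &unknownAuth):
		return "untrusted-root"
	case errors.As(err, &hostErr):
		return "hostname-mismatch"
	case errors.As(err, &invalid) && invalid.Reason == x509.IncompatibleUsage:
		return "wrong-eku"
	default:
		return "other: " + err.Error()
	}
}

// Scenarios checks one server certificate from a client that imported the
// root and from one that did not, plus a wrong-name and a wrong-usage case.
func Scenarios() (map[string]string, error) {
	ca, caKey, err := NewTestCA()
	if err != nil {
		return nil, err
	}
	good, err := IssueServerCert(ca, caKey, "dc1.lab.example", []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	if err != nil {
		return nil, err
	}
	clientOnly, err := IssueServerCert(ca, caKey, "dc1.lab.example", []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})
	if err != nil {
		return nil, err
	}
	trusting := x509.NewCertPool() // a domain member that has the root installed
	trusting.AddCert(ca)
	outsider := x509.NewCertPool() // a machine in the other domain with no root imported
	return map[string]string{
		"domain-member":    Classify(good, trusting, "dc1.lab.example"),
		"outside-domain":   Classify(good, outsider, "dc1.lab.example"),
		"wrong-name":       Classify(good, trusting, "dc1.other.example"),
		"client-auth-only": Classify(clientOnly, trusting, "dc1.lab.example"),
	}, nil
}

func main() {
	results, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for k, v := range results {
		fmt.Printf("%-18s %s\n", k, v)
	}
}
```

The "outside-domain" case is the one to compare with the thread: the certificate is perfectly valid, and the only difference between the passing and failing client is whether the issuing root is in that client's trust store. The "wrong-name" case is worth keeping in mind when the client reaches the directory server by a name other than the one in the certificate, and the "client-auth-only" case shows that being issued a certificate at all is not enough; the server's certificate has to carry the server authentication usage.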


