Help manually assigning a certificate to an AD server for LDAP
From: Paul Landry (plandry@frametech.com)
Date: 09/06/02
- Next message: John Phillips: "Net Server Spamming"
- Previous message: T.J.: "Problem with applying Group Policy"
- Next in thread: Paul M. Landry: "Re: Help manually assigning a certificate to an AD server for LDAP"
- Reply: Paul M. Landry: "Re: Help manually assigning a certificate to an AD server for LDAP"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: "Paul Landry" <plandry@frametech.com> Date: Fri, 6 Sep 2002 13:54:11 -0400
Hello all,
I run a QA department's test lab.
Our developers need to test LDAP connections to Active Directory and
non-Microsoft LDAP servers. Testing has been fine until we added the
requirement to connect using SSL.
I installed Certificate Services onto our Win2K AD server in the lab and set
it up as an Enterprise Root Certificate Server.
This worked fine for Win2K Servers and clients, issuing certificates, etc.
and allowing SSL connections to the AD through LDAP.
I couldn't get any non-Win2K servers or clients (Win NT and Unix) to
retrieve and install an issued certificate.
Reading on-line, I see that to support non-Win2K platforms, I must install
the Certificate Server as a Stand-Alone Root Certificate Server.
Doing this, I am able to manually issue and install certificates to my Win2K
and non-Win2K servers and workstations.
I can now access my iPlanet LDAP servers, running on NT and Solaris, through
SSL, which is great.
Here's the rub, however. I can't get a certificate installed onto the AD
server, for LDAP SSL connections. Remember that the AD server is also the
Certificate Server.
To debug the connection I'm using Win2K's Address Book, on a client.
When attempting to connect, using SSL, I get the following message in the
AD/CA server's event log.
=======================================================
Date: 9/6/2002 Source: Schannel
Time: 10:24 Category: None
Type: Error
Event ID:36870 "A fatal error occurred attempting to access the SSL server
credential private key. The error returned from the cryptographic module is
0xffffffff.
Date: 9/6/2002 Source: Schannel
Time: 10:24 Category: None
Type: Information
Event ID:36868 "The SSL server credential's private key has the following
properties:
CSP name: Microsoft RSA SChannel Cryptographic Provider
CSP type: 12
Key Name: ( lots of numbers and letters )
Key Type: key exchange
Key Flags: 0x60
The attached data contains the certificate. ( Followed by lots of numbers
and letters )
=======================================================
I've used the registry hack from Q... to get detailed logging.
Looking at other knowledge base articles, I see that I have to manually
request a certificate and install it. I've tried doing this, getting a
certificate, but I don't know if I'm getting the correct certificate, and
haven't been able to find where I install it.
Using the AD management screens, everything is geared to using an Enterprise
CA, and there is no information (that I can find) on how to manually set
up a certificate for the AD.
Can anybody point me in the right direction? I've lost too much hair over
this already.
Thanks
Paul Landry
QA Test Lab Manager
Framework Technologies Corp.
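The post above asks which certificate a domain controller needs for LDAP over SSL and where it goes. The following PowerShell script is an added example, not part of the original message or of any Microsoft tooling: it checks every certificate in the local machine's personal store (Cert:\LocalMachine\My, which is where Schannel looks) against the documented requirements for a DC LDAPS certificate (private key present, Enhanced Key Usage includes Server Authentication 1.3.6.1.5.5.7.3.1, the DC's fully qualified name in the subject or subject alternative name, chains to a trusted root, and is within its validity period), then opens a TLS handshake to port 636 and reports which certificate the DC actually presents. The DC name (taken from DNS), the port number 636, and running it as an administrator on the DC itself are assumptions; the event ID 36870 in the post points at the private key, and the HasPrivateKey column is the first thing to look at.

```powershell
# Added example (not from the original post): list certificates in the machine
# store that could serve LDAPS on this DC, then show what port 636 really serves.
# Assumptions: run on the DC as an administrator; the DC's FQDN resolves locally;
# LDAPS listens on 636.
param(
    [string]$DcFqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName,
    [int]$LdapsPort = 636
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # EKU: Server Authentication
$EkuExtOid     = '2.5.29.37'           # Extended Key Usage extension
$SanExtOid     = '2.5.29.17'           # Subject Alternative Name extension

function Test-LdapsCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn
    )
    # EKU must contain Server Authentication; .NET types this extension as
    # X509EnhancedKeyUsageExtension, which exposes the OID collection.
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuExtOid }
    $hasServerAuth = $false
    if ($ekuExt) {
        $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages |
            Where-Object { $_.Value -eq $ServerAuthOid })
    }
    # The DC's FQDN must appear as the subject CN or as a DNS SAN entry.
    $dnsName = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $sanExt  = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanExtOid }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $nameMatches = ($dnsName -eq $Fqdn) -or ($sanText -match [regex]::Escape($Fqdn))
    $now = Get-Date
    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        HasPrivateKey = $Cert.HasPrivateKey          # event 36870 territory
        ServerAuthEku = $hasServerAuth
        NameMatchesDc = $nameMatches
        InValidity    = ($Cert.NotBefore -lt $now) -and ($Cert.NotAfter -gt $now)
        ChainsToRoot  = $Cert.Verify()               # trusted root + revocation
    }
}

function Get-ServedCertificate {
    param([string]$Fqdn, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
    try {
        # Accept any server certificate here: the point is to see what the DC
        # presents, not to validate it. Never do this in a production client.
        $ssl = New-Object System.Net.Security.SslStream(
            $tcp.GetStream(), $false, { param($s, $c, $ch, $e) $true })
        $ssl.AuthenticateAsClient($Fqdn)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2(
            $ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

# 1. Evaluate every certificate in the Local Computer personal store.
$candidates = Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-LdapsCertificate -Cert $_ -Fqdn $DcFqdn }
$candidates | Format-Table -AutoSize

$usable = $candidates | Where-Object {
    $_.HasPrivateKey -and $_.ServerAuthEku -and $_.NameMatchesDc -and
    $_.InValidity -and $_.ChainsToRoot
}
if (-not $usable) {
    Write-Warning "No certificate in LocalMachine\My meets all LDAPS requirements for $DcFqdn"
}

# 2. Confirm what the DC actually hands out on the LDAPS port.
try {
    $served = Get-ServedCertificate -Fqdn $DcFqdn -Port $LdapsPort
    "Port $LdapsPort presents: $($served.Subject) (thumbprint $($served.Thumbprint))"
} catch {
    Write-Warning "TLS handshake on port $LdapsPort failed: $($_.Exception.Message)"
}
```

A row with HasPrivateKey false is the usual cause of a certificate that looks right but cannot be used by Schannel: the request was generated on one machine and the certificate imported on another, or it was put in the user's store instead of the computer's. If the store check passes but the handshake fails, compare the served thumbprint with the table; a DC with several eligible certificates picks one itself, so removing the stale ones is the simplest fix.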