Re: failing to retrieve CRL from certificate server using new LDAP



Hello S. Pidgorny

I agree with your comment; I thought I could specify any DC.

I have tried your suggestion previously; it won't work. The CRL will update
automatically only if I put 192.168.1.1 under the LDAP Server setting.

So you don't think there are any settings that may bind it to our old DC, the "Corp"
server? I need to specify our new 2003 DC.

This is how I specify it on our NetScreen 50 VPN under Certificate Options > CRL
Settings:

CRL Settings

URL Address:
ldap:///CN=company1,CN=Paul,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain1,DC=co,DC=nz?certificateRevocationList?base?objectClass=cRLDistributionPoint

LDAP Server: 192.168.1.1

Refresh Frequency: Daily


"S. Pidgorny <MVP>" wrote:

You should be able to use any domain controller and point the LDAP URL
accordingly, like:

ldap://192.168.1.2/CN=company1,CN=Paul,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain1,DC=co,DC=nz?certificateRevocationList?base?objectClass=cRLDistributionPoint

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-


"Mr555" <Mr555@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:A622E5A1-6E88-4693-A9BB-1D7A34A390DC@xxxxxxxxxxxxxxxx
Hello

Thank you so much for your input on my questions. I am new to certificate
servers; I thought that just enabling Certificate Services would be OK. At the
moment our VPN is operational. The only problem (a serious problem) we are
having is that it will only retrieve the new CRL from the certificate server
if I specify the old LDAP server IP address, which is 192.168.1.1 (the "Corp"
server, Windows 2000). We are going to demote the Corp server soon. I get the
feeling that some configuration has been done on the Corp server; possibly I
have to enable it on the Paul server, 192.168.1.2, Windows 2003. I am not sure
what it is, so hopefully you will be able to help me with this.

We are using a NetScreen 50 as our VPN server. Under Certificate Options on
our NetScreen VPN server there is a place where you have to specify the URL
path; the NetScreen documentation says I must copy it from the published CRL
locations:

URL=ldap:///CN=company1,CN=Paul,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=domain1,DC=co,DC=nz?certificateRevocationList?base?objectClass=cRLDistributionPoint

to that location. Then I have specified the LDAP IP address 192.168.1.1 to
work around it.

Thank you

Mr555



"S. Pidgorny <MVP>" wrote:

Which VPN server do you use and how do you configure it for CRL lookup (if
applicable)?
What CDPs are defined in the VPN client certificate properties?
Not less important - what CDPs are defined in the VPN server certificate?

--
Svyatoslav Pidgorny, MS MVP - Security, MCSE
-= F1 is the key =-

"Mr555" <Mr555@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:63E32FFE-E2B4-4477-B6B0-3895307DF3D3@xxxxxxxxxxxxxxxx
3 months ago we migrated to Windows 2003 Server.

We have moved all of the FSMO roles from our old Windows 2000 server "Corp"
to our new Windows 2003 server "Paul". Paul is now the forest root of our
network. The IP address of Paul is 192.168.1.2.

A few weeks ago our Windows 2000 certificate server "Spoon" died; we decided
to rebuild the certificate server on Windows 2003. The new certificate server
is now called "Mugen" and is configured as a stand-alone root CA member
server. The purpose of this certificate server is to authenticate VPN
connections to our network, and it operates together with our NetScreen
VPN/firewall.

15 days ago, our VPN/firewall started failing to retrieve the CRL from the
certificate server. Therefore VPN connections stopped working.

Under extensive investigation, I have discovered we can only make our
VPN/firewall automatically obtain the CRL from the certificate server "Mugen"
if we specify the old LDAP server IP address ("Corp"), which is 192.168.1.1.

If I enter the IP address of Paul, 192.168.1.2, in the VPN/firewall
certificate settings, the automatic CRL retrieval will fail.

I have checked with the firewall support team. They said NetScreen does
support Windows 2003 Server. They suspect I have not configured our
certificate server correctly to work under the "Paul" LDAP server.

Questions:

Are there any configuration or security policy settings I need to configure to
allow communication between the LDAP server "Paul" and the certificate server
"Mugen"?

I need to specify "Paul" as the LDAP server in the VPN setup instead of the
Corp server. Please help.

Thank you

Mr555
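As an added example (not code from the newsgroup posts or from NetScreen or Microsoft), the following Python script parses the LDAP CRL distribution point (CDP) URLs quoted in this thread and rewrites them to name a specific domain controller, the way the reply above suggests. The point it makes is that AD CS publishes the CDP URL with an empty host (`ldap:///...`), and under RFC 4516 an empty host means the client must choose the LDAP server itself, which is why the NetScreen needs either its separate "LDAP Server" setting or a URL with the host filled in. It also builds the equivalent OpenLDAP `ldapsearch` command line (the `-x`, `-H`, `-b` and `-s` options are OpenLDAP's) so that the same query can be run against each candidate DC to see which one actually returns the CRL object. The URLs and the addresses 192.168.1.1 and 192.168.1.2 are the ones quoted in the thread; nothing here contacts a server.

```python
"""Added example (not from the newsgroup thread): parse and rewrite the LDAP
CRL distribution point (CDP) URLs quoted above, and build an ldapsearch
command for checking which domain controller actually serves the CRL.

AD CS publishes CDP URLs as ldap:///<DN>?certificateRevocationList?base?...
with an empty host. Per RFC 4516 an empty host means the client must pick the
LDAP server itself, which is why the NetScreen needs either its separate
"LDAP Server" setting or a URL with the host filled in.
"""
from dataclasses import dataclass
from typing import List, Optional
from urllib.parse import quote, unquote

# Constructed samples: the two URLs quoted in the thread.
CDP_URL = (
    "ldap:///CN=company1,CN=Paul,CN=CDP,CN=Public%20Key%20Services,"
    "CN=Services,CN=Configuration,DC=domain1,DC=co,DC=nz"
    "?certificateRevocationList?base?objectClass=cRLDistributionPoint"
)
SUGGESTED_URL = CDP_URL.replace("ldap:///", "ldap://192.168.1.2/", 1)


@dataclass
class LdapUrl:
    scheme: str
    host: str                # "" when the URL leaves the server choice to the client
    port: Optional[int]      # None when the URL names no port
    dn: str                  # base DN with percent-encoding undone
    attributes: List[str]
    scope: str               # base | one | sub
    filter: str              # as written in the URL (AD CS omits the parentheses)


def parse_ldap_url(url: str) -> LdapUrl:
    """Split an RFC 4516 LDAP URL: scheme://host:port/dn?attrs?scope?filter."""
    scheme, sep, rest = url.partition("://")
    scheme = scheme.lower()
    if not sep or scheme not in ("ldap", "ldaps"):
        raise ValueError(f"not an LDAP URL: {url!r}")
    hostport, _, tail = rest.partition("/")
    host, _, port = hostport.partition(":")
    # Everything after the DN is optional; pad so the unpack below always works.
    fields = tail.split("?") + [""] * 4
    dn, attrs, scope, filt = (unquote(f) for f in fields[:4])
    return LdapUrl(
        scheme=scheme,
        host=host,
        port=int(port) if port else None,
        dn=dn,
        attributes=[a for a in attrs.split(",") if a],
        scope=scope or "base",
        filter=filt,
    )


def needs_client_chosen_server(url: str) -> bool:
    """True when the URL has no host, so the client must choose a DC itself."""
    return parse_ldap_url(url).host == ""


def with_server(url: str, host: str, port: Optional[int] = None) -> str:
    """Rebuild the URL so it names a specific LDAP server (and optional port)."""
    u = parse_ldap_url(url)
    netloc = host if port is None else f"{host}:{port}"
    return (
        f"{u.scheme}://{netloc}/{quote(u.dn, safe='=,')}"
        f"?{','.join(u.attributes)}?{u.scope}?{quote(u.filter, safe='()=*')}"
    )


def ldapsearch_command(url: str, host: str, port: int = 389) -> List[str]:
    """argv for an OpenLDAP ldapsearch that reads the CRL object from one DC.

    Run it once per candidate DC (192.168.1.1 and 192.168.1.2 in the thread)
    to see which one returns certificateRevocationList for the CDP DN.
    -x is a simple bind; add -D/-W for a bind user if anonymous reads are denied.
    """
    u = parse_ldap_url(url)
    # OpenLDAP wants the RFC 4515 form "(attr=value)"; AD CS writes it bare.
    filt = u.filter if u.filter.startswith("(") else f"({u.filter})"
    return [
        "ldapsearch", "-x", "-H", f"{u.scheme}://{host}:{port}",
        "-b", u.dn, "-s", u.scope, filt, *u.attributes,
    ]


if __name__ == "__main__":
    print("client must pick a server:", needs_client_chosen_server(CDP_URL))
    print(with_server(CDP_URL, "192.168.1.2"))
    print(" ".join(ldapsearch_command(CDP_URL, "192.168.1.2")))
```

Running the generated `ldapsearch` against both DCs narrows the problem: if the 2000 DC returns the `certificateRevocationList` attribute and the 2003 DC returns nothing or an error for the same DN, the object is simply not being served by that DC (replication, permissions, or bind requirements), rather than the NetScreen being at fault. One difference worth checking in that case is that Windows Server 2003 domain controllers refuse anonymous LDAP operations other than rootDSE reads by default, while Windows 2000 domain controllers allowed them; a query that only succeeds once `-D`/`-W` bind credentials are supplied points at that.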
