Re: Problems during set up....
From: Ace Fekay [MVP] (PleaseSubstituteMyActualFirstName&LastNameHere_at_hotmail.com)
Date: 08/28/04
- Previous message: Ace Fekay [MVP]: "Re: Rebuild Policies"
- In reply to: Johnny: "Problems during set up...."
- Messages sorted by: [ date ] [ thread ]
Date: Sat, 28 Aug 2004 00:26:39 -0400
In news:25F68E4C-9302-47E2-9F37-8C58507A3592@microsoft.com,
Johnny <Johnny@discussions.microsoft.com> made a post, then I commented below:
> Hi,
>
> I set up an Active Directory server on Windows 2000 and tested it
> using ldp.exe on port 389. This works fine. I am currently working
> on an LDAP client that requires SSL, so I installed an Enterprise root
> CA after reading Microsoft Knowledge Base article 247078. This
> failed when I tried to use ldp on port 636; I get a "cannot open
> connection" error. I wasn't sure why, so I next tried to connect
> using openssl to see if the SSL client was working. These are the
> errors I got:
>
> ...
> verify error:num=26:unsupported certificate purpose
> ...
> SSL_connect:SSLv3 read server certificate A
> SSL_connect:SSLv3 read server certificate request A
> SSL_connect:SSLv3 read server done A
> SSL_connect:SSLv3 write client certificate A
> SSL_connect:SSLv3 write client key exchange A
> SSL_connect:SSLv3 write change cipher spec A
> SSL_connect:SSLv3 write finished A
> SSL_connect:SSLv3 flush data
> SSL_connect:failed in SSLv3 read finished A
> 14883:error:140790E5:SSL routines:SSL23_WRITE:ssl handshake
> failure:s23_lib.c:226:
>
> I thought maybe, since it was a new CA, that I had to create a new
> certificate (using //$root/certsrv) and place that in the directory I
> needed it to be in. Instead I get an error:
>
> Request Mode:
> newreq - New Request
> Disposition:
> FFFFFFFF - (unknown)
> Disposition message:
> (none)
> Result:
> The binding handle is invalid. 0x800706a6 (WIN32: 1702)
> COM Error Info:
> CCertRequest::Submit The binding handle is invalid. 0x800706a6
> (WIN32: 1702) LastStatus:
> The operation completed successfully. 0x0 (0)
> Suggested Cause:
> No suggestions.
>
> Greatest part about that... "No suggestions." I checked the Event
> Viewer to see if I could see any problems. No errors/warnings
> regarding LDAP or CA, but there is one for DHCPServer: "The DHCP/BINL
> service has determined that it is not authorized to service clients
> on this network for the Windows domain."
>
> So here I am, looking for any and all suggestions to try and get this
> working. It could be many problems or maybe just a small one; I have
> no idea. I recently graduated school and never learned about any of
> this stuff, so it is new to me. Any help would be greatly appreciated.
>
> banging my head against my cubicle wall...
> -Johnny
I haven't implemented this yet, but did find quite a bit out there on it.
Not sure if you searched for it, but unless someone else responds more
specifically (and they would probably need to know more specifics on how exactly
you implemented your CA, etc.), I'm providing the search string URL I used.
There are quite a few results on how to implement and troubleshoot this:
As far as DHCP, just authorize that in AD (from within the DHCP console).
--
Regards,
Ace

Please direct all replies ONLY to the Microsoft public newsgroups so all can benefit.

This posting is provided "AS-IS" with no warranties or guarantees and confers no rights.

Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services

Security Is Like An Onion, It Has Layers

HAM AND EGGS: A day's work for a chicken; A lifetime commitment for a pig.
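The most diagnostic line in the thread is openssl's "verify error:num=26:unsupported certificate purpose", which is OpenSSL's purpose check failing; one common cause is a server certificate whose Extended Key Usage (EKU) does not include id-kp-serverAuth, which LDAPS on port 636 needs. The following is an added example (mine, not code from either poster): a stdlib-only Python decoder for the EKU extension value that reports whether a certificate may act as a TLS server. The EKU byte strings at the bottom are constructed samples, not taken from Johnny's certificate.

```python
"""Stdlib-only check of an X.509 Extended Key Usage (EKU) value: may the cert act as a
TLS server? A leaf whose EKU lacks id-kp-serverAuth is one trigger of OpenSSL error 26."""

SERVER_AUTH = "1.3.6.1.5.5.7.3.1"  # id-kp-serverAuth
CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"  # id-kp-clientAuth
ANY_EKU = "2.5.29.37.0"            # anyExtendedKeyUsage

def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the count of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def decode_oid(value):
    """Decode OBJECT IDENTIFIER content octets to dotted form."""
    arcs, acc = [value[0] // 40, value[0] % 40], 0  # first octet packs arcs 1 and 2
    for b in value[1:]:
        acc = (acc << 7) | (b & 0x7F)  # base-128; high bit set means more octets follow
        if not b & 0x80:
            arcs.append(acc)
            acc = 0
    return ".".join(map(str, arcs))

def eku_oids(ext_value):
    """Parse an EKU extension value (SEQUENCE OF OBJECT IDENTIFIER) into dotted OIDs."""
    tag, body, _ = _read_tlv(ext_value, 0)
    if tag != 0x30:
        raise ValueError("EKU value must be a DER SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        tag, val, pos = _read_tlv(body, pos)
        if tag != 0x06:
            raise ValueError("EKU SEQUENCE may only contain OBJECT IDENTIFIERs")
        oids.append(decode_oid(val))
    return oids

def usable_for_ldaps_server(ext_value):
    """True if the cert may serve TLS; None means the cert has no EKU extension (unrestricted)."""
    if ext_value is None:
        return True
    oids = eku_oids(ext_value)
    return SERVER_AUTH in oids or ANY_EKU in oids

# Constructed sample EKU values (not from the thread): a typical server template
# (serverAuth + clientAuth) and a client-only template that would fail with error 26.
SERVER_EKU = bytes.fromhex("3014" "06082b06010505070301" "06082b06010505070302")
CLIENT_ONLY_EKU = bytes.fromhex("300a" "06082b06010505070302")
```

OpenSSL also reports error 26 when an issuing certificate in the chain is not marked as a CA in basicConstraints, so check the Enterprise root CA's own certificate as well as the domain controller's.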