Problem with enabling LDAP over SSL with a third-party Certification Authority

From: Perplexed (anonymous_at_discussions.microsoft.com)
Date: 09/27/04


Date: Mon, 27 Sep 2004 08:51:55 -0700

My setup is a single forest with a root and sub domain, a single DC in each. I have a Windows 2000 server in a workgroup that is running a Stand-Alone Root CA. I have been using "http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/advcert.mspx?pf=true" and everything seems ok until I try to do a certutil.exe -f -dspublish. Below is the error I rx (I removed some stuff but I assure you I am not using xxx and xxx.)

C:\Certs>c:\certs\certutil.exe -f -dspublish rootdc.cer machine
CN=ROOTDC,OU=Domain Controllers,DC=root,DC=xxx,DC=xxx?userCertificate

ldap: 0x13: 0000207C: AtrErr: DSID-0319060F, #1:
        0: 0000207C: DSID-0319060F, problem 1005 (CONSTRAINT_ATT_TYPE), data 0, Att 900dd (sAMAccountName)

CertUtil: -dsPublish command FAILED: 0x8007207c (WIN32: 8316)
CertUtil: A required attribute is missing.
--------------------
Also some other info that might help. Once I created the root CA I loaded that cert into the domain's GPO as a trusted root. I double-click on the cert I generate and it says it is trusted. I just can't seem to get the darn thing to load into AD.

Below is a dump of the .req file (some info has been modified):

C:\Certs>c:\certs\certutil.exe -dump rootdc.req
PKCS10 Certificate Request:
Version: 1
Subject:
    CN=ROOTDC.root.xxx.xxx

Public Key Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.1 RSA
    Algorithm Parameters:
    05 00
Public Key Length: 1024 bits
Public Key: UnusedBits = 0
    0000 30 81 89 02 81 81 00 b7 ef 6b 64 12 d6 5e 76 43
    0010 4f a5 19 21 10 32 b9 81 f8 ee ef 8e 31 4a 29 3a
    0020 23 a3 4c 83 65 de 33 95 0d a5 af d1 ea 8f d4 25
    0030 9b 81 ac 70 de 43 a7 2a 53 fb a8 8b 7e 08 6e 67
    0040 67 5d e8 69 bc ea fc c8 04 65 23 62 c8 21 68 c1
    0050 f0 b7 cc 00 c7 f5 f4 dd 92 1c d2 08 b0 11 d9 d1
    0060 a9 eb 43 32 7b 52 bb 32 94 9e 35 d6 dd 87 ee 07
    0070 db 83 c7 90 bb 2d 7c 3b f7 bb 7e 6f aa 9a 64 46
    0080 99 19 3d f0 d6 6d c9 02 03 01 00 01
Request Attributes: 4
  4 attributes:

  Attribute[0]: 1.3.6.1.4.1.311.13.2.3 (OS Version)
    Value[0][0]:
        5.0.2195.2

  Attribute[1]: 1.3.6.1.4.1.311.21.20 (Client Information)
    Value[1][0]:
    Unknown Attribute type
    Client Id: = 1
    XECI_XENROLL -- 1
    User: ROOT\rootadmin
    Machine: rootdc.root.xxx.xxx
    Process: CERTREQ

  Attribute[2]: 1.2.840.113549.1.9.14 (Certificate Extensions)
    Value[2][0]:
    Unknown Attribute type
Certificate Extensions: 4
    2.5.29.14: Flags = 0, Length = 16
    Subject Key Identifier
        18 45 40 c2 49 fc 05 d4 72 48 4a 42 4c e8 a5 62 ed 5c ed 96

    2.5.29.17: Flags = 1(Critical), Length = 3b
    Subject Alternative Name
        DNS Name=rootdc.root.xxx.xxx
        Other Name:
             1.3.6.1.4.1.311.25.1=04 10 21 17 8a 4a c2 fd f3 42 bf d7 7a f3 41 9 a1 a7

    2.5.29.37: Flags = 0, Length = 16
    Enhanced Key Usage
        Server Authentication(1.3.6.1.5.5.7.3.1)
        Client Authentication(1.3.6.1.5.5.7.3.2)

    2.5.29.15: Flags = 0, Length = 4
    Key Usage
        Digital Signature, Key Encipherment(a0)

  Attribute[3]: 1.3.6.1.4.1.311.13.2.2 (Enrollment CSP)
    Value[3][0]:
    Unknown Attribute type
    CSP Provider Info
    KeySpec = 1
    Provider = Microsoft RSA SChannel Cryptographic Provider
    Signature: UnusedBits=0
    0000 50 bf 51 b6 bc 35 9c f6 f9 62 ce ad 93 c3 7e 47
    0010 f0 01 37 f2 84 0b ef a1 e0 3f 0c 8a c3 1a 81 c0
    0020 af 7b 4e d7 11 c9 60 bc b1 82 99 0a c0 77 13 5c
    0030 fe 07 02 e6 7b c3 52 86 9c 88 b9 48 e1 d2 00 71
    0040 98 7f 7b 0e 23 84 da 8c ee 61 44 78 60 8d d3 a4
    0050 f1 d9 48 60 66 d5 97 5c 8a 86 68 98 a1 59 ae 4a
    0060 72 24 2f 23 01 7d 36 1b 70 dd c8 a2 d7 24 10 47
    0070 c3 3e 8a c7 86 c6 07 3e 4a ae 7a 4c 73 ca f1 1c
    0080 00 00 00 00 00 00 00 00
Signature Algorithm:
    Algorithm ObjectId: 1.2.840.113549.1.1.5 sha1RSA
    Algorithm Parameters:
    05 00
Signature: UnusedBits=0
    0000 3b 01 71 af 22 c6 4e 74 0c a5 61 02 c7 c6 5c 9e
    0010 a5 d2 e6 81 98 82 5f 06 84 17 d0 8e 11 13 32 50
    0020 06 19 13 75 13 7e 72 3e 7e 4b aa 38 d0 23 80 8d
    0030 12 ea c9 54 ba bf 62 e2 c1 49 10 4b 67 de 8d 7e
    0040 b3 c2 f5 ab 0f 4d 80 ce ef 05 b2 8f 1e 5c 13 ea
    0050 bd 3e 2d 27 d4 0a 44 a4 98 73 51 21 f3 76 15 90
    0060 b4 ae eb 08 80 2a 47 45 f7 00 28 59 c6 30 a4 38
    0070 47 95 47 f6 c5 25 26 b9 5b 13 f9 d8 73 9e 0b 41
Signature matches Public Key
Key Id Hash(sha1): 18 45 40 c2 49 fc 05 d4 72 48 4a 42 4c e8 a5 62 ed 5c ed 96
CertUtil: -dump command completed successfully.
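The error block in the post packs three things into a few hard-wrapped lines: the LDAP result code (0x13), the directory's own problem/attribute detail (problem 1005 on sAMAccountName), and the HRESULT certutil reports (0x8007207c, i.e. Win32 8316). When triaging this kind of failure from logs or a mailing-list paste it helps to pull those fields apart mechanically. The script below is an added example for this thread, not Microsoft's code and not part of the original post; it only parses text and never contacts a directory. The LDAP result-code names come from RFC 4511, the Win32 name for 8316 is the one certutil itself prints ("A required attribute is missing"), and the extra 8344 entry is assumed from the Win32 error list; the `CertUtilDsError` and `parse_certutil_error` names are this example's own.

```python
"""Decode the certutil / Active Directory LDAP error block quoted in the post.

Added example for this thread (not Microsoft's code, not part of the original
post).  It parses text only and never contacts a directory.  The sample block
below is copied from the post, redactions and mail wrapping included.
"""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# LDAPv3 result codes (RFC 4511 section 4.1.9) that directory writes commonly return.
LDAP_RESULT_CODES = {
    0: "success",
    16: "noSuchAttribute",
    17: "undefinedAttributeType",
    19: "constraintViolation",
    20: "attributeOrValueExists",
    21: "invalidAttributeSyntax",
    32: "noSuchObject",
    50: "insufficientAccessRights",
    65: "objectClassViolation",
}

# Win32 directory-service error codes.  8316 is the one on the page; 8344 is an
# assumed extra entry for the other failure a -dspublish commonly hits.
WIN32_DS_ERRORS = {
    8316: "ERROR_DS_MISSING_REQUIRED_ATT",  # 0x207C: "A required attribute is missing."
    8344: "ERROR_DS_INSUFF_ACCESS_RIGHTS",  # 0x2098: caller may not write the object
}

FACILITY_WIN32 = 7  # HRESULTs of the form 0x8007xxxx wrap a Win32 error code


@dataclass
class CertUtilDsError:
    ldap_code: Optional[int] = None        # LDAP result code, e.g. 0x13 = 19
    ldap_name: Optional[str] = None
    ds_error_class: Optional[str] = None   # AtrErr, NamErr, SvcErr, ...
    dsid: Optional[str] = None             # internal DS source id, useful in support cases
    problem: Optional[int] = None          # AD "problem" number, e.g. 1005
    problem_name: Optional[str] = None     # e.g. CONSTRAINT_ATT_TYPE
    attribute_id: Optional[int] = None     # attribute type id, e.g. 0x900dd
    attribute_name: Optional[str] = None   # e.g. sAMAccountName
    hresult: Optional[int] = None
    win32_code: Optional[int] = None
    win32_name: Optional[str] = None


def split_hresult(hr: int) -> Tuple[int, int, int]:
    """Return (severity, facility, code) for a 32-bit HRESULT."""
    return (hr >> 31) & 1, (hr >> 16) & 0x1FFF, hr & 0xFFFF


def parse_certutil_error(text: str) -> CertUtilDsError:
    """Extract the structured fields from a certutil -dspublish failure dump.

    Mail clients hard-wrap these dumps at arbitrary points, so every regex
    runs over the re-joined text rather than line by line.
    """
    blob = " ".join(line.strip() for line in text.splitlines())
    out = CertUtilDsError()

    m = re.search(r"ldap:\s*0x([0-9a-f]+):\s*[0-9a-f]{8}:\s*(\w+):\s*DSID-([0-9a-f]+)", blob, re.I)
    if m:
        out.ldap_code = int(m.group(1), 16)
        out.ldap_name = LDAP_RESULT_CODES.get(out.ldap_code, "unknown")
        out.ds_error_class = m.group(2)
        out.dsid = m.group(3).upper()

    m = re.search(r"problem\s+(\d+)\s+\((\w+)\)", blob)
    if m:
        out.problem, out.problem_name = int(m.group(1)), m.group(2)

    m = re.search(r"\bAtt\s+([0-9a-f]+)\s+\((\w+)\)", blob, re.I)
    if m:
        out.attribute_id, out.attribute_name = int(m.group(1), 16), m.group(2)

    m = re.search(r"FAILED:\s*0x([0-9a-f]{8})\s*\(WIN32:\s*(\d+)\)", blob, re.I)
    if m:
        out.hresult = int(m.group(1), 16)
        severity, facility, code = split_hresult(out.hresult)
        # Only failed FACILITY_WIN32 HRESULTs carry a Win32 code in the low 16 bits.
        if severity == 1 and facility == FACILITY_WIN32:
            out.win32_code = code
            out.win32_name = WIN32_DS_ERRORS.get(code, "unknown")
    return out


def summarize(err: CertUtilDsError) -> str:
    """One-line reading of the failure for a ticket or log note."""
    if err.ldap_code is None and err.hresult is None:
        return "no certutil/LDAP error block found"
    parts = []
    if err.ldap_code is not None:
        parts.append(f"LDAP {err.ldap_code} ({err.ldap_name}) from {err.ds_error_class}")
    if err.problem is not None:
        parts.append(f"problem {err.problem} {err.problem_name}")
    if err.attribute_name:
        parts.append(f"on attribute {err.attribute_name} (0x{err.attribute_id:x})")
    if err.win32_code is not None:
        parts.append(f"Win32 {err.win32_code} {err.win32_name}")
    return "; ".join(parts)


# Sample copied from the post, hard-wrapped exactly as it arrived in the thread.
SAMPLE = """\
ldap: 0x13: 0000207C: AtrErr: DSID-0319060F, #1:
        0: 0000207C: DSID-0319060F, problem 1005
(CONSTRAINT_ATT_TYPE), data 0,
Att 900dd (sAMAccountName)

CertUtil: -dsPublish command FAILED: 0x8007207c (WIN32:
8316)
CertUtil: A required attribute is missing.
"""

if __name__ == "__main__":
    print(summarize(parse_certutil_error(SAMPLE)))
```

Run as-is it prints the decoded reading of the post's error: LDAP 19 (constraintViolation) raised as an attribute error, problem 1005 CONSTRAINT_ATT_TYPE on sAMAccountName, Win32 8316 ERROR_DS_MISSING_REQUIRED_ATT. Decoding the HRESULT rather than eyeballing it matters because certutil prints the same 0x8007xxxx shape for many unrelated directory failures, and the low 16 bits are what actually identify the one you have.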