Re: ADAM SSL

From: Dmitri Gavrilov [MSFT] (dmitrig_at_online.microsoft.com)
Date: 05/13/04


Date: Thu, 13 May 2004 11:22:47 -0600

See my other post. Also, like Lee noted, private key files are protected
from inheritance, so you need to either force propagation or modify security
on the actual file.

-- 
Dmitri Gavrilov
SDE, Active Directory Core
This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
"CY" <anonymous@discussions.microsoft.com> wrote in message
news:4BC90032-EEAF-4414-BA56-454739659BE4@microsoft.com...
> I tried giving full control for Everyone on my test ADAM server but still
> failed to connect.
>
> This is the test certificate I imported into the Trusted root CA store on
> the client (a machine in the same domain).  adam.domain.local is my adam
> server.  Do you think this is a certificate issuing problem or ADAM SSL
> problem?
>
> ================ Certificate 4 ================
> Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
> Issuer: CN=adam.domain.local, DC=DOMAIN, DC=local
> Subject: CN=adam.domain.local, DC=DOMAIN, DC=local
> Certificate Template Name: CA
> CA Version: V0.0
> Signature matches Public Key
> Root Certificate: Subject matches Issuer
> Template: CA, Root Certification Authority
> Cert Hash(sha1): xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
>   Key Container = adam.domain.local
>   Provider = Microsoft Strong Cryptographic Provider
> Signature test passed
>
>
>      ----- Dmitri Gavrilov [MSFT] wrote: -----
>
>      AD (lsass) and ADAM (dsamain) run under different service accounts
>      usually.
>      You must make sure ADAM's service account has read access to the
>      private key corresponding to the cert. It is stored in a file in the
>      c:\documents and settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
>      folder.
>
>      -- 
>      Dmitri Gavrilov
>      SDE, Active Directory Core
>
>      This posting is provided "AS IS" with no warranties, and confers no
>      rights.
>      Use of included script samples is subject to the terms specified at
>      http://www.microsoft.com/info/cpyright.htm
>
>      "CY" <cyli28@hotmail.com> wrote in message
>      news:#SU6E1wNEHA.3348@TK2MSFTNGP09.phx.gbl...
>      > Yes I have done that, gave full control to network service and
>      > administrator accounts.  Still cannot figure out why I can connect
>      > to port 636 (which means no problem with the certificate right?) but
>      > not to 50001.
>      >
>      > "Lee Flight" <lef@le.ac.uk-nospam> wrote in message
>      > news:u66SO8mNEHA.3712@TK2MSFTNGP10.phx.gbl...
>      >> Have you checked the "start_here.htm" file that ships with ADAM in
>      >> the section on "Using SSL certificates with ADAM" it explains that
>      >> permission is required on the on-disk certificate store for the
>      >> account running the ADAM instance (service).
>      >>
>      >> Bear in mind the usual reservation over how wise it is to use a
>      >> Domain Controller for running other services (ADAM in this case).
>      >>
>      >> -- 
>      >> Lee Flight
>      >>
>      >> "CY" <cyli28@hotmail.com> wrote in message
>      >> news:u%23jUw5jNEHA.3476@TK2MSFTNGP09.phx.gbl...
>      >>> Hi,
>      >>> I am trying to connect to my ADAM instance running on a domain
>      >>> controller (ssl port 50001) using SSL.  I have installed the
>      >>> certificate into the local computer cert store.  I can connect to
>      >>> the default SSL port 636 at localhost but cannot connect to my
>      >>> instance's SSL port at 50001, see error below.  I have checked that
>      >>> port 50001 is listening.  How do I connect to the instance's SSL
>      >>> port?
>      >>>
>      >>> ld = ldap_sslinit("localhost", 50001, 1);
>      >>> Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
>      >>> LDAP_VERSION3);
>      >>> Error <0x51> = ldap_connect(hLdap, NULL);
>      >>> Server error: <empty>
>      >>> Error <0x51>: Fail to connect to localhost.
>      >>>
>      >>> Thanks
>      >>> CY
>      >>>
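The check the thread converges on (the ADAM service account must be able to read the on-disk private key file, and the ACE has to be set on the file itself because MachineKeys entries do not pick up inherited permissions) can be scripted. The following is an added example written for this page, not code from the thread or from Microsoft; it uses PowerShell, which did not exist when the thread was written, but the files and permissions it inspects are the same ones Dmitri and Lee describe. It assumes the certificate's key was created by a legacy CSP such as "Microsoft Strong Cryptographic Provider" (as in CY's certutil output), so the key is a file under ...\Microsoft\Crypto\RSA\MachineKeys; the `$Thumbprint` and `$ServiceAccount` parameters and the NETWORK SERVICE default are the script's own assumptions, and it must be run elevated on the ADAM host.

```powershell
# Added example (not from the thread): report, and with -Fix grant, Read access
# for the ADAM instance's service account on the private key file that backs
# the SSL certificate in the Local Computer personal store.
param(
    [Parameter(Mandatory = $true)]
    [string] $Thumbprint,                                        # SHA-1 hash as certutil prints it
    [string] $ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE',   # assumed default; use the real ADAM account
    [switch] $Fix                                                # without -Fix the script only reports
)

# certutil prints the hash with spaces; normalise to the bare hex string.
$Thumbprint = $Thumbprint -replace '[^0-9A-Fa-f]', ''

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) {
    throw "Certificate '$($cert.Subject)' has no private key attached; SSL cannot use it"
}

# For CSP keys the container's unique name is the file name under MachineKeys.
# (CNG keys live elsewhere and are out of scope for this script.)
$cspInfo = $cert.PrivateKey.CspKeyContainerInfo
if (-not $cspInfo -or -not $cspInfo.MachineKeyStore) {
    throw "Private key is not a machine-store CSP key; only MachineKeys files are handled here"
}
# CommonApplicationData resolves to 'Documents and Settings\All Users\Application Data'
# on Windows Server 2003 and to 'ProgramData' on later versions.
$keyDir  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) 'Microsoft\Crypto\RSA\MachineKeys'
$keyFile = Join-Path $keyDir $cspInfo.UniqueKeyContainerName
if (-not (Test-Path -Path $keyFile)) { throw "Expected key file not found: $keyFile" }

"Certificate : $($cert.Subject)"
"Provider    : $($cspInfo.ProviderName)"
"Key file    : $keyFile"

# Compare ACEs by SID so that entries stored by name or by SID match the same account.
$sid = (New-Object System.Security.Principal.NTAccount($ServiceAccount)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value
$readMask = [int][System.Security.AccessControl.FileSystemRights]::Read

$acl = Get-Acl -Path $keyFile
# An explicit Allow ACE that contains every bit of FileSystemRights.Read counts;
# FullControl qualifies too. Generic-rights ACEs are not recognised and would
# simply lead to an explicit Read ACE being added under -Fix.
$hasRead = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq $sid -and
    (([int]$_.FileSystemRights -band $readMask) -eq $readMask)
}

if ($hasRead) {
    "OK      : $ServiceAccount already has Read on the key file"
} elseif ($Fix) {
    # The key file does not inherit ACEs from the MachineKeys folder, so the
    # rule is added to the file itself rather than to the directory.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $keyFile -AclObject $acl
    "FIXED   : granted Read on the key file to $ServiceAccount; restart the ADAM instance"
} else {
    "MISSING : $ServiceAccount cannot read the key file; rerun with -Fix to grant Read"
}
```

Run it as, for example, `.\Check-AdamKeyAcl.ps1 -Thumbprint '<sha1 hash from certutil>' -ServiceAccount 'DOMAIN\svc-adam'` first to see the verdict, then again with `-Fix` to add the ACE. The `HasPrivateKey` check is there because the symptom in this thread (port 636, served by lsass as LocalSystem, works while the ADAM port does not) is indistinguishable from a certificate that has no private key at all until you look at the key file itself.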

