Re: Setting passwords in ADAM
- From: "Norm" <Norm@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 29 Aug 2005 08:10:02 -0700
I'm in a class this week, so I'll check the cert when I get back tonight. I
tried giving 'everyone' full control, and that didn't work, so maybe
something with the name on the cert.
"Lee Flight" wrote:
> Hi
>
> yes it's the key in that folder that needs the permissions set;
> note that it has to be permissions on the key as the
> keys do not inherit perms from the folder.
>
> How did you issue the cert?
> What name is the cert "Issued To"?
>
> Thanks
> Lee Flight
>
> "Norm" <Norm@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:0A841DEE-D70A-4649-85C9-4DDBE7C4C8B4@xxxxxxxxxxxxxxxx
> > I checked the registry, and it was already set to 1. I set it to 7 and
> > still see the same error in the event log:
> >
> > LDAP over Secure Sockets Layer (SSL) will be unavailable at this time
> > because the server was unable to obtain a certificate.
> >
> > Additional Data
> > Error value:
> > 8009030e No credentials are available in the security package
> >
> > I checked the security on the key and even gave "everyone" full control -
> > same error.
> > This is the key in documents and settings\all users\application
> > data\microsoft\crypto\rsa\machinekeys\ ?
> >
> >
> > "Lee Flight" wrote:
> >
> >> Hi
> >>
> >> ldapmodify makes sense as the KB269190 indicates and the
> >> ds behavior setting explains the ability to do this outside SSL.
> >>
> >> On getting the certificate to work, it looks like ADAM is not finding
> >> your cert which can be an issue with permissions on the key or
> >> a shortcoming in the cert. Did you set the permissions on the
> >> key as per the notes?
> >>
> >> Bumping the diagnostics on Schannel
> >> will likely give more information:
> >>
> >> http://support.microsoft.com/?id=260729
> >>
> >> set it to 0x7 and then (1) restart the ADAM instance service and
> >> (2) attempt the SSL connection and see what Schannel logs in the
> >> system event log.
> >>
> >> Beyond that we will need to know how you created/obtained the
> >> cert...
> >>
> >> Something else to think about is how the secure channel requirement
> >> for password operations got disabled in the first instance. The reason
> >> for asking that is once you get ADAM to use the cert you will then
> >> have to make sure that your (Perl) client trusts the cert which
> >> will mean needing to know how the client cert store is used by
> >> your perl modules.
> >>
> >> Lee Flight
> >>
> >> "Norm" <Norm@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> news:49112B7B-AE40-4B95-9A7C-2ABF10CA85CB@xxxxxxxxxxxxxxxx
> >> > When I look in the event log I see the following error:
> >> > LDAP over Secure Sockets Layer (SSL) will be unavailable at this time
> >> > because the server was unable to obtain a certificate.
> >> >
> >> > Additional Data
> >> > Error value:
> >> > 8009030e No credentials are available in the security package
> >> >
> >> > I found an article talking about that error code, but it has to do with
> >> > a biztalkserver...
> >> >
> >> > "Lee Flight" wrote:
> >> >
> >> >> Hi
> >> >>
> >> >> it is possible to disable the secure channel requirement for password
> >> >> operations see:
> >> >>
> >> >> Allowing the setting of passwords over a non-SSL connection
> >> >>
> >> >> in the start_here.htm in the directory where you unpacked ADAM to
> >> >> check what setting you have.
> >> >>
> >> >> Does the ldapmodify command line indicate what security is
> >> >> being used?
> >> >>
> >> >> Some notes on setting up SSL are here:
> >> >>
> >> >> http://groups.google.co.uk/group/microsoft.public.windows.server.active_directory/msg/6a89876d200518cf?hl=en
> >> >>
> >> >> Lee Flight
> >> >>
> >> >>
> >> >> "Norm" <Norm@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> news:BC293ED7-2DCB-4AA6-8E0A-CE8751CBAD67@xxxxxxxxxxxxxxxx
> >> >> > We are NOT using a secure connection, yet it seems to set the
> >> >> > password without any errors. We have another web based tool that goes
> >> >> > against another adam instance and it is able to set passwords as well,
> >> >> > though it is using ldapmodify. Very strange indeed. I am trying to set
> >> >> > up ssl for adam, but as of yet I have had no luck. I created a
> >> >> > certificate and it seems to work for IIS, but adam keeps saying that
> >> >> > it can't find a certificate in the event logs. I loaded the
> >> >> > certificates snapin for the adam instance and can see the
> >> >> > certificates in the Trusted Root Certification Authorities and the
> >> >> > Intermediate Certification Authorities, but I don't know how to put
> >> >> > it into the Instance_Name\Personal area - if it needs to be there also.
> >> >> >
> >> >> > "Lee Flight" wrote:
> >> >> >
> >> >> >> Hi
> >> >> >>
> >> >> >> if you are using the unicodePwd attribute it needs to be a quoted
> >> >> >> Unicode string:
> >> >> >>
> >> >> >> http://support.microsoft.com/?kbid=269190
> >> >> >>
> >> >> >> http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP/FAQ.pod#..._in_MS_Active_Directory_?
> >> >> >>
> >> >> >> the userPassword attribute is a write alias for unicodePwd
> >> >> >> and only needs to be in UTF-8
> >> >> >>
> >> >> >> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_userpassword.asp
> >> >> >>
> >> >> >> but I'm not sure if that works from perl.
> >> >> >>
> >> >> >> Also password operations have to take place over a secure channel
> >> >> >> (probably ldaps from perl).
> >> >> >>
> >> >> >> Something else to bear in mind is that if you create a user without
> >> >> >> setting a password that satisfies the password policy then the
> >> >> >> account will be created as disabled
> >> >> >> msDS-UserAccountDisabled TRUE
> >> >> >>
> >> >> >>
> >> >> >> Lee Flight
> >> >> >>
> >> >> >> "Norm" <Norm@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> >> >> news:475AC432-F428-4A86-B6D0-4394F2E8999A@xxxxxxxxxxxxxxxx
> >> >> >> > We are trying to set passwords in ADAM with a net::ldap perl
> >> >> >> > script - we're moving from a different directory to ADAM.
> >> >> >> > Afterwards I get invalid credentials when trying to do an
> >> >> >> > ldapsearch using my DN and password. I assume this is because the
> >> >> >> > perl function is writing the password directly to the attribute
> >> >> >> > and ADAM thinks that it is a hashed value during later operations?
> >> >> >> > If I go in and set the password via adsiedit, the ldapsearch then
> >> >> >> > works. If we should be writing a hashed value, what encryption
> >> >> >> > does ADAM employ?
> >> >> >> >
> >> >> >> > Thanks, Norm.
> >> >> >> >
> >> >> >>
> >> >> >>
> >> >> >>
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>
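The following Net::LDAP script is an added example, not Norm's script and not anything posted in this thread. It shows the two things Lee Flight points to: unicodePwd has to be written as the new password wrapped in double quotes and encoded as UTF-16LE (the plain-text write is what leaves the account unable to bind), and the write has to happen over LDAPS, here with the server certificate checked against a CA file so a wrong or self-signed ADAM cert is rejected rather than silently accepted. The host name, DNs, passwords and CA path are placeholders.

```perl
#!/usr/bin/perl
# Added example: set an ADAM user's password over LDAPS with Net::LDAP.
# Host name, DNs, passwords and the CA file path are placeholders.
use strict;
use warnings;
use Net::LDAP;
use Encode qw(encode);

my $host    = 'adam.example.com';                  # placeholder
my $cafile  = '/etc/ssl/certs/example-ca.pem';     # placeholder: CA that issued the ADAM cert
my $bind_dn = 'CN=Admin,OU=Users,O=Example,C=US';  # placeholder
my $bind_pw = 'AdminPassword';                     # placeholder
my $user_dn = 'CN=jdoe,OU=Users,O=Example,C=US';   # placeholder
my $new_pw  = 'N3w-P@ssw0rd';                      # placeholder

# unicodePwd must be the clear-text password in double quotes, encoded as
# UTF-16LE. Writing the bare string instead stores a value ADAM cannot use,
# which is why the later ldapsearch bind fails with invalid credentials.
sub encode_unicode_pwd {
    my ($plain) = @_;
    return encode('UTF-16LE', qq("$plain"));
}

# Open an LDAPS (port 636) connection. verify => 'require' makes the client
# validate the server certificate against $cafile instead of trusting it
# blindly; if ADAM still logs "unable to obtain a certificate" this connect
# fails here rather than falling back to clear text.
sub connect_ldaps {
    my $ldap = Net::LDAP->new(
        $host,
        scheme => 'ldaps',
        port   => 636,
        verify => 'require',
        cafile => $cafile,
    ) or die "LDAPS connect to $host failed: $@";
    return $ldap;
}

my $ldap = connect_ldaps();
my $mesg = $ldap->bind($bind_dn, password => $bind_pw);
die 'admin bind failed: ' . $mesg->error if $mesg->code;

# Password writes are only accepted over a secure channel unless the
# non-SSL override described in start_here.htm has been set; over LDAPS
# no override is needed.
$mesg = $ldap->modify(
    $user_dn,
    replace => { unicodePwd => encode_unicode_pwd($new_pw) },
);
die 'password set failed: ' . $mesg->error if $mesg->code;
$ldap->unbind;

# Same check the thread does with ldapsearch: bind as the user with the
# new password. If the account was created disabled for failing the
# password policy (msDS-UserAccountDisabled TRUE) this bind will fail too.
my $check = connect_ldaps();
$mesg = $check->bind($user_dn, password => $new_pw);
die 'verification bind failed: ' . $mesg->error if $mesg->code;
$check->unbind;

print "password updated and verified for $user_dn\n";
```

The verification bind at the end is the useful part when migrating accounts in bulk: a script that only checks the modify result will not notice an account that was created disabled for not meeting the password policy, whereas the rebind catches it immediately.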