Re: Setting passwords in ADAM



Ok, I seem to be able to get adam ssl to work now and have done it a couple
of times. I was going from another example before and using iis to issue a
request file, then the certsrv page to request the certificate via base64
encoded file instead of just using the Create and submit a request to this CA.

I really appreciate all the great help - I think I can make this work now!


"Lee Flight" wrote:

> Hi
>
> the things I have used are Windows Enterprise Certificate services and a
> self-certified cert (using the selfSSL tool).
>
> I did write up some notes on using a Windows Root Certificate Authority
> which sounds like what you are attempting. Notes are here:
>
> http://groups.google.co.uk/group/microsoft.public.adsi.general/msg/08089a993d5d0c34?hl=en&;
>
> Lee Flight
>
> "Norm" <Norm@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> news:A5B8721A-6843-4401-9C1D-89EA18339FD0@xxxxxxxxxxxxxxxx
> > Ok, I now have it working for the most part. Seems to be how I am
> > generating the cert. It's all very confusing - I installed certificate
> > services, then submitted a request for the default web services, then went
> > to the certsrv web page to request a cert. Had to then use the snapin to
> > issue the cert, then back to the web page to review pending certs and
> > download. Suddenly it started working - I'll go through the whole process
> > again tomorrow to see if I can repeat. Is there a good doc on creating a
> > cert - I've looked at several, but there always seems to be a step that is
> > left out or doesn't work.
> >
> >
> > "Norm" wrote:
> >
> >> I'm in a class this week, so I'll check the cert when I get back tonight.
> >> I tried giving 'everyone' full control, and that didn't work, so maybe
> >> something with the name on the cert.
> >>
> >> "Lee Flight" wrote:
> >>
> >> > Hi
> >> >
> >> > yes it's the key in that folder that needs the permissions set;
> >> > note that it has to be permissions on the key as the
> >> > keys do not inherit perms from the folder.
> >> >
> >> > How did you issue the cert?
> >> > What name is the cert "Issued To"?
> >> >
> >> > Thanks
> >> > Lee Flight
> >> >
> >> > "Norm" <Norm@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> > news:0A841DEE-D70A-4649-85C9-4DDBE7C4C8B4@xxxxxxxxxxxxxxxx
> >> > > I checked the registry, and it was already set to 1. I set it to 7
> >> > > and still see the same error in the event log:
> >> > >
> >> > > LDAP over Secure Sockets Layer (SSL) will be unavailable at this
> >> > > time because the server was unable to obtain a certificate.
> >> > >
> >> > > Additional Data
> >> > > Error value:
> >> > > 8009030e No credentials are available in the security package
> >> > >
> >> > > I checked the security on the key and even gave "everyone" full
> >> > > control - same error.
> >> > > This is the key in documents and settings\all users\application
> >> > > data\microsoft\crypto\rsa\machinekeys\ ?
> >> > >
> >> > >
> >> > > "Lee Flight" wrote:
> >> > >
> >> > >> Hi
> >> > >>
> >> > >> ldapmodify makes sense as the KB269190 indicates and the
> >> > >> ds behavior setting explains the ability to do this outside SSL.
> >> > >>
> >> > >> On getting the certificate to work, it looks like ADAM is not
> >> > >> finding your cert which can be an issue with permissions on the key
> >> > >> or a shortcoming in the cert. Did you set the permissions on the
> >> > >> key as per the notes?
> >> > >>
> >> > >> Bumping the diagnostics on Schannel
> >> > >> will likely give more information:
> >> > >>
> >> > >> http://support.microsoft.com/?id=260729
> >> > >>
> >> > >> set it to 0x7 and then (1) restart the ADAM instance service and
> >> > >> (2) attempt the SSL connection and see what Schannel logs in the
> >> > >> system event log.
> >> > >>
> >> > >> Beyond that we will need to know how you created/obtained the
> >> > >> cert...
> >> > >>
> >> > >> Something else to think about is how the secure channel requirement
> >> > >> for password operations got disabled in the first instance. The
> >> > >> reason for asking that is once you get ADAM to use the cert you will
> >> > >> then have to make sure that your (Perl) client trusts the cert which
> >> > >> will mean needing to know how the client cert store is used by
> >> > >> your perl modules.
> >> > >>
> >> > >> Lee Flight
> >> > >>
> >> > >> "Norm" <Norm@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> > >> news:49112B7B-AE40-4B95-9A7C-2ABF10CA85CB@xxxxxxxxxxxxxxxx
> >> > >> > When I look in the event log I see the following error:
> >> > >> > LDAP over Secure Sockets Layer (SSL) will be unavailable at this
> >> > >> > time because the server was unable to obtain a certificate.
> >> > >> >
> >> > >> > Additional Data
> >> > >> > Error value:
> >> > >> > 8009030e No credentials are available in the security package
> >> > >> >
> >> > >> > I found an article talking about that error code, but it has to do
> >> > >> > with a biztalkserver...
> >> > >> >
> >> > >> > "Lee Flight" wrote:
> >> > >> >
> >> > >> >> Hi
> >> > >> >>
> >> > >> >> it is possible to disable the secure channel requirement for
> >> > >> >> password operations, see:
> >> > >> >>
> >> > >> >> Allowing the setting of passwords over a non-SSL connection
> >> > >> >>
> >> > >> >> in the start_here.htm in the directory where you unpacked ADAM to
> >> > >> >> check what setting you have.
> >> > >> >>
> >> > >> >> Does the ldapmodify command line indicate what security is
> >> > >> >> being used?
> >> > >> >>
> >> > >> >> Some notes on setting up SSL are here:
> >> > >> >>
> >> > >> >> http://groups.google.co.uk/group/microsoft.public.windows.server.active_directory/msg/6a89876d200518cf?hl=en
> >> > >> >>
> >> > >> >> Lee Flight
> >> > >> >>
> >> > >> >>
> >> > >> >> "Norm" <Norm@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> > >> >> news:BC293ED7-2DCB-4AA6-8E0A-CE8751CBAD67@xxxxxxxxxxxxxxxx
> >> > >> >> > We are NOT using a secure connection, yet it seems to set the
> >> > >> >> > password without any errors. We have another web based tool that
> >> > >> >> > goes against another adam instance and it is able to set
> >> > >> >> > passwords as well, though it is using ldapmodify. Very strange
> >> > >> >> > indeed. I am trying to set up ssl for adam, but as of yet I have
> >> > >> >> > had no luck. I created a certificate and it seems to work for
> >> > >> >> > IIS, but adam keeps saying that it can't find a certificate in
> >> > >> >> > the event logs. I loaded the certificates snapin for the adam
> >> > >> >> > instance and can see the certificates in the Trusted Root
> >> > >> >> > Certification Authorities and the Intermediate Certification
> >> > >> >> > Authorities, but I don't know how to put it into the
> >> > >> >> > Instance_Name\Personal area - if it needs to be there also.
> >> > >> >> >
> >> > >> >> > "Lee Flight" wrote:
> >> > >> >> >
> >> > >> >> >> Hi
> >> > >> >> >>
> >> > >> >> >> if you are using the unicodePwd attribute it needs to be a
> >> > >> >> >> quoted Unicode string:
> >> > >> >> >>
> >> > >> >> >> http://support.microsoft.com/?kbid=269190
> >> > >> >> >>
> >> > >> >> >> http://search.cpan.org/~gbarr/perl-ldap/lib/Net/LDAP/FAQ.pod#..._in_MS_Active_Directory_?
> >> > >> >> >>
> >> > >> >> >> the userPassword attribute is a write alias for unicodePwd
> >> > >> >> >> and only needs to be in UTF-8
> >> > >> >> >>
> >> > >> >> >> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/adschema/adschema/a_userpassword.asp
> >> > >> >> >>
> >> > >> >> >> but I'm not sure if that works from perl.
> >> > >> >> >>
> >> > >> >> >> Also password operations have to take place over a secure
> >> > >> >> >> channel (probably ldaps from perl).
> >> > >> >> >>
> >> > >> >> >> Something else to bear in mind is that if you create a user
> >> > >> >> >> without setting a password that satisfies the password policy
> >> > >> >> >> then the account will be created as disabled
> >> > >> >> >> msDS-UserAccountDisabled TRUE
> >> > >> >> >>
> >> > >> >> >>
> >> > >> >> >> Lee Flight
> >> > >> >> >>
> >> > >> >> >> "Norm" <Norm@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
> >> > >> >> >> news:475AC432-F428-4A86-B6D0-4394F2E8999A@xxxxxxxxxxxxxxxx
> >> > >> >> >> > We are trying to set passwords in ADAM with a net::ldap perl
> >> > >> >> >> > script - we're moving from a different directory to ADAM.
> >> > >> >> >> > Afterwards I get invalid credentials when trying to do an
> >> > >> >> >> > ldapsearch using my DN and password. I assume this is because
> >> > >> >> >> > the perl function is writing the password directly to the
> >> > >> >> >> > attribute and ADAM thinks that it is a hashed value during
> >> > >> >> >> > later operations? If I go in and set the password via
> >> > >> >> >> > adsiedit, the ldapsearch then works. If we should be writing
> >> > >> >> >> > a hashed value, what encryption does ADAM employ?
> >> > >> >> >> >
> >> > >> >> >> > Thanks, Norm.
> >> > >> >> >> >
> >> > >> >> >>
> >> > >> >> >>
> >> > >> >> >>
> >> > >> >>
> >> > >> >>
> >> > >> >>
> >> > >>
> >> > >>
> >> > >>
> >> >
> >> >
> >> >
>
>
>
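The quoted UTF-16LE form that Lee Flight describes for unicodePwd (KB269190), next to the plain UTF-8 userPassword write alias, as an added example that is not code from the thread. It is written in Python rather than the Net::LDAP Perl of the original script, builds LDIF records of the kind ldapmodify accepts, and the DN and password are constructed sample values; it also shows why a password written as a raw string, as the first post describes, is not a valid unicodePwd value.

```python
import base64

def encode_unicode_pwd(password: str) -> bytes:
    """Encode a cleartext password the way ADAM/AD expect it in unicodePwd:
    the password wrapped in double quotes, then UTF-16LE with no BOM."""
    return ('"' + password + '"').encode("utf-16-le")

def decode_unicode_pwd(value: bytes) -> str:
    """Inverse of encode_unicode_pwd. Raises ValueError for anything that is
    not a quoted UTF-16LE string (for example a password sent as raw UTF-8)."""
    try:
        text = value.decode("utf-16-le")
    except UnicodeDecodeError as exc:
        raise ValueError("not UTF-16LE: %s" % exc) from None
    if len(text) < 2 or text[0] != '"' or text[-1] != '"':
        raise ValueError("unicodePwd value must be wrapped in double quotes")
    return text[1:-1]

def is_well_formed_unicode_pwd(value: bytes) -> bool:
    """True if 'value' is what the directory expects in unicodePwd."""
    try:
        decode_unicode_pwd(value)
        return True
    except ValueError:
        return False

def _ldif_modify(dn: str, attr: str, raw: bytes) -> str:
    # LDIF 'modify' record; the '::' form carries a base64 value so that the
    # binary UTF-16LE bytes (or any odd character) are LDIF-safe.
    b64 = base64.b64encode(raw).decode("ascii")
    return "\n".join([f"dn: {dn}", "changetype: modify",
                      f"replace: {attr}", f"{attr}:: {b64}", "-", ""])

def unicode_pwd_ldif(dn: str, password: str) -> str:
    """Password change through unicodePwd (quoted UTF-16LE)."""
    return _ldif_modify(dn, "unicodePwd", encode_unicode_pwd(password))

def user_password_ldif(dn: str, password: str) -> str:
    """Same change through the userPassword write alias: plain UTF-8, no quotes."""
    return _ldif_modify(dn, "userPassword", password.encode("utf-8"))

if __name__ == "__main__":
    dn = "CN=norm,OU=users,O=example"   # constructed sample DN
    pw = "Pa$$w0rd!"                    # constructed sample password
    print(unicode_pwd_ldif(dn, pw))
    print(user_password_ldif(dn, pw))
    # The raw string the original Perl script appears to have written:
    print(is_well_formed_unicode_pwd(pw.encode("utf-8")))  # False
```

Either record still has to be sent over the SSL channel the rest of the thread is about, unless the ds-behavior setting has been changed to allow password operations without it.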