Re: Installing Enterprise CA broke existing LDAP SSL on the DC's



Hello,
If you run certutil -dcinfo deleteBad it will drop all certs and request a
new one from your new enterprise CA.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services
----------------------------------------------------------------
"cloudboy" <cloudboy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:B370F975-7846-496F-988D-8A7C1E85E07F@xxxxxxxxxxxxxxxx
Prior to 2/24/2006, secure LDAP authentication to all of our domain
controllers worked properly. We use a separate commercial certificate on
each domain controller.

On 2/24/2006, an Enterprise CA was created on a member server for the
purposes of Smart Card logon to the domain controllers by domain admins. A
new cert was therefore issued to each DC.

A new group policy was created and linked to the Domain Controllers OU
which has the following setting "Interactive Logon: Smart Card Authentication
Required" enabled.

Each DC now has two certificates - one from the Enterprise CA (for smart
card logon) and one from Equifax (for secure LDAP).

Macintosh email clients (Entourage) who have Exchange mailboxes are
configured to use a secure LDAP connection to one of the DC's to perform
Global Address book lookups. Following the installation of the Enterprise
CA, Macintosh users receive the following error when attempting to access
the Global Address List:

"Unable to establish a secure connection to host.domain_name because the
correct root certificate is not installed".

In troubleshooting this issue, I've used LDP.exe to connect to the domain
controllers via secure LDAP, and have been prompted for a smart card.
Since this is not an interactive logon, I did not expect this.

--
Thanks,

cloudboy
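A quick way to see the situation the thread describes from the DC's side: list every server-authentication certificate Schannel could choose from, then open an LDAPS handshake to the DC and read back which one it actually presents. This is an added example, not code from either poster; it assumes PowerShell 3 or later (member enumeration), a placeholder DC FQDN, and "Equifax" as the issuer string the LDAP clients already trust.

```powershell
# Added example (not from the thread): inventory the server-auth certificates on a DC
# and show which one the DC actually hands out on LDAPS (636). Run on the DC itself.
$DcFqdn         = 'dc1.domain_name'         # placeholder: your DC's FQDN
$ExpectedIssuer = 'Equifax'                 # the commercial CA the LDAPS clients trust
$ServerAuthEku  = '1.3.6.1.5.5.7.3.1'       # Server Authentication
$SmartCardEku   = '1.3.6.1.4.1.311.20.2.2'  # Smart Card Logon

# 1. Every machine cert that Schannel could pick for server authentication.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthEku)
}

Write-Host "Server-auth certificates in LocalMachine\My on $($env:COMPUTERNAME):"
foreach ($c in $candidates) {
    $role = if ($c.EnhancedKeyUsageList.ObjectId -contains $SmartCardEku) { 'smart-card/enterprise' } else { 'server-only' }
    '{0}  {1,-22} issuer={2}  expires={3:d}' -f $c.Thumbprint, $role, $c.Issuer, $c.NotAfter
}
if (@($candidates).Count -gt 1) {
    Write-Warning 'More than one server-auth cert: Schannel chooses one for LDAPS, not necessarily the commercial one.'
}

# 2. Ask the DC which certificate it really presents on 636. The validation callback
#    always returns $true so the handshake completes even when this client does not
#    trust the issuing CA (the situation the Mac clients are in), so we can inspect it.
$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
try {
    $ssl.AuthenticateAsClient($DcFqdn)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "LDAPS on ${DcFqdn}:636 presents $($served.Thumbprint) issued by $($served.Issuer)"
    if ($served.Issuer -notlike "*$ExpectedIssuer*") {
        Write-Warning "Presented cert is not from $ExpectedIssuer; clients without the enterprise root will fail."
    }
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

If the second step shows the enterprise-issued certificate, the clients' "root certificate is not installed" error is explained without touching the client side at all.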

