Re: ADAM SP1 on Win2K3 SP1
- From: "Lee Flight" <lef@xxxxxxxxxxxxxxx>
- Date: Tue, 29 Aug 2006 09:36:04 +0100
Hi,
as you noted, if running ADAM on a DC you should be
using a standard domain account, not Network Service.
There are some notes on ADAM SSL configuration here:
http://groups.google.co.uk/group/microsoft.public.windows.server.active_directory/msg/6a89876d200518cf?hl=en
In particular note that you must set appropriate permissions on *individual*
keys in Users\ApplicationData\Microsoft\Crypto\RSA\MachineKeys as
the keys in that folder do not inherit permissions.
Lee Flight
"Bo Zhu" <ffkiller@xxxxxxxxxxxxxxxxx> wrote in message
news:edYZ7XnyGHA.4104@xxxxxxxxxxxxxxxxxxxxxxx
Okay, the second mystery is solved. I didn't use dsdbutil to change ADAM
service account, that's why I'm getting some JET DB related error.
The first problem remains there.
Bo Zhu wrote:
Hi,
I have two questions related to ADAM running on a domain controller.
1. SSL connection with non-administrative account
I followed a pretty detailed step-by-step guide
(http://www.oftedal.no/~erlend/?blogid=7) on how to setup SSL certificate
with ADAM, like generating a server authentication certificate, place the
certificate in service account certificate store, granting read access
to private key files, etc. But after all configuration steps were done, I
was only able to connect to my ADAM instance through SSL if ADAM is run
by an Administrative account. If I run ADAM service with "NT
Authority\Network Service", which is the default account selected during
ADAM instance creation, ldp.exe always fails to connect with the following
error message:
ld = ldap_sslinit("ffkillervm2k3.zb.encentuate.com", 50001, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to ffkillervm2k3.zb.encentuate.com.
I found something in one ADAM FAQ from Microsoft that says I can use
"certutil -store my" command to see the file name of the private key
whose Read permission should be granted to the service account used to
run ADAM service. But all I got for the "Key Container" attribute after
running this command is the name of root CA certificate I generated
earlier. I even granted Read permission of "C:\Documents and Settings\All
Users\Application Data\Microsoft\Crypto\RSA\MachineKeys" folder and all
sub-folders to "NT Authority\Network Service" account and still SSL
connection fails.
2. Running ADAM service with a domain user account
ADAM Help states I should not run ADAM service with "NT AUTHORITY\NETWORK
SERVICE" account if the instance is running on a domain controller. So I
created a new domain user in my test AD and used that account to run
ADAM. I have also enabled "Log on as a service" and "Generate security
audits" for the new domain user account in Default Domain Controllers
Policy. Unfortunately I'm not able to start ADAM service with that new
domain user account.
A quick examination of Windows events shows one error:
Active Directory could not be initialized.
The directory service cannot recover from this error.
User Action
Restore the local directory service from backup media.
Additional Data
Error value:
-1032 JET_errFileAccessDenied, Cannot access file, the file is locked or
in use
Any help is appreciated.
Best regards,
Bo Zhu
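The step Lee describes (find the private key file that belongs to the ADAM server certificate, then grant the service account Read on that single file, because files under MachineKeys do not inherit the folder's ACL) can be scripted. The following is an added example written for this thread, not code from either poster or from Microsoft; it assumes PowerShell with the .NET certificate classes, a certificate in the LocalMachine\My store, and placeholder values for the thumbprint and the domain service account, which you would substitute:

```powershell
# Added example: grant an ADAM service account Read on the private key file
# of its SSL certificate. Thumbprint and account below are placeholders.
param(
    [string]$Thumbprint     = 'PLACEHOLDER_THUMBPRINT',
    [string]$ServiceAccount = 'PLACEHOLDERDOMAIN\adamsvc'
)

# Locate the server certificate in the machine store (the "my" store that
# 'certutil -store my' lists).
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "Certificate $Thumbprint not found in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }

# For a legacy CSP (RSA) key the container is a file under MachineKeys whose
# file name is the UniqueKeyContainerName; this is the "Key Container" value
# certutil shows. CNG keys live elsewhere and $cert.PrivateKey may be $null.
$keyInfo = $cert.PrivateKey.CspKeyContainerInfo
if (-not $keyInfo) { throw "No CSP key container found; key may be a CNG key" }
$keyName = $keyInfo.UniqueKeyContainerName

# CommonApplicationData resolves to 'Documents and Settings\All Users\Application Data'
# on Windows Server 2003 and to ProgramData on later versions.
$keyDir  = Join-Path ([Environment]::GetFolderPath('CommonApplicationData')) `
                     'Microsoft\Crypto\RSA\MachineKeys'
$keyFile = Join-Path $keyDir $keyName
if (-not (Test-Path $keyFile)) { throw "Key file $keyFile not found" }

# Show the ACL before changing it: note there is no inherited entry from MachineKeys.
Write-Host "Current ACL on $keyFile"
(Get-Acl $keyFile).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

# Add an explicit Read entry for the service account on this file only.
$acl  = Get-Acl $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

Write-Host "Granted Read on $keyName to $ServiceAccount"
```

Run it as a local administrator after the certificate has been placed in the store. Granting Read on the key file, rather than Full Control or a folder-wide grant, keeps the service account limited to what it needs; if the ACL listing already shows a Read entry for the account and SSL still fails, the certificate found by thumbprint is probably not the one ADAM is using (the thread's symptom of seeing only the root CA's container is the usual sign of that).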