Re: ADAM SP1 on Win2K3 SP1



Hi

is that the message from the Schannel provider or from the
ADAM Instance event log? It's the Schannel message that's
of most interest, and if that is it, then the certificate is not being
found.

If you have matched all the requirements (FQDN of the cert
matches the ADAM server name, cert appropriate to server auth, etc.)
as in the notes I linked to, then you could try moving the cert into
the cert store of the ADAM Instance service from its current location
(probably the Computer cert store in your case?).

Lee Flight


"Bo Zhu" <ffkiller@xxxxxxxxxxxxxxxxx> wrote in message
news:OpUyowazGHA.744@xxxxxxxxxxxxxxxxxxxxxxx
The log message I got from Windows Event Log is:

LDAP over Secure Sockets Layer (SSL) will be unavailable at this time
because the server was unable to obtain a certificate.

Additional Data
Error value:
8009030e No credentials are available in the security package

I did a search on Google and didn't find anything particularly useful.

-zhubo

Lee Flight wrote:
Hi

did you restart the ADAM service after you added the read permission
for the key?
If it still fails after a restart then try bumping the debugging level of
the Schannel provider

http://support.microsoft.com/?id=260729

set it to 0x7 and then (1) restart the ADAM instance service and
(2) attempt the SSL connection and see what Schannel logs in the
system event log.

On the general question, adding the permissions to the key, then
changing the account with dsdbutil and restarting the service
should be OK.

Lee Flight


"Bo Zhu" <ffkiller@xxxxxxxxxxxxxxxxx> wrote in message
news:eZwDwRPzGHA.3568@xxxxxxxxxxxxxxxxxxxxxxx

The problem remains after I granted Read permission of every file in
MachineKeys folder to the domain user. ldp.exe still fails with the same
error code 0x51 Server Down, which doesn't make any sense.

Now I have a general question. Assuming SSL on ADAM is working fine and I
want to use another domain user account as the ADAM service account. Do I
only need to grant that account READ permission to machine keys and use
dsdbutil to change the ADAM service account? Or do I have to go through the
entire process starting from requesting the certificate all over again to use
the new domain user account as the ADAM service account?

Previously what I did was that I went through the entire SSL setup
process while logged on as a domain admin, and subsequently picked a
normal domain user account to run ADAM.

Lee Flight wrote:

Hi

as you noted, if running ADAM on a DC you should be
using a standard domain account, not Network Service.

There are some notes on ADAM SSL configuration here:

http://groups.google.co.uk/group/microsoft.public.windows.server.active_directory/msg/6a89876d200518cf?hl=en

In particular note that you must set appropriate permissions on
*individual*
keys in Users\ApplicationData\Microsoft\Crypto\RSA\MachineKeys as
the keys in that folder do not inherit permissions.

Lee Flight

"Bo Zhu" <ffkiller@xxxxxxxxxxxxxxxxx> wrote in message
news:edYZ7XnyGHA.4104@xxxxxxxxxxxxxxxxxxxxxxx


Okay, the second mystery is solved. I didn't use dsdbutil to change
ADAM service account, that's why I'm getting some JET DB related error.

The first problem remains there.

Bo Zhu wrote:


Hi,

I have two questions related to ADAM running on a domain controller.

1. SSL connection with non-administrative account
I followed a pretty detailed step-by-step guide
(http://www.oftedal.no/~erlend/?blogid=7) on how to set up an SSL
certificate with ADAM, like generating a server authentication
certificate, placing the certificate in the service account certificate
store, granting read access to private key files, etc. But after all
configuration steps were done, I was only able to connect to my ADAM
instance through SSL if ADAM is run by an Administrative account. If I
run the ADAM service with "NT Authority\Network Service", which is the
default account selected during ADAM instance creation, ldp.exe always
fails to connect with the following error message:

ld = ldap_sslinit("ffkillervm2k3.zb.encentuate.com", 50001, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to ffkillervm2k3.zb.encentuate.com.

I found something in one ADAM FAQ from Microsoft that says I can use
"certutil -store my" command to see the file name of the private key
whose Read permission should be granted to the service account used to
run ADAM service. But all I got for the "Key Container" attribute
after running this command is the name of root CA certificate I
generated earlier. I even granted Read permission of "C:\Documents and
Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys"
folder and all sub-folders to "NT Authority\Network Service" account
and still SSL connection fails.


2. Running ADAM service with a domain user account
ADAM Help states I should not run the ADAM service with the "NT
AUTHORITY\NETWORK SERVICE" account if the instance is running on a
domain controller. So I created a new domain user in my test AD and
used that account to run ADAM. I have also enabled "Log on as a
service" and "Generate security audits" for the new domain user
account in Default Domain Controllers Policy. Unfortunately I'm not
able to start the ADAM service with that new domain user account.

A quick examination of Windows events shows one error:

Active Directory could not be initialized.

The directory service cannot recover from this error.

User Action
Restore the local directory service from backup media.

Additional Data
Error value:
-1032 JET_errFileAccessDenied, Cannot access file, the file is locked
or in use


Any help is appreciated.

Best regards,

Bo Zhu
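The thread above boils down to one procedure: find the server-authentication certificate whose CN matches the name clients connect to, grant the ADAM service account Read on that certificate's individual key file under MachineKeys (the folder ACL is not inherited, which is why granting Read on the folder did nothing), turn up Schannel event logging, restart the ADAM instance service and retry the LDAPS connection. The following PowerShell script is an added example that automates those steps; it is not from the thread or from Microsoft. The FQDN adam01.contoso.com, port 50001, the service name ADAM_Instance1 and the account CONTOSO\adamsvc are assumed placeholders, and it assumes the certificate lives in the Computer (LocalMachine\My) store with a legacy CSP private key, as a Windows 2003-era certificate would.

```powershell
# Added example, not code from the thread. Run as a local administrator.
# Assumed placeholders: FQDN, LDAPS port, ADAM service name, service account.
param(
    [string]$Fqdn        = 'adam01.contoso.com',   # assumed
    [int]   $Port        = 50001,                  # assumed
    [string]$ServiceName = 'ADAM_Instance1',       # assumed: ADAM services are named ADAM_<instance>
    [string]$ServiceAcct = 'CONTOSO\adamsvc'       # assumed
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

# 1. Locate a cert in LocalMachine\My that has a private key, carries the
#    Server Authentication EKU and whose subject CN equals the FQDN clients use.
function Find-ServerCert {
    param([string]$Fqdn)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $c   = $_
        $eku = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $hasServerAuth = $false
        if ($eku) {
            $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
        }
        $c.HasPrivateKey -and $hasServerAuth -and
            ($c.Subject -match "CN=$([regex]::Escape($Fqdn))(,|$)")
    }
}

# 2. Resolve the key container to its file under MachineKeys. Key files do not
#    inherit the folder ACL, so Read has to be granted on this one file.
#    Assumes a CSP (non-CNG) key, so PrivateKey is an RSACryptoServiceProvider.
function Get-KeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $name = $Cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    $base = [Environment]::GetFolderPath('CommonApplicationData')   # works on 2003 and later
    Join-Path (Join-Path $base 'Microsoft\Crypto\RSA\MachineKeys') $name
}

# 3. Grant the service account Read on the key file only (least privilege).
function Grant-KeyRead {
    param([string]$Path, [string]$Account)
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# 4. Schannel EventLogging = 7 (errors + warnings + informational), per KB 260729.
function Enable-SchannelLogging {
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
    Set-ItemProperty -Path $key -Name EventLogging -Value 7 -Type DWord
}

# 5. Reproduce the ldp.exe test: LDAPv3 over SSL on the ADAM port. The TLS
#    handshake happens in Bind(); a failure surfaces as LdapException, which
#    is what ldp reports as 0x51 "Server Down" even though the service is up.
function Test-Ldaps {
    param([string]$Fqdn, [int]$Port)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Fqdn, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous
    try     { $conn.Bind(); $true }
    catch   { Write-Warning $_.Exception.Message; $false }
    finally { $conn.Dispose() }
}

$cert = Find-ServerCert -Fqdn $Fqdn | Select-Object -First 1
if (-not $cert) { throw "No server-auth certificate with CN=$Fqdn and a private key in LocalMachine\My" }

$keyFile = Get-KeyFile -Cert $cert
"Certificate : $($cert.Thumbprint)"
"Key file    : $keyFile"

Grant-KeyRead -Path $keyFile -Account $ServiceAcct
Enable-SchannelLogging
Restart-Service -Name $ServiceName
Start-Sleep -Seconds 5

if (Test-Ldaps -Fqdn $Fqdn -Port $Port) {
    'LDAPS bind OK'
} else {
    'LDAPS failed: check the System log for Schannel events and the ADAM Instance log for 8009030e'
}
```

The key-file lookup replaces the `certutil -store my` step from the thread, which showed the wrong container because it was listing the root CA certificate rather than the server certificate. Changing the account the service runs as is deliberately left out: as the thread says, that must be done with dsdbutil so the instance's database file ACLs are updated too, otherwise the service fails with JET_errFileAccessDenied. If the bind still fails after the key permission is in place, Lee Flight's last reply applies: the certificate may need to be in the ADAM instance service's own store rather than the Computer store.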







