Re: ADAM with SSL



Couple more additional details (in addition to Lee's checklist):
1) The certificate's "intended use" field must include "server
authentication"
2) the client connecting to ADAM must trust the certificate

--
Dmitri Gavrilov
SDE, Active Directory team

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm
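As an added example (not from this thread or from Microsoft), the PowerShell function below checks a certificate in the local machine store against the three points raised in the thread: the "Server Authentication" intended use (item 1 above), a chain that builds to a trusted root (item 2, which the connecting client must also satisfy), and a private key that the ADAM service account can read, which is the condition Lee and Joe point at for the 8009030e / "no suitable default server credential" symptoms. It assumes the certificate lives in LocalMachine\My, that the service account is NETWORK SERVICE unless told otherwise, and that the key is a CAPI (CSP) key stored under the machine Crypto directory; the function name and parameters are my own.

```powershell
# Added example, not code from the thread. Assumptions: certificate in
# LocalMachine\My, ADAM runs as NETWORK SERVICE unless overridden, and the
# private key is a CSP key file under the machine Crypto directory.
function Test-AdamSslCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [string] $ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'
    )

    $cert   = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    $result = [ordered]@{ Subject = $cert.Subject }

    # 1) The intended-use (EKU) extension must include Server Authentication,
    #    OID 1.3.6.1.5.5.7.3.1. A certificate issued only for client
    #    authentication or e-mail will not be picked up as a server credential.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $result.ServerAuthEku = [bool]($eku.EnhancedKeyUsages |
        Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

    # 2) The chain must build to a root this machine trusts. Verify() uses the
    #    local trust store; the LDAP client has to pass the same test with its
    #    own store, otherwise it will reject the SSL handshake.
    $result.ChainTrusted = $cert.Verify()

    # 3) A private key must exist and the service account must be able to read
    #    the key file. Without that, Schannel finds no usable server credential
    #    and ADAM logs 8009030e (no credentials available in the package).
    $result.HasPrivateKey        = $cert.HasPrivateKey
    $result.KeyReadableByService = $false
    if ($cert.HasPrivateKey -and $cert.PrivateKey) {
        # Machine key files live under ProgramData (Vista+) or, on XP/2003,
        # under ALLUSERSPROFILE\Application Data. Search both layouts.
        $cryptoRoot = if ($env:ProgramData) {
            Join-Path $env:ProgramData 'Microsoft\Crypto'
        } else {
            Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto'
        }
        $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        $keyFile = Get-ChildItem -Path $cryptoRoot -Recurse -Filter $keyName `
                       -ErrorAction SilentlyContinue | Select-Object -First 1
        if ($keyFile) {
            $result.KeyFile = $keyFile.FullName
            $acl = Get-Acl -Path $keyFile.FullName
            # Only a direct Allow ACE for the account is recognised here;
            # rights inherited through group membership are not resolved.
            $result.KeyReadableByService = [bool]($acl.Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -eq $ServiceAccount -and
                ($_.FileSystemRights.ToString() -match 'Read|FullControl')
            })
        }
    }

    [pscustomobject]$result
}

# Usage (thumbprint is a placeholder; use the one shown for your certificate):
Test-AdamSslCertificate -Thumbprint '<THUMBPRINT-OF-ADAM-CERT>'
```

Run it in an elevated shell on the ADAM host; any field that comes back `False` is the point to fix before restarting the ADAM instance. For a failed `KeyReadableByService`, the granting step itself is the WinHttpCertCfg.exe approach Joe describes, or a direct ACL edit on the reported `KeyFile`.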

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:u$iP8jPXHHA.4964@xxxxxxxxxxxxxxxxxxxxxxx
Something else is wrong for me. I've got the permissions right on the
private key file and Schannel debugging enabled. Schannel gives me this
warning:

(38672)
No suitable default server credential exists on this system. This will
prevent server applications that expect to make use of the system default
credentials from accepting SSL connections. An example of such an
application is the directory server. Applications that manage their own
credentials, such as the internet information server, are not affected by
this.

ADAM tells me this:
(1220)

LDAP over Secure Sockets Layer (SSL) will be unavailable at this time
because the server was unable to obtain a certificate.

Additional Data
Error value:
8009030e No credentials are available in the security package

IIS has no problems at all with the cert. I can't figure out what
8009030e is really telling me here.

I've got the cert installed in the local machine store as I want to use it
with IIS as well and when I initially tried to put it in the ADAM service
account store (network service in my case), ADAM didn't seem to be finding
it at all.

I had this working fine on my last XP install and didn't do anything
remarkably different. Grrr!

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Lee Flight" <lef@xxxxxxxxxxxxxxx> wrote in message
news:OeOEUWPXHHA.1636@xxxxxxxxxxxxxxxxxxxxxxx
Hi

if the notes

http://groups.google.co.uk/group/microsoft.public.windows.server.active_directory/msg/6a89876d200518cf?hl=en

do not help.

Do you get any more detail from Schannel debugging, that should point out
lack of private key access issues if that's the problem. I usually set
access on the key file, run up an MMC with the certificates snap-in for
both local computer and ADAM service account and cut the cert from local
computer and paste into ADAM service account store then restart the ADAM
instance.

Lee Flight

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23HtDN5OXHHA.896@xxxxxxxxxxxxxxxxxxxxxxx
I have this exact problem on my local ADAM instance on my XP workstation
right now and I can't seem to fix it. This is very frustrating for me as
I've recently configured SSL on a few other ADAM servers with absolutely
no problems at all. Compounding the issue is that I'm not exactly sure
what that error from the crypto API is actually trying to tell me. :)

For you, I'd start by making sure that your ADAM service account
(possibly Network Service, but who knows how you actually set it up) has
read access to the private key file. Using WinHTTPCertCfg.exe (free
download from MS) is the generally preferred way of doing this.

If that doesn't work, I don't know what to tell you. :( Please tell me
if you find out.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"MichaelB" <MichaelB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AF17700A-36FC-4DF7-883C-6FF7B38BB219@xxxxxxxxxxxxxxxx
Hi all,

I just setup an ADAM on a standalone server. Everything works fine and I can
use it to the full extent. Now, as for using SSL, it does not want to work at
all. I got a certificate from my CA and assigned it to the server and the
service. I keep on getting the error:

LDAP over Secure Sockets Layer (SSL) will be unavailable at this time
because the server was unable to obtain a certificate.

Additional Data
Error value:
8009030e No credentials are available in the security package


Anyone have a clue on what I can do or what the problem is?

Thank you,

Mike







