Re: ADAM with SSL



I just tried a repro using selfssl.exe, I ran it on a W2K3 IIS server, setting the canonical name to be the FQDN of my target WinXP box (and /v:365), exported the cert + private key and imported into the WinXP Computer store (rather than ADAM Instance store to try and hit your problem) and set permissions on the key file.

LDAP/SSL connect failed with "No suitable default server credential exists on this system....", I then added a copy of the cert to Trusted Root Certification Authorities for Computer account (copy/paste in certificates MMC). When I restarted the ADAM service the LDAP/SSL connect worked; so I don't have a problem but that does not help you :(.

Do you have any other keys in the MachineKeys folder that might be throwing this out?

Lee Flight
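The conditions the thread converges on (service account read access to the key file under MachineKeys, a Server Authentication EKU, and a trusted chain) can be checked in one pass. This is an added example, not a script posted by anyone in the thread; it assumes PowerShell 3 or later run elevated, a certificate in the LocalMachine\My store with a CAPI RSA key, and Network Service as the ADAM instance account unless another is given.

```powershell
# Added diagnostic for the LDAPS checklist discussed in the thread (not from the thread).
# Assumes PS 3+, elevated, cert in LocalMachine\My, CAPI RSA key under MachineKeys;
# CNG-backed keys are reported with KeyFile = $null since they live elsewhere.
param(
    [Parameter(Mandatory = $true)][string]$ServerFqdn,
    [string]$ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'   # ADAM instance account
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Enhanced Key Usage: Server Authentication
$keyDir  = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$readBit = [System.Security.AccessControl.FileSystemRights]::Read

$certs = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.Subject -like "*CN=$ServerFqdn*" -or $_.DnsNameList.Unicode -contains $ServerFqdn
}
if (-not $certs) { Write-Warning "No certificate for $ServerFqdn in LocalMachine\My"; return }

foreach ($cert in $certs) {
    # 1) EKU must include Server Authentication (no EKU extension at all = unrestricted)
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $serverAuth = (-not $eku) -or ($eku.EnhancedKeyUsages.Value -contains $serverAuthOid)

    # 2) A private key must be present and its key file readable by the service account
    $keyFile = $null; $acctCanRead = $false; $prov = $null
    try { $prov = $cert.PrivateKey } catch { }       # older frameworks throw for CNG keys
    if ($cert.HasPrivateKey -and $prov) {
        $keyFile = Join-Path $keyDir $prov.CspKeyContainerInfo.UniqueKeyContainerName
        if (Test-Path $keyFile) {
            $acctCanRead = [bool] ((Get-Acl $keyFile).Access | Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -eq $ServiceAccount -and
                (($_.FileSystemRights -band $readBit) -eq $readBit)
            })
        }
    }

    # 3) The chain must build on this machine (a self-signed cert needs a copy in Trusted Root)
    $trusted = $cert.Verify()

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        NotAfter       = $cert.NotAfter
        ServerAuthEku  = $serverAuth
        KeyFile        = $keyFile
        AcctCanReadKey = $acctCanRead
        ChainTrusted   = $trusted
        LikelyToWork   = ($serverAuth -and $acctCanRead -and $trusted)
    }
}
```

A row with AcctCanReadKey false matches the 8009030e / "No suitable default server credential" symptom described below; ChainTrusted false matches Lee's case before the cert was copied into Trusted Root.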

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:efxS0PoXHHA.3824@xxxxxxxxxxxxxxxxxxxxxxx
Yeah, I've got all that working too. I used selfssl.exe from the IIS 6
Resource kit to generate the self-signed cert I'm using. I've got the
cert in the local machine trusted root store as well as the personal
store. There is no trust issue.

The cert works perfectly with IIS as well, so I know it *can* work. I
also used this same procedure on a previous XP install with ADAM and IIS
and it worked fine too, so something subtle has happened to me here that I
can't seem to figure out. I'm not sure how to get additional debug output
from schannel/cryptoAPI to get more details. I already have the schannel
log level up all the way and don't see anything particularly useful, just
the error I've already posted.

Thanks for the suggestions though.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Dmitri Gavrilov [MSFT]" <dmitrig@xxxxxxxxxxxxxxxxxxxx> wrote in message
news:eHh62TiXHHA.4308@xxxxxxxxxxxxxxxxxxxxxxx
Couple more additional details (in addition to Lee's checklist):
1) The certificate's "intended use" field must include "server
authentication"
2) the client connecting to ADAM must trust the certificate

--
Dmitri Gavrilov
SDE, Active Directory team

This posting is provided "AS IS" with no warranties, and confers no
rights.
Use of included script samples is subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:u$iP8jPXHHA.4964@xxxxxxxxxxxxxxxxxxxxxxx
Something else is wrong for me. I've got the permissions right on the
private key file and Schannel debugging enabled. Schannel gives me this
warning:

(38672)
No suitable default server credential exists on this system. This will
prevent server applications that expect to make use of the system
default credentials from accepting SSL connections. An example of such
an application is the directory server. Applications that manage their
own credentials, such as the internet information server, are not
affected by this.

ADAM tells me this:
(1220)

LDAP over Secure Sockets Layer (SSL) will be unavailable at this time
because the server was unable to obtain a certificate.

Additional Data
Error value:
8009030e No credentials are available in the security package

IIS has no problems at all with the cert. I can't figure out what
8009030e is really telling me here.

I've got the cert installed in the local machine store as I want to use
it with IIS as well and when I initially tried to put it in the ADAM
service account store (network service in my case), ADAM didn't seem to
be finding it at all.

I had this working fine on my last XP install and didn't do anything
remarkably different. Grrr!

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Lee Flight" <lef@xxxxxxxxxxxxxxx> wrote in message
news:OeOEUWPXHHA.1636@xxxxxxxxxxxxxxxxxxxxxxx
Hi

If the notes

http://groups.google.co.uk/group/microsoft.public.windows.server.active_directory/msg/6a89876d200518cf?hl=en

do not help: do you get any more detail from Schannel debugging? That should point out lack of private key access issues, if that's the problem. I usually set access on the key file, run up an MMC with the certificates snap-in for both local computer and ADAM service account and cut the cert from local computer and paste into ADAM service account store, then restart the ADAM instance.

Lee Flight

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:%23HtDN5OXHHA.896@xxxxxxxxxxxxxxxxxxxxxxx
I have this exact problem on my local ADAM instance on my XP
workstation right now and I can't seem to fix it. This is very
frustrating for me as I've recently configured SSL on a few other ADAM
servers with absolutely no problems at all. Compounding the issue is
that I'm not exactly sure what that error from the crypto API is
actually trying to tell me. :)

For you, I'd start by making sure that your ADAM service account
(possibly Network Service, but who knows how you actually set it up)
has read access to the private key file. Using WinHTTPCertCfg.exe
(free download from MS) is the generally preferred way of doing this.

If that doesn't work, I don't know what to tell you. :( Please tell
me if you find out.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"MichaelB" <MichaelB@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:AF17700A-36FC-4DF7-883C-6FF7B38BB219@xxxxxxxxxxxxxxxx
Hi all,

I just setup an ADAM on a standalone server. Everything works fine and I can use it to the full extent. Now, as for using SSL, it does not want to work at all. I got a certificate from my CA and assigned it to the server and the service. I keep on getting the error:

LDAP over Secure Sockets Layer (SSL) will be unavailable at this time
because the server was unable to obtain a certificate.

Additional Data
Error value:
8009030e No credentials are available in the security package


Anyone have a clue on what I can do or what the problem is?

Thank you,

Mike