Re: ADAM using SSL Problem



Thanks Lee! This was a development server, and the UAT and PROD servers that host ADAM will not be DCs, so I simply moved ADAM to another development server, set it up in the same exact fashion, and after installing the certificates I saw the file in the MachineKeys directory and it tested out perfectly via SSL in LDP.

"Lee Flight" wrote:

Hi

It might help to have Schannel logging pushed up to 7:

http://support.microsoft.com/kb/260729

However, that requires a reboot, and I note that you say this is a DC... I'm fairly sure it's the lack of the private key that is causing the problem here.

Is this in production? Adding extra services to a DC is not really best practice (outside of SBS)... Also, for ADAM on a DC the service account needs to be a standard domain account, not Network Service.

Also, what is your CA here? From the URL it looks like a Windows CA; is it an Enterprise CA or a Standalone CA?

Lee Flight

"Rod Clingaman" <RodClingaman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7C1E731E-E610-4978-937D-15A9F7575616@xxxxxxxxxxxxxxxx
Thanks Lee. I apologize for the mistake, but I meant to state:
After I exported the cert to Desktop/mycert.prx,
next I imported it into the Certificates - Service (ADAM1) \ Personal \ Certificates store.

No luck :(

"Lee Flight" wrote:

Hi

The cert requested for the service needs to be in the ADAM service Personal store, not the ADAM service Trusted Root store, which may explain why you are not seeing a private key.

Lee Flight


"Rod Clingaman" <Rod Clingaman@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
message
news:536CEE03-6F59-4B29-B8C2-9307C93BC37B@xxxxxxxxxxxxxxxx
On the ADAM server (Windows 2003), I add a snap-in and show the Certificates for the current user, and for the ADAM service account.

Next I browse to http://somehost/certsrv/
Clicked on "Download a CA certificate, certificate chain, or CRL"
Clicked on "install this CA certificate chain."
I then saw the certificate in the snap-in at: Certificates - Current User \ Trusted Root Certification Authorities \ Certificates.
I copied that certificate and pasted it in the Certificates - Service (ADAM1) \ Trusted Root Certification Authorities \ Certificates.

Next I browse to http://somehost/certsrv/
Clicked on "Request a certificate" then "advanced certificate request", then "Create and submit a request to this CA". I make the following modifications to the default values:

Name: the FQDN of the ADAM server
Friendly Name: the FQDN of the ADAM server
Type of certificate: Server Authentication Certificate
Create new key set
CSP: Microsoft RSA SChannel Cryptographic provider
Mark keys as exportable
Request format: PKCS10

Then I submit the request and install the certificate.

I then saw the certificate in the snap-in at: Certificates - Current User \ Personal \ Certificates.
Then I right-click the certificate and All Tasks - Export.
Yes, export the private key, don't enter a password.
Store it on the Desktop/mycert.prx
Next I import into the Certificates - Service (ADAM1) \ Trusted Root Certification Authorities \ Certificates.

Then I restart the ADAM service and launch LDP (on the ADAM server) and use the FQDN, the SSL port, and check the SSL box. I get the following error:

ld = ldap_sslinit("FICTIONWDA001.FIC.DEV", 50053, 1)
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3)
Error 81 = ldap_connect(hLdap, NULL)
Server error: empty
Error 0x51: Fail to connect to FICTIONWDA001.FIC.DEV.

I noticed that the RSA\MachineKeys directory that gets mentioned in a lot of articles never gets a new file when I install the certificates. There are 6 old files in there with long hash names.

The server also acts as a domain controller.

Any advice is greatly appreciated!
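The two things the thread turns on are whether the certificate Schannel will pick up actually has a private key and the Server Authentication EKU, and what the LDAPS listener really presents once the service is restarted. The following PowerShell script is an added example for checking both; it is not code from the thread or from the posters. It uses the FQDN and port that appear in the LDP output above (fictional values) and assumes the ADAM instance's service name is ADAM_ADAM1, which is a placeholder to adjust; per-service certificate stores (the "Certificates - Service (ADAM1)" node in the MMC) are not exposed through the Cert: drive, so the script inspects LocalMachine\My and points at certutil for the service store.

```powershell
# Added example, not from the thread: verify the LDAPS server certificate on the
# ADAM host and then inspect what the SSL listener presents.
param(
    [string]$Fqdn        = 'FICTIONWDA001.FIC.DEV',  # from the LDP output in the thread (fictional)
    [int]   $SslPort     = 50053,                     # from the LDP output in the thread
    [string]$ServiceName = 'ADAM_ADAM1'               # assumed service name for instance ADAM1
)

# Returns a list of problems that would stop Schannel from using the certificate
# for LDAPS on $ExpectedName. An empty list means the certificate looks usable.
function Test-ServerAuthCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedName
    )
    $problems = @()
    # Without an accessible private key Schannel silently refuses to serve the cert;
    # LDP then just reports "Fail to connect" with no further detail.
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key associated with the certificate' }
    # The DNS name (SAN or subject CN) must match the name clients connect to.
    $dnsName = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    if ($dnsName -ne $ExpectedName) { $problems += "name '$dnsName' does not match $ExpectedName" }
    # Server Authentication EKU is OID 1.3.6.1.5.5.7.3.1.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku -and -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $problems += 'missing Server Authentication EKU'
    }
    if ($Cert.NotAfter -lt (Get-Date)) { $problems += 'certificate has expired' }
    return $problems
}

# Performs a TLS handshake against the LDAPS port and returns the certificate the
# listener presented. Validation is deliberately accepted here because the point is
# to see what is served; trust is evaluated separately below.
function Get-LdapsServerCertificate {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

# 1. Check every machine-store certificate issued to the FQDN.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false) -eq $Fqdn
}
if (-not $candidates) { "No certificate for $Fqdn in LocalMachine\My" }
foreach ($c in $candidates) {
    $p = @(Test-ServerAuthCertificate -Cert $c -ExpectedName $Fqdn)
    if ($p.Count -eq 0) { "OK  $($c.Thumbprint) $($c.Subject)" }
    else                { "BAD $($c.Thumbprint): $($p -join '; ')" }
}
# The per-service store is listed with certutil (assumed service name):
#   certutil -service -store "$ServiceName\My"

# 2. Ask the listener what it actually serves and whether this machine trusts it.
try {
    $served = Get-LdapsServerCertificate -HostName $Fqdn -Port $SslPort
    "Listener presented: $($served.Subject) thumbprint $($served.Thumbprint)"
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if ($chain.Build($served)) { 'Chain: trusted by this machine' }
    else { 'Chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ') }
} catch {
    "TLS handshake to ${Fqdn}:$SslPort failed: $($_.Exception.Message)"
}
```

Run it on the ADAM host itself; if the first section reports "no private key" the certificate was imported without its key (for example from a CA-issued .cer rather than the exported PFX), and if the handshake fails while a usable certificate exists, the listener is not picking that certificate up, which is the store-placement problem Lee describes.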
