Re: LDP client authentication fails



Thanks I will let him know.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:eKywdbOiHHA.680@xxxxxxxxxxxxxxxxxxxxxxx
Client cert authentication in AD/LDAP is supposedly supported, but it is
also undocumented black magic as far as I'm concerned. We don't have much
detail on this in our book. Supposedly ADAM also allows you to do client
cert authentication for Windows users, but I have no experience with that
either.

A few years ago, someone at MS got this piece of feedback and said they
were working on some docs to clarify how client cert auth works with LDAP
binds. However, I don't think this document has seen the light of day yet.
Very few people ask about it, so it isn't a hugely popular subject.

Thanks for the kind words on the book. Please tell your dev guy that if he
has any questions, he's welcome to follow up in one of the newsgroups or on
the book's website: www.directoryprogramming.net. I hope you get a chance
to play sometime as well. One of the nice things about our book is that
even though it doesn't address PowerShell directly, everything you learn
in there about .NET LDAP programming is applicable to PowerShell, so it
probably makes the best detailed tutorial out there on how to actually do
the LDAP stuff.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:%23ZZvMDOiHHA.5044@xxxxxxxxxxxxxxxxxxxxxxx
That surprises me, but is good to know.



Picked up Ryan's and your book the other day. I have a guy writing some
AD code to create users and he loves the details you two have provided.
Hopefully this will get him over the hump. He was having some problems
figuring some of this out. I wish I had the time to do it, but I don't
always get to play.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:OgzK%23jNiHHA.4228@xxxxxxxxxxxxxxxxxxxxxxx
Actually, AD does support client certificate authentication for binding
and this can be done with ldp. It isn't well documented though. As
long as the client certificate is available and SSL is being negotiated,
the client certificate can be used. In general, the client certificate
should be in the "my" store for the current user and must be a certificate
that is trusted by the server.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services
Programming"
http://www.directoryprogramming.net
--
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:%23hO8tlMiHHA.3512@xxxxxxxxxxxxxxxxxxxxxxx
Inline

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Romil Shah" <RomilShah@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:8272DF53-420B-4B42-939E-1141BAC93344@xxxxxxxxxxxxxxxx
Hi Paul,
You are right that we need to copy the Root CA to the Trusted Root Certificate
Authority store. I did this, but as per the main query I had, does the Active
Directory client ldp.exe support client authentication?

I am not positive, but I would say that ldp does not support client
authentication.


Any idea as to where to store the personal certificate of the ldp.exe
client? I don't find any option in the ldp.exe tool.
So now the question comes as to whether the ldp.exe AD client supports client
authentication. If not, then the server can never authenticate the client.

To store the client cert, just double-click on the cert and import it.
Or open up IE, select Tools, Internet Options, Content tab and click on
Certificates and import from there. This will add the workstation
cert for you, but I don't see this working with LDP, but I could be
wrong.




As the LDAP server is not receiving any certificate from the client side for
authentication, I think ldp.exe is not supporting client authentication.
But I'm not sure if I am right on this. Any idea?

You could use IPsec and have your machine authenticate to the server.



Thanks.
Romil Shah




"Paul Bergson [MVP-DS]" wrote:

When you say you have copied the personal certificate of the server
into the Trusted Root Certificates Authority, I am unclear as to what you
mean. What you should have done is copy the Root CA of the server
certificate into the client's Trusted Root Certificate Authority store.
Does the client also have a cert, and have you provided the server with
the client's Root CA and placed that in its store?

The two need to trust one another's certificates before communications
will occur.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Romil Shah" <Romil Shah@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E46868D3-9D30-48F0-90F3-DA9B716E0F2C@xxxxxxxxxxxxxxxx
Hello,

I am using LDP.exe as a client to communicate with an LDAP server.
The LDAP server is configured to use SSL with client/server
authentication.

I have copied the personal certificate of the server into the Trusted
Root Certificate Authorities.

I found that ldp.exe fails to connect to the server. SSL handshaking
fails.

The queries that I have are as follows:
1) Does LDP.exe authenticate to the server (is client authentication
supported)?
I am using Windows 2003 with SP1 installed.
I found that in Windows 2000 SP4 a bug along similar lines was fixed
(811288).
Is this bug fixed in Windows 2003 with SP1 installed?

2) If client authentication is supported, then which personal
certificate does ldp.exe send to the server for authentication, and
where is the personal certificate stored on Windows?

Looking forward to your suggestions.

Thanks,
Romil Shah
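The replies above turn on three things: the client certificate (with its private key) sitting in the current user's "my" store, that certificate chaining to a root the server trusts, and SSL being negotiated on the connection so that Schannel can offer it. As an added example that is not part of this thread, the PowerShell script below checks those prerequisites on the client and then attempts the bind through System.DirectoryServices.Protocols, the .NET LDAP API Joe's book covers. The DC name, port 636 and the SASL EXTERNAL bind type are assumptions (the thread does not say which bind type the DC expects); the LDAP "Who Am I?" extended operation (RFC 4532) is used only to report which account the server mapped the certificate to.

```powershell
# Added example (not from the thread). Checks the prerequisites for a
# certificate-authenticated LDAPS bind from a Windows client, then attempts it.
# ASSUMPTIONS: the DC name, port 636 and the EXTERNAL bind type below.
param(
    [string]$Server = 'dc01.example.com',  # assumed domain controller name
    [int]$Port      = 636                  # assumed LDAPS port
)

Add-Type -AssemblyName System.DirectoryServices.Protocols
$clientAuthEku = '1.3.6.1.5.5.7.3.2'   # id-kp-clientAuth

function Test-ClientAuthCert {
    # A certificate Schannel can offer for client authentication: it must carry a
    # private key (import the .pfx, not just the .cer) and either no EKU extension
    # at all or one that includes Client Authentication.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    if (-not $Cert.HasPrivateKey) { return $false }
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return $true }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $clientAuthEku })
}

function Get-ChainRoot {
    # Build the chain as this machine sees it and report the root it ends in.
    # That same root must also be in the DC's Trusted Root store, which cannot
    # be checked from here; the output tells you which root to look for.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; keep revocation on in production
    $built = $chain.Build($Cert)
    $last  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    [pscustomobject]@{
        Valid  = $built
        Root   = $last.Subject
        Thumb  = $last.Thumbprint
        Status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

function Connect-LdapsWithCert {
    param(
        [string]$Server, [int]$Port,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true   # TLS on connect; the client cert is only offered inside the SSL handshake
    # No VerifyServerCertificate override: Schannel's default validation of the
    # DC certificate (trusted root, name match) stays in force.
    [void]$conn.ClientCertificates.Add($Cert)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::External   # ASSUMPTION: SASL EXTERNAL bind
    $conn.Bind()

    # LDAP "Who Am I?" (RFC 4532, OID 1.3.6.1.4.1.4203.1.11.3) returns the identity
    # the server associated with the bind, e.g. "u:DOMAIN\user".
    $req  = New-Object System.DirectoryServices.Protocols.ExtendedRequest('1.3.6.1.4.1.4203.1.11.3')
    $resp = $conn.SendRequest($req)
    $who  = [System.Text.Encoding]::ASCII.GetString($resp.ResponseValue)
    $conn.Dispose()
    return $who
}

$candidates = @(Get-ChildItem Cert:\CurrentUser\My | Where-Object { Test-ClientAuthCert $_ })
if ($candidates.Count -eq 0) {
    throw 'No usable client certificate in Cert:\CurrentUser\My (need a private key and the Client Authentication EKU).'
}
foreach ($cert in $candidates) {
    $chainInfo = Get-ChainRoot $cert
    Write-Host ("Candidate {0} -> root '{1}' [{2}] chain valid: {3} {4}" -f `
        $cert.Subject, $chainInfo.Root, $chainInfo.Thumb, $chainInfo.Valid, $chainInfo.Status)
    if (-not $chainInfo.Valid) { continue }
    try {
        $who = Connect-LdapsWithCert -Server $Server -Port $Port -Cert $cert
        Write-Host "Bound as: $who"
        break
    } catch {
        # LdapException.ServerErrorMessage carries the DC's own text when the
        # TLS handshake succeeded but the bind or certificate mapping failed.
        $detail = $_.Exception.Message
        if ($_.Exception.PSObject.Properties['ServerErrorMessage']) { $detail += ' ' + $_.Exception.ServerErrorMessage }
        Write-Warning ("Bind failed for {0}: {1}" -f $cert.Thumbprint, $detail)
    }
}
```

If the script reports no candidate, the usual cause is that only the .cer was imported and the private key never reached the user's store, so there is nothing for Schannel to offer and the server sees no client certificate, which matches the symptom in the original question. If the chain builds but the bind fails with a server error message, the certificate reached the DC and the problem is on the server side (an untrusted issuing root or no mapping from the certificate to an account). ldp.exe draws from the same Cert:\CurrentUser\My store when you connect on 636 with the SSL box checked, so it is worth getting this script to bind before troubleshooting ldp itself.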