Re: Enable LDAP over SSL



Ok, so you don't have a valid certificate installed.

A few things:

The cert must be in the personal container of the local machine store
The subject name on the cert must match the DNS name of the DC
The cert must have the server authentication EKU
The cert must have a private key (the certificate property pages will tell you if it does)
The cert must say that it is valid (the full chain must be valid and the dates must be valid)

If any of those are not true, then you either didn't get a proper
certificate from the CA you used or you did not install something properly.

You can check this by opening up the certificates mmc snap-in and checking.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
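The checks listed above, as an added PowerShell example that is not part of the thread: it walks the local machine's Personal store and reports, per certificate, whether the name, EKU, private key, dates and chain conditions hold, then pulls the two event IDs quoted later in the thread. It assumes the DC's FQDN is what DNS resolves for the local host name; override $expectedName if not.

```powershell
# Added example (not from the thread). Run on the DC in an elevated
# Windows PowerShell session. Assumption: the DC's FQDN is the name DNS
# returns for this host; override $expectedName if that is not true.
$expectedName  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now = Get-Date

$results = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Name check: the subject CN or a SAN dNSName must equal the DC's FQDN.
    $dnsName = $cert.GetNameInfo('DnsName', $false)
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
    $nameOk  = ($dnsName -eq $expectedName) -or
               ($sanText -match [regex]::Escape($expectedName))

    # EKU check: the Enhanced Key Usage extension must contain Server Authentication.
    $ekuExt = $cert.Extensions |
              Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOk  = [bool]($ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }))

    # Validity dates and full chain (Build returns $false when an issuing CA
    # cert is missing from the machine stores or is untrusted).
    $datesOk = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NameMatches   = $nameOk
        ServerAuthEKU = $ekuOk
        HasPrivateKey = $cert.HasPrivateKey
        DatesValid    = $datesOk
        ChainValid    = $chainOk
        ChainStatus   = $status
        LdapsUsable   = ($nameOk -and $ekuOk -and $cert.HasPrivateKey -and $datesOk -and $chainOk)
    }
}
$results | Format-Table -AutoSize

# Schannel 36872 (no default server credential) and NTDS LDAP 1220 (no cert
# for LDAPS) are the events a failing DC logs, as quoted in this thread.
Get-EventLog -LogName System -Source Schannel -Newest 5 |
    Select-Object TimeGenerated, EventID, Message
Get-EventLog -LogName 'Directory Service' -Newest 5 |
    Where-Object { $_.EventID -eq 1220 } | Select-Object TimeGenerated, EventID, Message
```

A certificate with LdapsUsable set to True but a non-empty ChainStatus still deserves a look, since a partial chain on the DC means the client may not receive the intermediate during negotiation.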
"DavidL" <DavidL@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:4DC6D7E8-A58B-457F-9E03-8346AE209AE5@xxxxxxxxxxxxxxxx
OK.... that gives me more to chew on.
I see this in the system log.
Event Type: Warning
Event Source: Schannel
Event Category: None
Event ID: 36872
Date: 8/20/2007
Time: 3:46:18 PM
User: N/A
Computer:
Description:
No suitable default server credential exists on this system. This will
prevent server applications that expect to make use of the system default
credentials from accepting SSL connections. An example of such an application
is the directory server. Applications that manage their own credentials, such
as the internet information server, are not affected by this.

and this in the directory service log

Event Type: Information
Event Source: NTDS LDAP
Event Category: LDAP Interface
Event ID: 1220
Date: 8/16/2007
Time: 3:51:10 PM
User: N/A
Computer:
Description:
LDAP over Secure Sockets Layer (SSL) will be unavailable at this time
because the server was unable to obtain a certificate.

"Joe Kaplan" wrote:

You will need the full cert chain on the DCs, but you should not need the
full chain on the client as AD should provide the whole chain to the client
during the SSL negotiation.

There are usually useful error messages in the system event log from
schannel and sometimes errors from LDAP in the Directory Service log when
there are SSL configuration problems.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:u8NRwU34HHA.2312@xxxxxxxxxxxxxxxxxxxxxxx
I have seen this fail when the CA cert from the third party isn't properly
imported into both the client and all dc's cert stores.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"DavidL" <DavidL@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E29AF6C3-FAE2-4BCD-AA1A-FBB5A3DA45A2@xxxxxxxxxxxxxxxx
I followed the instructions in KB321051 to install a certificate.
I got to the section "Verifying an LDAPS connection" and cannot connect to
636 or 3269. Error <0x51>: Fail to connect
389 works fine.
I don't see an _ldap entry in DNS.
The domain controller I'm working with has no IIS and our network has no CA
