Re: Enable LDAP over SSL
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 22 Aug 2007 14:37:33 -0500
As I understand it, this is a feature of TLS, the successor to SSL that is
used for doing most SSL operations in Windows these days. The negotiation
with the client will provide the whole chain to the client if the server has
the chain.
The client doesn't need the whole chain locally as a rule. Basically, it
needs the root cert in the chain to be a trusted root and it needs the chain
in memory so that it can verify the chain (which is why the chain must be
provided by the server).
It is basically identical to how this works with web browsers when you do
SSL/HTTPS. The server's cert is often issued by a CA that you don't have in
your intermediate CA certs store (and may be a few layers deep in the
chain), but as long as the whole chain is provided by the server AND the
last cert in the chain is a trusted root, the chain will verify (unless
there is another problem with the certificate).
IE makes this very easy to visualize using HTTPS since it shows you the
server's cert as well as the chain for the cert and lets you inspect each
cert in the chain, so I like to use it as an example.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:%23v7PWFP5HHA.1164@xxxxxxxxxxxxxxxxxxxxxxx
Didn't know the DC provided the chain to its clients. Do the clients then
install them into their store? I have to believe they must do that.
--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT
http://www.pbbergs.com
Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.
"Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:uV35ec34HHA.484@xxxxxxxxxxxxxxxxxxxxxxx
You will need the full cert chain on the DCs, but you should not need the
full chain on the client as AD should provide the whole chain to the
client during the SSL negotiation.
There are usually useful error messages in the system event log from
schannel and sometimes errors from LDAP in the Directory Service log when
there are SSL configuration problems.
Joe K.
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:u8NRwU34HHA.2312@xxxxxxxxxxxxxxxxxxxxxxx
I have seen this fail when the CA cert from the third party isn't
properly imported into both the client and all dc's cert stores.
"DavidL" <DavidL@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E29AF6C3-FAE2-4BCD-AA1A-FBB5A3DA45A2@xxxxxxxxxxxxxxxx
I followed the instructions in KB321051 to install a certificate.
I got to the section "Verifying an LDAPS connection" and cannot connect to 636 or 3269. Error <0x51>: Fail to connect
389 works fine.
I don't see an _ldap entry in DNS.
The domain controller I'm working with has no IIS and our network has no CA.
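The behaviour Joe describes (the DC sends its chain, the client only needs the root to be trusted) and the two failure modes in this thread (DavidL's 0x51 "Fail to connect" and Paul's missing CA cert) can be checked from a client with the PowerShell script below. It is an added example, not code posted by anyone in the thread; the DC name dc01.example.local is a placeholder and the port defaults to 636. The script opens a TCP connection to the LDAPS port, runs the TLS handshake with a validation callback that records the chain schannel built and the policy errors it flagged, prints each certificate in that chain, and then lists recent Schannel errors from the System log, which is where Joe says to look.

```powershell
# Added example, not from the thread. Probes a DC's LDAPS port and shows the
# certificate chain schannel builds from what the server presents.
param(
    [string]$DomainController = 'dc01.example.local',  # placeholder; use your DC's FQDN
    [int]$Port = 636                                     # 636 = LDAPS, 3269 = GC over SSL
)

$script:chainSeen    = @()
$script:policyErrors = $null

# Records the chain and policy errors, then accepts the certificate so the
# handshake completes and the chain can be inspected. Inspection only; never
# return $true unconditionally in real client code.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:policyErrors = $sslPolicyErrors
    $elements = @()
    foreach ($el in $chain.ChainElements) {
        $c = $el.Certificate
        $statuses = @()
        foreach ($s in $el.ChainElementStatus) { $statuses += [string]$s.Status }
        $elements += [pscustomobject]@{
            Subject    = $c.Subject
            Issuer     = $c.Issuer
            NotAfter   = $c.NotAfter
            Thumbprint = $c.Thumbprint
            Status     = ($statuses -join ', ')
        }
    }
    $script:chainSeen = $elements
    return $true
}

# Step 1: plain TCP connect. A failure here is the 0x51 "Fail to connect"
# seen in the thread: nothing is listening on the SSL port yet.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($DomainController, $Port)
} catch {
    Write-Host "TCP connect to ${DomainController}:${Port} failed: $($_.Exception.Message)"
    Write-Host "Nothing is answering on the port; check the DC has a usable server certificate."
    return
}

# Step 2: TLS handshake. The target name must match the DC's certificate.
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($DomainController)
    Write-Host "TLS handshake completed: $($ssl.SslProtocol), cipher $($ssl.CipherAlgorithm)"
} catch {
    Write-Host "TLS handshake failed: $($_.Exception.Message)"
} finally {
    $ssl.Dispose()
    $client.Dispose()
}

# Step 3: report what schannel built from the server's chain plus local stores.
if ($script:chainSeen.Count -gt 0) {
    Write-Host ""
    Write-Host "Chain as built on this client (leaf first):"
    $i = 0
    foreach ($e in $script:chainSeen) {
        Write-Host ("  [{0}] Subject    : {1}" -f $i, $e.Subject)
        Write-Host ("       Issuer     : {0}" -f $e.Issuer)
        Write-Host ("       Expires    : {0}" -f $e.NotAfter)
        Write-Host ("       Thumbprint : {0}" -f $e.Thumbprint)
        if ($e.Status) { Write-Host ("       Status     : {0}" -f $e.Status) }
        $i++
    }
    $last = $script:chainSeen[-1]
    Write-Host ""
    Write-Host ("Chain ends at : {0}" -f $last.Subject)
    Write-Host ("Self-signed   : {0}" -f ($last.Subject -eq $last.Issuer))
    Write-Host ("Policy errors : {0}" -f $script:policyErrors)
    # PartialChain on the last element: an issuer cert was neither sent by the DC
    # nor found in this client's stores. UntrustedRoot: the root is not in the
    # client's Trusted Root CAs. None: the chain verified on this client.
}

# Step 4: recent Schannel errors on this client, the log Joe points at.
Write-Host ""
Write-Host "Recent Schannel errors in the System log:"
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Level = 2 } `
    -MaxEvents 10 -ErrorAction SilentlyContinue |
    Format-Table TimeCreated, Id, Message -AutoSize -Wrap
```

Save it as, say, Test-Ldaps.ps1 (an assumed name) and run it from a domain member as `.\Test-Ldaps.ps1 -DomainController dc01.example.local`. A chain whose last element is self-signed and carries no UntrustedRoot status means the root is in the client's Trusted Root store, which is all the client needs. A PartialChain status means an issuer certificate was neither presented by the DC nor present locally, which is the case Paul describes when the third-party CA cert is not imported on the DCs; the fix belongs on the DC side, not on every client. Because the callback accepts the certificate unconditionally, the handshake only fails for non-certificate reasons, so read the policy errors line rather than the handshake result.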