Discussion: ADAM SSL

CY
2004-05-10 03:25:24 UTC
Hi,
I am trying to connect to my ADAM instance running on a domain controller (SSL port 50001) using SSL. I have installed the certificate into the local computer cert store. I can connect to the default SSL port 636 at localhost but cannot connect to my instance's SSL port at 50001, see the error below. I have checked that port 50001 is listening. How do I connect to the instance's SSL port?

ld = ldap_sslinit("localhost", 50001, 1);
Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
LDAP_VERSION3);
Error <0x51> = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to localhost.


Thanks
CY

Lee Flight
2004-05-10 09:13:24 UTC
Have you checked the "start_here.htm" file that ships with ADAM? In the section on "Using SSL certificates with ADAM" it explains that permission is required on the on-disk certificate store for the account running the ADAM instance (service).

Bear in mind the usual reservation over how wise it is to use a Domain Controller for running other services (ADAM in this case).
--
Lee Flight

CY
2004-05-11 04:05:56 UTC
Yes I have done that, gave full control to the Network Service and Administrator accounts. Still cannot figure out why I can connect to port 636 (which means no problem with the certificate, right?) but not to 50001.

Lee Flight
2004-05-11 07:55:04 UTC
Do you see anything in the ADAM instance event log when you open ldp and the connection fails? In particular, do you see Event ID 1220?

What was the certificate issued to? A server name or IP address? If a server name, have you tried using the exact same name in the Server: field of the ldp connect box?

If you could try this on a box other than a domain controller it would probably simplify diagnosis of the problem.
--
Lee Flight

CY
2004-05-13 08:41:10 UTC
Thanks for the reminder. I just checked my event log and it shows the following error. It looks like some people hit the same error in earlier postings but no solution was given. I used the same fully qualified domain name when connecting with ldp.

Description
LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.

Additional Data
Error value
8009030e No credentials are available in the security package


Lee Flight
2004-05-13 16:16:42 UTC
That message implies that your ADAM server is not finding an accessible certificate. Just to be clear, you have done the following:

(1) on the ADAM server look in
c:\documents and settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
and note what keys are there

(2) on the ADAM server request and install a server certificate for use by ADAM in the Computer Personal certificate store

(3) on the ADAM server look in
c:\documents and settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
and see what new key is there as a result of (2) and grant READ permission on that key for the ADAM service account. NOTE you need to set the permission on the key itself; the keys in that folder do not inherit permissions

(4) install or restart an ADAM instance on the server

(5) On the ADAM server, run ldp.exe and Connect. In the Server field put the name of the ADAM server as it appears in the Issued To column of the Certificate MMC when you added the certificate. In the Port box put the port number for the ADAM instance SSL and check the SSL box.

You should see an ldap_sslinit connection initiate and hopefully connect.

Lee Flight
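The five steps above, together with the FQDN and "server auth" points Dmitri raises in his follow-up, can be checked from a PowerShell prompt on the ADAM server instead of by hand. The script below is an added example; it is not from the original thread and not part of ADAM's own tooling. It assumes the instance runs under the default service name ADAM_instance1 as NETWORK SERVICE and listens for SSL on 50001, and that the certificate was issued to the machine's FQDN. $env:ProgramData stands in for the "Documents and Settings\All Users\Application Data" path Lee gives; the CNG branch (keys under Crypto\Keys) is an assumption for newer servers, where a key may live outside MachineKeys.

```powershell
# Added example: diagnose and fix ADAM LDAP-over-SSL on the ADAM server itself.
# Assumptions (not from the thread): instance service ADAM_instance1 running as
# NETWORK SERVICE, SSL port 50001, certificate issued to the machine FQDN.
param(
    [string]$Fqdn            = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [string]$ServiceAccount  = 'NT AUTHORITY\NETWORK SERVICE',
    [string]$InstanceService = 'ADAM_instance1',
    [int]   $SslPort         = 50001
)

# Step (2) check: the cert must be in Local Computer\Personal, carry a private key
# and be issued to the exact FQDN the client will connect to.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.Subject -match "CN=$([regex]::Escape($Fqdn))(,|`$)" } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key issued to CN=$Fqdn in LocalMachine\My" }

# It should also be marked for Server Authentication (OID 1.3.6.1.5.5.7.3.1).
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if ($eku -and -not ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1')) {
    Write-Warning "$($cert.Thumbprint) has an EKU list that lacks Server Authentication"
}

# Steps (1) and (3): locate the on-disk private key. CAPI keys live under
# RSA\MachineKeys (the folder Lee names); CNG keys under Crypto\Keys (assumed).
$rsa = $cert.PrivateKey
if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" `
                         $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    $cng = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $cng.Key.UniqueName
}
if (-not (Test-Path $keyFile)) { throw "Private key file $keyFile not found" }

# Key files do not inherit ACLs, so grant Read on the file itself, and only Read:
# the service needs to use the key, not to replace or delete it.
$readRight = [System.Security.AccessControl.FileSystemRights]::Read
$acl = Get-Acl -Path $keyFile
$hasRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq $ServiceAccount -and
    $_.AccessControlType -eq 'Allow' -and
    (($_.FileSystemRights -band $readRight) -eq $readRight)
}
if (-not $hasRead) {
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $ServiceAccount, 'Read', 'Allow')))
    Set-Acl -Path $keyFile -AclObject $acl
    "Granted Read on $keyFile to $ServiceAccount"
}

# Step (4): the instance only picks up the certificate at startup.
Restart-Service -Name $InstanceService -Force

# Step (5), scripted instead of ldp.exe: handshake against the FQDN (not localhost)
# and confirm the instance actually presented the certificate fixed up above.
$tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $SslPort)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($Fqdn)   # validates the chain and the name against $Fqdn
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    if ($remote.Thumbprint -ne $cert.Thumbprint) {
        Write-Warning "Instance presented $($remote.Subject) ($($remote.Thumbprint)), not the expected cert"
    }
    "TLS handshake to ${Fqdn}:$SslPort succeeded with $($ssl.SslProtocol)"
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}
```

Run it elevated on the ADAM server. A failing AuthenticateAsClient with Event ID 1220 still in the instance log points at the server side (key not readable, wrong store, no usable certificate); a handshake that succeeds but warns about a different thumbprint shows the instance chose another certificate from the store, which is the ambiguity Dmitri's next post warns about.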

Dmitri Gavrilov [MSFT]
2004-05-13 17:21:23 UTC
Very good description Lee, thanks. One suggestion. You will be safer if on step (2) you install the cert into the "ADAM service personal store" rather than the computer store. That's where ADAM checks first. The computer store could have other certs, and there's no way to tell which one will be picked.

The cert needs to be issued to the full DNS name of the machine, and it should be marked for "server auth". And the client MUST connect to the full DNS name of the machine, or localhost. And the client must trust that cert.
--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples is subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

Lee Flight
2004-05-13 22:00:46 UTC
To be honest we could not figure out how to get the cert into the ADAM service personal certificate store. We use a Windows Enterprise CA and could only see how to request a cert for the Local Computer. Your message has prompted me to re-visit this and the following works for me:

--
Installing a certificate for ADAM SSL

Using a Windows Enterprise Certificate Authority:

Synopsis:

On the (domain) computer running the ADAM instance create an MMC console that has the Local Computer Personal Certificate store and the ADAM instance Personal Certificate Store visible.

Request a new certificate in the Local Computer Personal Certificate Store from the Enterprise Certificate Authority and then move it into the ADAM instance Personal Certificate store.

HowTo:

On the (member) server that is running the ADAM instance:
Click Start, click Run, type mmc and click OK.

In the mmc console
Click File, click Add/Remove Snap-in, on the Add/Remove Snap-in popup click Add and then from the Add Standalone Snap-in select Certificates and click Add.

On the Certificates Snap-in, check Computer Account, click Next; on the Select Computer popup check Local Computer and click Finish.

From the Add Standalone Snap-in select Certificates and click Add.

On the Certificates Snap-in check Service Account, click Next; on the Select Computer popup check Local Computer and Next, select the ADAM instance service account (default name instance1) from the list box, click Finish.

On the Add Standalone Snap-in popup click Close.

On the Add/Remove Snap-in popup click OK.

The mmc should now contain consoles for
+ Certificates (Local Computer)
+ Certificates - Service (instance1) on Local Computer

Expand both of these consoles.
Under Certificates (Local Computer) right-click Personal, select All Tasks and then click Request New Certificate.

On the New Certificate wizard click Next.
On the Certificate Types popup select Computer under Certificate types and click Next.
(Optionally) Provide a Certificate Friendly name and description and click Next.

Click Finish to close the New Certificate wizard.

If all is well a popup informs you "The certificate request was successful." Click OK.

Click the Certificates folder that now appears as

Certificates (Local Computer)
Personal
Certificates

In the left-hand pane the new server certificate should be visible. Right-click the certificate and select Cut.

Under Certificates - Service (instance1) on Local Computer select the <Service name>\Personal folder (ADAM_instance1\Personal by default). In the left-hand pane right-click and select Paste.

This should result in the move of the new certificate into the ADAM instance Personal Store.
--

If there's a better way please let me know and I will merge the info back with the other steps as a FAQ on this. For third-party certs I assume it's just an import under the ADAM Personal store (I think there's a KB for LDAP/SSL for third-party as well).

Lee Flight
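The cut-and-paste between MMC snap-ins above can be scripted for the third-party-certificate case Lee mentions at the end, where the cert already exists as a PFX or in the machine store. The script below is an added example, not part of the original thread or of ADAM's own tooling. Its assumptions: the instance service is named ADAM_instance1, so its Personal store is addressed as "ADAM_instance1\My" (the MMC shows it as ADAM_instance1\Personal), certutil's -service switch targets that service store for -importpfx and -store (check `certutil -?` on your build), and Export-PfxCertificate from the PKI module is available (Windows Server 2012 or later). Unlike Lee's steps it copies rather than moves the certificate, since the thread shows the DC's own LDAPS on 636 working from the machine store.

```powershell
# Added example: copy a server certificate (with its private key) from
# Local Computer\Personal into the ADAM instance's own Personal store.
# Assumptions (not from the thread): service name ADAM_instance1, store name
# "ADAM_instance1\My", certutil -service semantics as described in the lead-in.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string]$InstanceService = 'ADAM_instance1'
)

$cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key; request or import it first" }

# Export cert + key to a PFX guarded by a random one-time password.
$pfx   = Join-Path $env:TEMP "adam-ssl-$Thumbprint.pfx"
$bytes = New-Object byte[] 24
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
$plain    = [Convert]::ToBase64String($bytes)
$password = ConvertTo-SecureString $plain -AsPlainText -Force
Export-PfxCertificate -Cert $cert -FilePath $pfx -Password $password | Out-Null

try {
    # Import into the service store. certutil takes the PFX password on the
    # command line, which is why it is a throwaway value generated above.
    certutil -service -p $plain -importpfx "$InstanceService\My" $pfx
    if ($LASTEXITCODE -ne 0) { throw "certutil import failed with exit code $LASTEXITCODE" }
} finally {
    Remove-Item $pfx -Force -ErrorAction SilentlyContinue
}

# Verify the instance store now holds the certificate, then restart the
# instance so it loads it. ADAM checks its own store before the machine store,
# so the leftover machine-store copy does not change which cert it picks.
certutil -service -store "$InstanceService\My" $Thumbprint
if ($LASTEXITCODE -ne 0) { throw "Certificate $Thumbprint not found in $InstanceService\My" }
Restart-Service -Name $InstanceService -Force
```

After the import, re-check the private key file's ACL for the ADAM service account as in Lee's step (3): the import may create a new key container, and that file will not inherit permissions either.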

Dmitri Gavrilov [MSFT]
2004-05-11 18:23:52 UTC
AD (lsass) and ADAM (dsamain) usually run under different service accounts. You must make sure ADAM's service account has read access to the private key corresponding to the cert. It is stored in a file in the c:\documents and settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys folder.
--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples is subject to the terms specified at http://www.microsoft.com/info/cpyright.htm

CY
2004-05-13 08:56:04 UTC
I tried giving full control for Everyone on my test ADAM server but still failed to connect.

This is the test certificate I imported into the Trusted Root CA store on the client (a machine in the same domain). adam.domain.local is my ADAM server. Do you think this is a certificate issuing problem or an ADAM SSL problem?

================ Certificate 4 ================
Serial Number: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Issuer: CN=adam.domain.local, DC=DOMAIN, DC=local
Subject: CN=adam.domain.local, DC=DOMAIN, DC=local
Certificate Template Name: CA
CA Version: V0.0
Signature matches Public Key
Root Certificate: Subject matches Issuer
Template: CA, Root Certification Authority
Cert Hash(sha1): xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key Container = adam.domain.local
Provider = Microsoft Strong Cryptographic Provider
Signature test passed


Dmitri Gavrilov [MSFT]
2004-05-13 17:22:47 UTC
See my other post. Also, as Lee noted, private key files are protected from inheritance, so you need to either force propagation or modify security on the actual file.
--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples is subject to the terms specified at http://www.microsoft.com/info/cpyright.htm