ADLDS on SSL Error #1 -- No certificate installed.
Subject: ADLDS on SSL Error #1 -- No certificate installed.
Author: eLDAP
In response to: Generate certificate and CA root by makecert.exe
Posted on: 11/10/2012 07:57:05 PM
This is the scenario where the AD LDS server is running correctly on the plain-socket port but not on the SSL port (even though netstat or dsdbutil indicates that the SSL port is in use).
Client application Ldp.exe:
ld = ldap_sslinit("ADLDS-TEST-MACHINE", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to ADLDS-TEST-MACHINE.
Client application Java Jndi:
javax.naming.CommunicationException: Root exception is java.net.SocketException:
Caused by: java.net.SocketException: Software caused connection abort: recv failed
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:147)
at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
Root Cause:
You have neither a self-signed certificate nor a CA-issued certificate installed for the ADLDS instance.
How to fix: Assigning a certificate to ADLDS
Step 1: Verify that your server certificate is ready
Click Start, right-click Command Prompt, and then click Run as administrator. Type mmc to open Microsoft Management Console.
Click File, click Add/Remove Snap-in, select the Certificates snap-in in Available snap-ins, and then click Add.
In Add or Remove Snap-ins, select Computer account and then click Next.
In Add or Remove Snap-ins, select Local computer, and then click Finish.
In Add or Remove Snap-ins, click OK.
In the console tree, expand Certificates (Local Computer), expand Personal, and then expand Certificates. Locate the certificate.
In the details pane, verify that the certificate is marked for Server Authentication in the Intended Purposes column.
In the details pane, verify that the computer's fully qualified host name appears in the Issued To column.
Step 2: Copy the certificate into the ADLDS instance's personal store
Select the certificate from Step 1, right-click it, and then click Copy.
Click File, click Add/Remove Snap-in, select the Certificates snap-in in Available snap-ins, and then click Add.
In Add or Remove Snap-ins, select Service account and then click Next.
In Add or Remove Snap-ins, select Local computer, and then click Next.
In Service account, select the name of the ADLDS instance to which you want to connect over LDAPS, and then click Finish.
In Add or Remove Snap-ins, click OK.
In the console tree, expand Certificates-Service, right-click ADAM_instance_name\Personal, and then click Paste.
Expand Certificates; the certificate should be listed.
Step 3: Grant read access to the certificate key file
Before you attempt to use the server authentication certificate with ADLDS, you must ensure that the Service Account (not the Administrator Account) under which the ADLDS instance is running has Read access to the certificate that you installed or imported. The default directory is:
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Navigate to the directory where the installed or imported certificates are stored.
Right-click the appropriate server authentication certificate (identify it by matching the Date modified timestamp with the certificate's Valid from date), and then click Properties.
On the Security tab, click Edit. In the Permissions dialog box, click Add.
In the Select Users or Groups dialog box, type Network Service, and then click OK.
Assign Read & Execute rights to the service account running ADLDS.
Step 4: Restart the ADLDS service to activate the new certificate
Go to Computer Management -> Services panel. Select your ADLDS instance and then click Restart.
Your ADLDS should now be running on SSL properly.
>
> On 11/10/2012 07:36:51 PM eLDAP wrote:
> Step 1: Download Windows SDK for Windows 7
> Here is the link: http://msdn.microsoft.com/en-us/windowsserver/bb980924.aspx
> With the SDK installed, go to Start -> All Programs -> Microsoft Windows SDK v7.1 -> Windows SDK v7.1 Command Prompt. This will open up a command prompt with all of the necessary path variables set. For an x64 machine, go to folder: C:\Program Files\Microsoft SDKs\Windows\v7.1\bin\x64
> Step 2: Generate a CA root certificate
> makecert -pe -n "CN=Test and Dev Root Authority" -ss my -sr LocalMachine
> -a sha1 -sky signature -r "c:\tmp\Test and Dev Root Authority.cer"
> This will create a root authority certificate, which you can use to sign new certificates.
> Step 3: Generate a CA-issued/signed certificate
> makecert -pe -n "CN=ADLDS-TEST-MACHINE" -ss my -sr LocalMachine -a sha1 -sky exchange
> -eku 1.3.6.1.5.5.7.3.1 -in "Test and Dev Root Authority" -is MY
> -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider"
> -sy 12 "c:\tmp\Test and Dev SSL.cer"
> Note: The private keys of the above certificates are stored under the directory C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys. The public certificates are exported and stored in the above xxx.cer files (having no private key inside). You must log in as administrator to run makecert.exe; otherwise, saving the secret key into the store is going to fail.
> Now, both of these certificates including private keys have been created and installed to the local machine's certificate store. You can confirm this by checking mmc -> Certificates (Local Computer) -> Personal -> Certificates; you should see both certificates there.
> That's it. You now have a server certificate that can be used for SSL with a trusted root authority.
> References:
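As an added diagnostic (not part of eLDAP's post or of AD LDS itself), the PowerShell script below reproduces the client side of the failure described above: it connects to the LDAPS port, attempts the TLS handshake, and, if the server does present a certificate, applies the two Step 1 checks (Server Authentication EKU and host name). The host name and port are the ones the post uses; the variable names are mine.

```powershell
# Added diagnostic, not from the original post. Host name and port are the
# ones the post connects to; change them for your instance.
$HostName = 'ADLDS-TEST-MACHINE'
$Port     = 636

# Accept whatever the server sends: the goal is to see whether a certificate
# comes back at all, not to validate trust yet.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
    param($sender, $certificate, $chain, $sslPolicyErrors) $true
}

$client = New-Object System.Net.Sockets.TcpClient
try {
    # A bare TCP connect succeeds even with no certificate bound, which is
    # why netstat/dsdbutil showing port 636 in use proves nothing about TLS.
    $client.Connect($HostName, $Port)
} catch {
    Write-Host "TCP connect to ${HostName}:${Port} failed: $($_.Exception.Message)"
    return
}

$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
try {
    $ssl.AuthenticateAsClient($HostName)
} catch {
    # The post's symptom: the server accepts TCP, then aborts the handshake
    # (ldap_connect error 81 / Java "connection abort: recv failed").
    Write-Host "TLS handshake failed: $($_.Exception.GetBaseException().Message)"
    Write-Host "Consistent with no certificate assigned to the AD LDS instance; work through Steps 1-4."
    $client.Close()
    return
}

# A certificate came back: apply the two checks from Step 1.
$cert    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
$ekuExt  = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
    Select-Object -First 1
# 1.3.6.1.5.5.7.3.1 is the Server Authentication EKU the post passes to makecert -eku.
$serverAuth = $ekuExt -and ($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

Write-Host "Server presented: $($cert.Subject) (valid $($cert.NotBefore) to $($cert.NotAfter))"
Write-Host ("Server Authentication EKU present : {0}" -f [bool]$serverAuth)
Write-Host ("Name matches host you connected to: {0}" -f ($dnsName -ieq $HostName))
$ssl.Close()
$client.Close()
```

If the TCP connect succeeds but the handshake fails, you are in the "Error #1" situation from the post; if a certificate is shown but one of the two checks prints False, revisit the Step 1 criteria before copying it into the instance's store.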