LdapPro
  ADLDS on SSL Error #2 -- No trusted certificate chain.
 
Subject: ADLDS on SSL Error #2 -- No trusted certificate chain.
Author: eLDAP
In response to: ADLDS on SSL Error #1 -- No certificate installed.
Posted on: 11/10/2012 08:14:00 PM

This is the scenario where the AD LDS server is running correctly on the SSL port but the client fails to establish the SSL connection.

Client application Ldp.exe:

ld = ldap_sslinit("ADLDS-TEST-MACHINE", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to ADLDS-TEST-MACHINE.


Client application Java Jndi:
Root exception is javax.net.ssl.SSLHandshakeException: 
  java.security.cert.CertificateException: Untrusted Server Certificate Chain
  at com.sun.net.ssl.X509TrustManagerJavaxWrapper.checkServerTrusted(SSLSecurity.java:600)
  at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1066)



Root Cause:
  • ADLDS running on self-signed certificate: you failed to get a copy of the public certificate and import into your client side's trusted store.
  • ADLDS running on CA-issued certificate: the CA is not well-known as its root certificate was not inside your trusted store yet.


How to fix:
  • Export the certificate (if self-signed) or the CA's root certificate (if CA-issued) into a portable file (no private key inside this file), let's say AdLdsCa.cer;
  • Copy file AdLdsCa.cer onto the client side computer;
  • Import file AdLdsCa.cer into the JVM's trust store <JRE>/lib/security/cacerts for the target Java client application, or
  • Import file AdLdsCa.cer into the computer's trust store MMC/Certificates (Local Computer)/Trusted Root Certification Authorities/Certificates for all Microsoft client applications, like Ldp.exe or Softerra Browser

    After the fix, you should see a message similar to this:
    ld = ldap_sslinit("ADLDS-TEST-MACHINE", 636, 1);
    Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
    Error 0 = ldap_connect(hLdap, NULL);
    Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
    Host supports SSL, SSL cipher strength = 128 bits
    Established connection to ADLDS-TEST-MACHINE.
    Retrieving base DSA information...
    Getting 1 entries:
    Dn: (RootDSE)
     ...
    > On 11/10/2012 07:57:05 PM eLDAP wrote:

    This is the scenario where the AD LDS server is running correctly on the plain socket port but not on the SSL port (even though netstat or dsdbutil indicates the SSL port is occupied).

    Client application Ldp.exe:
    ld = ldap_sslinit("ADLDS-TEST-MACHINE", 636, 1);
    Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
    Error 81 = ldap_connect(hLdap, NULL);
    Server error: <empty>
    Error <0x51>: Fail to connect to ADLDS-TEST-MACHINE.
    


    Client application Java Jndi:
    javax.naming.CommunicationException: Root exception is java.net.SocketException:
    Caused by: java.net.SocketException: Software caused connection abort: recv failed
    	at java.net.SocketInputStream.socketRead0(Native Method)
    	at java.net.SocketInputStream.read(SocketInputStream.java:147)
    	at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
    	at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
    	at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
    	at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
    



    Root Cause:
  • You had neither self-signed certificate nor CA-issued certificate installed for the ADLDS instance.


    How to fix: Assigning a certificate to ADLDS

    Step 1: Verify that your server certificate is ready
  • Click Start, right-click Command Prompt, and then click Run as administrator.
  • Type mmc to open Microsoft Management Console.
  • Click File, click Add/Remove Snap-in, select the Certificates snap-in in Available snap-ins, and then click Add.
  • In Add or Remove Snap-ins, select Computer account and then click Next.
  • In Add or Remove Snap-ins, select Local computer, and then click Finish.
  • In Add or Remove Snap-ins, click OK.
  • In the console tree, expand Certificates (Local Computer), expand Personal, and then expand Certificates.
  • Locate the certificate. In the details pane, verify that the certificate is marked for Server Authentication in the Intended Purposes column. In the details pane, verify that the computer's fully qualified host name appears in the Issued To column.

    Step 2: Copy the certificate into ADLDS instance's personal store
  • Select certificate from step 1 and right click on it and then click Copy
  • Click File, click Add/Remove Snap-in, select the Certificates snap-in in Available snap-ins, and then click Add.
  • In Add or Remove Snap-ins, select Service account and then click Next.
  • In Add or Remove Snap-ins, select Local computer, and then click Next.
  • In Service account, select the name of the ADLDS instance to which you want to connect over LDAPS, and then click Finish.
  • In Add or Remove Snap-ins, click OK.
  • In the console tree, expand Certificates-Service, right click ADAM_instance_name\Personal, and then click Paste.
  • Expand Certificates; the certificate should be listed.

    Step 3: Grant read access to the certificate key file
    Before you attempt to use the server authentication certificate with ADLDS, you must ensure that the Service Account (not the Administrator Account) under which the ADLDS instance is running has Read access to the certificate that you installed or imported. The default directory is:
    C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
    

  • Navigate to the directory where the installed or imported certificates are stored.
  • Right-click the appropriate server authentication certificate (identify by matching timestamp between Date modified and certificate's Valid from), and then click Properties.
  • On the Security tab, click Edit.
  • In the Permissions dialog box, click Add.
  • In the Select Users or Groups dialog box, type Network Service, and then click OK.
  • Assign Read & Execute rights to the service account running ADLDS.

    Step 4: Restart the ADLDS service to activate the new certificate
  • Go to Computer Management -> Services panel.
  • Select your ADLDS instance and then click Restart.

    Your ADLDS should now be running on SSL properly.
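Both scenarios in this thread produce the same `Error 81` in Ldp.exe, and only the Java stack trace tells them apart (a plain `SocketException` for Error #1, `Untrusted Server Certificate Chain` for Error #2). The probe below, an added example that is not part of the forum post, makes that distinction directly against an LDAPS port; `AdLdsCa.cer` must be exported as Base-64 encoded X.509 (PEM) for Python's `ssl` module to load it, the host name is an assumption, and the local listener is a constructed stand-in for an AD LDS instance with no certificate.

```python
"""Probe an LDAPS port and separate "no TLS on the port" (Error #1) from
"server certificate chain not trusted" (Error #2). Added example; host
names are assumptions, the listener below is a constructed stand-in."""
import socket
import ssl
import threading


def classify(exc):
    """Map a failed handshake to one of the two scenarios in this thread."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "untrusted-chain"    # Error #2: import AdLdsCa.cer on the client
    if isinstance(exc, (ssl.SSLEOFError, ConnectionResetError, ssl.SSLError)):
        return "no-tls-on-port"     # Error #1: AD LDS has no usable certificate
    return "connect-failed"         # refused, timed out, name lookup failed, ...


def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Return (tag, detail). cafile is the exported CA/self-signed cert in PEM;
    None means the system trust store, which is what Ldp.exe also consults."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                subject = dict(rdn[0] for rdn in tls.getpeercert()["subject"])
                return "ok", f"{tls.version()} to {subject.get('commonName')}"
    except OSError as exc:          # ssl.SSLError is an OSError subclass
        return classify(exc), str(exc)


def start_plain_listener():
    """Constructed stand-in for Error #1: accepts, reads the ClientHello and
    hangs up without ever answering in TLS. Returns the port it listens on."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.recv(4096)
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def self_check():
    """Exercise the probe offline: constructed listener plus synthetic errors."""
    return {
        "plain-listener": probe_ldaps("127.0.0.1", start_plain_listener())[0],
        "verify-error": classify(ssl.SSLCertVerificationError("self-signed cert")),
        "timeout": classify(socket.timeout()),
    }


if __name__ == "__main__":
    print(self_check())   # real use: probe_ldaps("ADLDS-TEST-MACHINE", 636, "AdLdsCa.cer")
```

After importing AdLdsCa.cer into the trust store the same probe with `cafile=None` should return `ok`, which is the Python equivalent of the `Host supports SSL` line in the Ldp.exe trace above.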






