Subject: thanks, you are a life saver
Author: ronenfe
In response to: ADLDS on SSL Error #2 -- No trusted certificate chain.
Posted on: 06/27/2013 02:11:26 PM

You gave the only information available on the internet on how to create certificates for AD LDS.
It took me some time, but I managed to do it on my Windows 2008 server.

Just a few clarifications to others:

"ADLDS-TEST-MACHINE" in the examples should be "<your computer name>.<your domain name>"

Don't use ldp in the beginning, because the error message is the same for both errors you described.

I had to do all the steps mentioned in the posts; it's not enough to follow only the first post.

I think "Java JNDI" means an application based on Java JNDI, like Softerra. There is no application called JNDI.

I used Softerra and got the "ADLDS on SSL Error #2" he describes.

To solve it I had to export the CA root certificate and not the issued certificate. If anyone needs help you can ask me.


 

> On 11/10/2012 08:14:00 PM eLDAP wrote:


This is the scenario where the AD LDS server is running correctly on the SSL port but the client fails to establish the SSL connection.

Client application Ldp.exe:
ld = ldap_sslinit("ADLDS-TEST-MACHINE", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to ADLDS-TEST-MACHINE.


Client application Java JNDI:
Root exception is javax.net.ssl.SSLHandshakeException: 
  java.security.cert.CertificateException: Untrusted Server Certificate Chain
  at com.sun.net.ssl.X509TrustManagerJavaxWrapper.checkServerTrusted(SSLSecurity.java:600)
  at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1066)



Root cause:
  • ADLDS running on a self-signed certificate: you failed to get a copy of the public certificate and import it into your client side's trusted store.
  • ADLDS running on a CA-issued certificate: the CA is not well known, as its root certificate was not inside your trusted store yet.


How to fix:
  • Export the certificate (if self-signed) or the CA's root certificate (if CA-issued) into a portable file (no private key inside this file), let's say AdLdsCa.cer;
  • Copy file AdLdsCa.cer onto the client side computer;
  • Import file AdLdsCa.cer into the JVM's trust store <JRE>/lib/security/cacerts for the target Java client application, or
  • Import file AdLdsCa.cer into the computer's trust store MMC/Certificates (Local Computer)/Trusted Root Certification Authorities/Certificates for all Microsoft client applications, like Ldp.exe or Softerra Browser.

    After the fix, you should see a message similar to this:
    ld = ldap_sslinit("ADLDS-TEST-MACHINE", 636, 1);
    Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
    Error 0 = ldap_connect(hLdap, NULL);
    Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
    Host supports SSL, SSL cipher strength = 128 bits
    Established connection to ADLDS-TEST-MACHINE.
    Retrieving base DSA information...
    Getting 1 entries:
    Dn: (RootDSE)
     ...
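Putting ronenfe's clarification (export the CA root, not the issued certificate) and the fix steps quoted above into one script, as an added example that is not from either post: on the AD LDS server it walks the chain behind the listener certificate and exports its root as AdLdsCa.cer; on the client it imports that file into both trust stores the post names. The subject `CN=adlds01.example.com`, the path `C:\temp`, `$env:JAVA_HOME` and the `adldsca` alias are assumed placeholders, and the script assumes an elevated Windows PowerShell session with the PKI module.

```powershell
# Added example, not from the forum posts. Assumptions (placeholders):
#   $ListenerSubject - subject of the AD LDS listener cert, i.e. <computer name>.<domain name>
#   $OutFile         - where the exported root lands; copy it to the client afterwards
#   $env:JAVA_HOME   - the JRE used by the Java/JNDI client (Softerra only needs the Windows store)
# Requires an elevated PowerShell with the PKI module (Windows 8 / Server 2012 and later).

$ListenerSubject = 'CN=adlds01.example.com'
$OutFile         = 'C:\temp\AdLdsCa.cer'

# --- Server side: find the listener cert and walk up to the root of its chain ---
$leaf = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $ListenerSubject } |
        Select-Object -First 1
if (-not $leaf) { throw "No certificate with subject '$ListenerSubject' in Cert:\LocalMachine\My" }

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust, not revocation, is the question here
[void]$chain.Build($leaf)

# The last chain element is the self-signed root. For a self-signed listener cert that is
# the leaf itself, which is why the post's "export the certificate" case works unchanged.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -ne $root.Issuer) {
    throw "Chain did not end in a self-signed root; the server's own trust store is incomplete"
}
Write-Host "Exporting root '$($root.Subject)' thumbprint $($root.Thumbprint)"
# -Type CERT writes DER with the public key only; no private key leaves the server.
Export-Certificate -Cert $root -FilePath $OutFile -Type CERT | Out-Null

# --- Client side, after AdLdsCa.cer has been copied over ---
# 1. Windows clients (Ldp.exe, Softerra): machine-wide Trusted Root Certification Authorities.
Import-Certificate -FilePath $OutFile -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# 2. Java/JNDI clients: the JRE's own cacerts truststore ('changeit' is the JDK default password).
& "$env:JAVA_HOME\bin\keytool.exe" -importcert -noprompt -trustcacerts `
    -alias adldsca -file $OutFile `
    -keystore "$env:JAVA_HOME\lib\security\cacerts" -storepass changeit

# Check: both stores now hold the root (by thumbprint in Windows, by alias in cacerts).
$inWindows = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $root.Thumbprint
& "$env:JAVA_HOME\bin\keytool.exe" -list -keystore "$env:JAVA_HOME\lib\security\cacerts" `
    -storepass changeit -alias adldsca | Out-Null
"Windows trust store: $(if ($inWindows) { 'present' } else { 'MISSING' })"
"JVM cacerts:         $(if ($LASTEXITCODE -eq 0) { 'present' } else { 'MISSING' })"
```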
    