Topic: How to enable SSL on an ADLDS instance running on Windows 7

eLDAP (posts: 107, joined: 08/02/2006, from: Austin, TX):
How to enable SSL on an ADLDS instance running on Windows 7
Why does the damn SSL matter? It is required by ADLDS/ADAM for certain scenarios, for example when you want to change a password over LDAP using Ldp.exe or Ldifde.exe.
First of all, you need a server certificate for ADLDS to run on the SSL port. That means the certificate must be marked for Server Authentication in its Intended Purposes.
There are basically two types of certificate: self-signed and CA-issued. There are various utilities to generate a certificate, such as selfssl.exe or certreq.exe, but all of them require server resources like IIS, a Domain Controller, or a Certificate Authority. For a stand-alone ADLDS instance running on an isolated computer, you can get both the certificate and the CA done with makecert.exe.
Note: The SSL requirement can be relaxed, though, by following the link: How to disable SSL secure connection requirement for password operation

eLDAP:
Generate a certificate and CA root with makecert.exe
Step 1: Download the Windows SDK for Windows 7
Here is the link: http://msdn.microsoft.com/en-us/windowsserver/bb980924.aspx
With the SDK installed, go to Start -> All Programs -> Microsoft Windows SDK v7.1 -> Windows SDK v7.1 Command Prompt. This opens a command prompt with all of the necessary path variables set. For an x64 machine, go to the folder: C:\Program Files\Microsoft SDKs\Windows\v7.1\bin\x64
Step 2: Generate a CA root certificate
    makecert -pe -n "CN=Test and Dev Root Authority" -ss my -sr LocalMachine -a sha1 -sky signature -r "c:\tmp\Test and Dev Root Authority.cer"
This will create a root authority certificate, which you can use to sign new certificates.
Step 3: Generate a CA-issued/signed certificate
    makecert -pe -n "CN=ADLDS-TEST-MACHINE" -ss my -sr LocalMachine -a sha1 -sky exchange -eku 1.3.6.1.5.5.7.3.1 -in "Test and Dev Root Authority" -is MY -ir LocalMachine -sp "Microsoft RSA SChannel Cryptographic Provider" -sy 12 "c:\tmp\Test and Dev SSL.cer"
Note: The private keys of the above certificates are stored under the directory C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys. The public certificates are exported and stored in the .cer files above (with no private key inside). You must log in as administrator to run makecert.exe; otherwise, saving the secret key into the store is going to fail.
Now both of these certificates, including private keys, have been created and installed in the local machine's certificate store. You can confirm this by checking mmc -> Certificates (Local Computer) -> Personal -> Certificates; you should see both certificates there.
That's it. You now have a server certificate that can be used for SSL with a trusted root authority.

eLDAP:
ADLDS on SSL Error #1 -- No certificate installed.
This is the scenario where the AD LDS server is running correctly on the plain socket port but not on the SSL port (even though netstat or dsdbutil indicates that the SSL port is occupied).
Client application Ldp.exe:
ld = ldap_sslinit("ADLDS-TEST-MACHINE", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to ADLDS-TEST-MACHINE.
Client application Java Jndi:
javax.naming.CommunicationException: Root exception is java.net.SocketException:
Caused by: java.net.SocketException: Software caused connection abort: recv failed
at java.net.SocketInputStream.socketRead0(Native Method)
at java.net.SocketInputStream.read(SocketInputStream.java:147)
at com.sun.net.ssl.internal.ssl.InputRecord.readFully(InputRecord.java:293)
at com.sun.net.ssl.internal.ssl.InputRecord.read(InputRecord.java:331)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.readRecord(SSLSocketImpl.java:789)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.performInitialHandshake(SSLSocketImpl.java:1120)
at com.sun.net.ssl.internal.ssl.SSLSocketImpl.writeRecord(SSLSocketImpl.java:623)
at com.sun.net.ssl.internal.ssl.AppOutputStream.write(AppOutputStream.java:59)
Root Cause: You had neither a self-signed certificate nor a CA-issued certificate installed for the ADLDS instance.
How to fix: Assign a certificate to ADLDS
Step 1: Verify that your server certificate is ready
Click Start, right-click Command Prompt, and then click Run as administrator. Type mmc to open Microsoft Management Console.
Click File, click Add/Remove Snap-in, select the Certificates snap-in in Available snap-ins, and then click Add.
In Add or Remove Snap-ins, select Computer account and then click Next. Select Local computer, and then click Finish. Click OK.
In the console tree, expand Certificates (Local Computer), expand Personal, and then expand Certificates. Locate the certificate.
In the details pane, verify that the certificate is marked for Server Authentication in the Intended Purposes column, and that the computer's fully qualified host name appears in the Issued To column.
Step 2: Copy the certificate into the ADLDS instance's personal store
Select the certificate from step 1, right-click it, and then click Copy.
Click File, click Add/Remove Snap-in, select the Certificates snap-in in Available snap-ins, and then click Add.
In Add or Remove Snap-ins, select Service account and then click Next. Select Local computer, and then click Next.
In Service account, select the name of the ADLDS instance to which you want to connect over LDAPS, and then click Finish. Click OK.
In the console tree, expand Certificates-Service, right-click ADAM_instance_name\Personal, and then click Paste. Expand Certificates; the certificate should be listed.
Step 3: Grant read access to the certificate key file
Before you attempt to use the server authentication certificate with ADLDS, you must ensure that the Service Account (not the Administrator Account) under which the ADLDS instance is running has Read access to the certificate that you installed or imported. The default directory is:
C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
Navigate to the directory where the installed or imported certificates are stored. Right-click the appropriate server authentication certificate (identify it by matching the Date modified timestamp with the certificate's Valid from date), and then click Properties. On the Security tab, click Edit. In the Permissions dialog box, click Add. In the Select Users or Groups dialog box, type Network Service, and then click OK. Assign Read & Execute rights to the service account running ADLDS.
Step 4: Restart the ADLDS service to activate the new certificate
Go to Computer Management -> Services panel. Select your ADLDS instance and then click Restart.
Your ADLDS should now be running on SSL properly.
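An added example, not from the original post: a PowerShell version of Step 3 that walks from the certificate to its key container instead of matching timestamps in MachineKeys by hand. It assumes the key was created with a CSP provider (as the makecert -sp command above does), that the instance runs as NETWORK SERVICE, and the placeholder subject name from the thread.

```powershell
# Added example (not from the original post): PowerShell version of Step 3.
# Finds the private key file by walking from the certificate to its CSP key
# container, instead of matching timestamps in MachineKeys by hand.
# Assumptions: the key was created with a CSP provider (as makecert -sp does),
# and the instance runs as NETWORK SERVICE (the thread's service account).
function Grant-AdLdsKeyRead {
    param(
        [string]$SubjectName    = "CN=ADLDS-TEST-MACHINE",            # placeholder name from the thread
        [string]$ServiceAccount = "NT AUTHORITY\NETWORK SERVICE"
    )
    $cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq $SubjectName -and $_.HasPrivateKey } |
        Select-Object -First 1
    if (-not $cert) { throw "No certificate with a private key for '$SubjectName' in LocalMachine\My" }

    # Check the Server Authentication EKU (1.3.6.1.5.5.7.3.1) before granting anything.
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $serverAuth = $eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" }
    if (-not $serverAuth) { throw "Certificate $($cert.Thumbprint) is not marked for Server Authentication" }

    # For a CSP key, the unique container name is the file name under MachineKeys.
    # $env:ProgramData is where the "All Users\Application Data" path points on Windows 7.
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    if (-not $keyName) { throw "Private key is not a CSP key; locate it manually" }
    $keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
    if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }

    # Read & Execute only, as in the post: the service loads the key, it never rewrites it.
    icacls "$keyFile" /grant "${ServiceAccount}:RX" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }
    return $keyFile
}

# Run elevated, then restart the instance (Step 4) so it picks up the key.
Grant-AdLdsKeyRead -SubjectName "CN=ADLDS-TEST-MACHINE"
```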

eLDAP:
ADLDS on SSL Error #2 -- No trusted certificate chain.
This is the scenario where the AD LDS server is running correctly on the SSL port but the client fails to establish the SSL connection.
Client application Ldp.exe:
ld = ldap_sslinit("ADLDS-TEST-MACHINE", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to ADLDS-TEST-MACHINE.
Client application Java Jndi:
Root exception is javax.net.ssl.SSLHandshakeException:
java.security.cert.CertificateException: Untrusted Server Certificate Chain
at com.sun.net.ssl.X509TrustManagerJavaxWrapper.checkServerTrusted(SSLSecurity.java:600)
at com.sun.net.ssl.internal.ssl.ClientHandshaker.serverCertificate(ClientHandshaker.java:1066)
Root Cause: If ADLDS is running on a self-signed certificate, you failed to get a copy of the public certificate and import it into your client side's trusted store. If ADLDS is running on a CA-issued certificate, the CA is not well known, as its root certificate is not in your trusted store yet.
How to fix:
Export the certificate (if self-signed) or the CA's root certificate (if CA-issued) into a portable file (with no private key inside), let's say AdLdsCa.cer.
Copy the file AdLdsCa.cer to the client-side computer.
Import AdLdsCa.cer into the JVM's trust store <JRE>/lib/security/cacerts for the target Java client application, or import AdLdsCa.cer into the computer's trust store (MMC / Certificates (Local Computer) / Trusted Root Certification Authorities / Certificates) for all Microsoft client applications, like Ldp.exe or the Softerra browser.
After the fix, you should see a message similar to this:
ld = ldap_sslinit("ADLDS-TEST-MACHINE", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 0 = ldap_connect(hLdap, NULL);
Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
Host supports SSL, SSL cipher strength = 128 bits
Established connection to ADLDS-TEST-MACHINE.
Retrieving base DSA information...
Getting 1 entries:
Dn: (RootDSE)
...
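An added example, not from the original post: a PowerShell probe that connects to the LDAPS port, records the server certificate and the validation result, and reports which of the two failure modes above applies instead of Ldp.exe's generic 0x51. It assumes the placeholder host name from the thread and only reads from the service.

```powershell
# Added example (not from the original post): probe the LDAPS port and explain
# the failure instead of Ldp.exe's generic 0x51. Assumes the placeholder host
# name from the thread; the service itself is not touched.
function Test-AdLdsSsl {
    param([string]$Server = "ADLDS-TEST-MACHINE", [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Server, $Port) }
    catch { return "TCP connect to ${Server}:$Port failed: $($_.Exception.Message)" }

    # Accept the certificate for this probe only, recording what validation found.
    $script:probeCert = $null; $script:probeErrors = 0
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:probeCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $script:probeErrors = [int]$sslPolicyErrors
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try { $ssl.AuthenticateAsClient($Server) }
    catch {
        # Error #1: with no certificate assigned, the instance drops the handshake.
        return "Handshake aborted (no certificate assigned to the instance?): $($_.Exception.Message)"
    }
    finally { $ssl.Dispose(); $client.Close() }

    $c = $script:probeCert; $findings = @()
    # Error #2: the issuing root is missing from the client's Trusted Root store.
    if ($script:probeErrors -band [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors) {
        $findings += "Untrusted chain: import the issuer '$($c.Issuer)' into Trusted Root Certification Authorities"
    }
    # The name the client dials must match the subject (use the FQDN).
    if ($script:probeErrors -band [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) {
        $findings += "Name mismatch: certificate issued to '$($c.Subject)', connected as '$Server'"
    }
    # The certificate must carry the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    $eku = $c.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq "1.3.6.1.5.5.7.3.1" })) {
        $findings += "Certificate is not marked for Server Authentication"
    }
    if ($findings.Count -eq 0) { return "OK: LDAPS on $Server presents a trusted certificate for '$($c.Subject)'" }
    return $findings -join "`n"
}

Test-AdLdsSsl -Server "ADLDS-TEST-MACHINE"
```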

ronenfe (posts: 3, joined: 06/27/2013, from: Center):
thanks, you are a life saver
You gave the only information available on the Internet on how to create certificates for AD LDS. It took me some time, but I managed to do it on my Windows 2008 server.
Just a few clarifications for others:
"ADLDS-TEST-MACHINE" in the examples should be "<your computer name>.<your domain name>".
Don't use ldp in the beginning, because the error message is the same for both errors you described.
I had to do all the steps mentioned in the posts; it's not enough to follow only the first post.
I think Java Jndi means an application based on Java JNDI, like Softerra. There is no application called Jndi.
I used Softerra and got the ADLDS on SSL Error #2 he describes.
To solve it I had to export the CA root certificate and not the issued certificate. If anyone needs help you can ask me.