date: Thu, 12 Jun 2008 18:25:03 -0500, group: microsoft.public.platformsdk.active.directory


Problems enabling LDAP over SSL for Active Directory
Hi,
I'm trying to enable LDAP over SSL for an Active Directory lab environment and having problems. I followed this KB article to create the request:
http://support.microsoft.com/kb/321051

I don't have a CA, so I'm using OpenSSL and basically following the instructions from the following website to sign my above certificate request:
http://www.dylanbeattie.net/docs/openssl_iis_ssl_howto.html

I followed the following KB article to enable error and warning messages (set the value to 0x0007):
http://support.microsoft.com/kb/260729

I also set up Wireshark to monitor the LDAPS open connection via ldp.exe:
417  2.724599  10.146.235.65   10.146.235.223  TCP  56926 > ldaps [SYN] Seq=0 Win=8192 Len=0 MSS=1460 WS=8
418  2.724773  10.146.235.223  10.146.235.65   TCP  ldaps > 56926 [SYN, ACK] Seq=0 Ack=1 Win=16384 Len=0 MSS=1460 WS=0
419  2.724924  10.146.235.65   10.146.235.223  TCP  56926 > ldaps [ACK] Seq=1 Ack=1 Win=65536 Len=0
420  2.725301  10.146.235.65   10.146.235.223  SSL  Client Hello
421  2.734732  10.146.235.223  10.146.235.65   TCP  ldaps > 56926 [FIN, ACK] Seq=1 Ack=111 Win=65425 Len=0
422  2.734803  10.146.235.223  10.146.235.65   TCP  ldaps > 56926 [RST, ACK] Seq=2 Ack=111 Win=0 Len=0
424  2.737535  10.146.235.65   10.146.235.223  TCP  56926 > ldaps [ACK] Seq=111 Ack=2 Win=65536 Len=0
425  2.737612  10.146.235.223  10.146.235.65   TCP  ldaps > 56926 [RST] Seq=2 Win=0 Len=0

So I created the certificate as instructed in KB321051, I signed it with openssl, and then accepted it as instructed in the KB321051 article. The signed certificate is valid from the MMC snap-in, with a valid trusted root cert. The client also has the trusted root cert installed. Sending a connection request fails as noted by the captured traffic above. The only error I get from ldp.exe is a nondescript "Error <0x51>: Fail to connect to [host]". I do receive an event ID of 36872 on the AD server whenever I try to connect. But according to KB article 261196 this is expected: "In domains where no enterprise CA exists, this is an expected event and you can safely ignore the message."

Am I missing something glaring? Any help would be greatly appreciated!! Thanks.


Nate
date: Thu, 12 Jun 2008 18:25:03 -0500   author:   am
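An added diagnostic for the symptom in the capture above (not code from the thread): it attempts the same handshake ldp.exe does, but reports which stage failed, so "server closed the session before sending any certificate" can be told apart from "certificate presented but rejected". The DC host name and the cafile path are assumptions, and the local listener is a constructed stand-in so the script runs offline.

```python
"""Probe an LDAPS endpoint and classify why the TLS handshake failed.
A DC whose SChannel has no usable server certificate closes the TCP
session right after the Client Hello (frames 420-422 above), so the
client never sees a certificate and ldp.exe only reports 0x51."""
import socket
import ssl
import threading

def probe_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Return (status, detail).  cafile is the PEM of the root you signed
    with (assumed path, e.g. the OpenSSL CA certificate from the how-to)."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:                      # refused, timeout, no route
        return "unreachable", str(exc)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return "ok", "%s subject=%s" % (tls.version(),
                                            tls.getpeercert().get("subject"))
    except ssl.SSLCertVerificationError as exc:  # subclass of SSLError: first
        return "verify_failed", exc.verify_message
    except (ssl.SSLEOFError, ConnectionResetError, BrokenPipeError) as exc:
        return "server_closed", str(exc)        # no Server Hello / certificate
    except ssl.SSLError as exc:                 # e.g. a handshake_failure alert
        return "ssl_error", str(exc)
    finally:
        raw.close()

def start_closing_listener():
    """Constructed stand-in for the failing DC: accept one connection, read
    the Client Hello, then close with FIN exactly like frame 421."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def run():
        conn, _ = srv.accept()
        conn.recv(4096)          # drain Client Hello so close() sends FIN, not RST
        conn.close()
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return srv.getsockname()[1]

if __name__ == "__main__":
    print(probe_ldaps("127.0.0.1", start_closing_listener()))  # ('server_closed', ...)
```

A result of server_closed against the real DC (probe_ldaps("dc.lab.example", cafile="ca.pem"), both names assumed) usually means SChannel on the server found no certificate it could use, so the server-side requirements in KB321051 are the place to re-check rather than the client trust store.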

Re: Problems enabling LDAP over SSL for Active Directory
Do you see an error in the event log from schannel on the client machine 
where you ran ldp?

Joe K.
-- 
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
<nmaier@nospam.nospam> wrote in message 
news:op.ucnsn12af53ff4@nmaier1.unimax.com...
date: Thu, 12 Jun 2008 22:34:06 -0500   author:   Joe Kaplan

Re: Problems enabling LDAP over SSL for Active Directory
The only message I received client side was Event ID 36867: Creating an SSL client credential.

Nate

On Thu, 12 Jun 2008 22:34:06 -0500, Joe Kaplan wrote:

> Do you see an error in the event log from schannel on the client machine
> where you ran ldp?
>
> Joe K.
date: Fri, 13 Jun 2008 10:36:10 -0500   author:   am
