Installing SSL-certificate for LDAPS on Domaincontroller

    Question

  • Hi,

    I try to install an SSL certificate for LDAPS / SSL over LDAP on a Windows Server 2008 Domain Controller (SP1). I referred to different articles, mainly the instructions in this one (http://support.microsoft.com/kb/321051), and it already ends when I start to create the request.

    certreq request.inf request.req -machine

    ---------------------------
    Certificate Request Processor
    ---------------------------
    Expected INF file section name 0xe0000000 (INF: -536870912)
    request.inf
    ---------------------------
    OK
    ---------------------------

    request.inf is edited (as described in the KB article) with the appropriate params.

    Also I cannot find an appropriate option (SSL for LDAP / DC) at our preferred certificate provider PSW-Group.

    Any Help appreciated.

    Best Regards, Jörg

    P.S. Also I am not sure if Directory Services is the right forum for this post.


    • Edited by blenderONE Friday, March 30, 2012 12:40 PM
    • Changed type blenderONE Saturday, April 07, 2012 7:25 AM
    Friday, March 30, 2012 12:21 PM

Answers

  • AND THE SOLUTION IS:

    - Buying an adequate certificate - poor that MS doesn't support widely used SSL certs and needs another extra treatment. Anyway, the cert issued by Comodo is working. Help from PSW-Group was great (Thanks, Rainer).

    - Doing the cert request with IIS Manager, completing it as well. (Talking about 3rd-party certs, just to remind you)

    - The trick is to export this cert out of IIS as .pfx and then import it in the certificates console on the DCs.

    Et voilà. LDAPS running. No messing around with any missing or additional information/parameters/something sick, unnecessary crap to add or whatever in certutil, which on the other hand seems to be a powerful tool.

    Hope this helps somebody if he runs into an issue like this.

    Thanks again for all your comments.

    Happy Easter,

    Jörg

    P.S.: Another "sorry" that I couldn't make clear that I didn't need help with FQDNs, CNs or any other LDAP-like syntax stuff. I appreciate your help, but I also thought that it was visible on which points I really needed help, above all referring to all the posts and KB articles I repeatedly pointed you to. ... I don't know if this is more a forum to help others or to collect "posting points". ;-)
    • Marked as answer by blenderONE Saturday, April 07, 2012 7:31 AM
    Saturday, April 07, 2012 7:31 AM

All replies

  • Hello,

    Please refer to the articles below, which explain how to accomplish this.

    http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

    http://blogs.technet.com/b/pki/archive/2011/06/02/implementing-ldaps-ldap-over-ssl.aspx

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, March 30, 2012 12:38 PM
  • Hi Prashant,

    Thanks for your immediate answer. Does that mean I have no other choice than implementing a CA/PKI in my domain/on our DC? No 3rd-party certificates?

    Best, Jörg

    Friday, March 30, 2012 12:53 PM
  • You can use 3rd-party certificates. That should not be a problem.

    However, the certificate which you are using has to meet some prerequisites, which are mentioned in http://support.microsoft.com/kb/321051.

    So did you check that all the prerequisites are met by the certificate which you are using?

    Additionally, follow the thread below.

    http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/be63bfb5-6578-4590-8369-4488e9952750/

    Regards,

    _Prashant_


    MCSA|MCITP SA|Microsoft Exchange 2003 Blog - http://prashant1987.wordpress.com Disclaimer: This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, March 30, 2012 1:09 PM
  • I already mentioned http://support.microsoft.com/kb/321051

    And I posted the error message I get when I proceed. At this point I need help.

    As I already mentioned too, I read through countless posts and KB articles, and this increasingly and partially conflicting information is not getting me through the process.

    I need a concrete answer to my described problem.

    Thanks.


    • Edited by blenderONE Friday, March 30, 2012 1:24 PM
    Friday, March 30, 2012 1:20 PM
  • Hi,

    Post the contents in the request.inf file.


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, March 30, 2012 2:10 PM
  • Managed to get it working.

    Right now I'm having to add "Organization, Common Name (not the DC path), Email, City, Province" in the .csr aka request.inf according to the certificate provider.

    Referring to "certreq -new /?", it's supposed to be like the following in the request.inf file?

    [Extensions]
    _continue_ = "EMail=User@Domain.com&"

    but organization, City, Province and Common Name I still don't know.

    Complete request.inf:

    ;----------------- request.inf -----------------

    [Version]

    Signature="$Windows NT$"

    [NewRequest]

    Subject = "CN=dc001......,dc=corp,dc=mydomain,dc=local"
    KeySpec = 1
    KeyLength = 2048
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [Extensions]

    _continue_ = "EMail=User@Domain.com&"


    [EnhancedKeyUsageExtension]

    OID=1.3.6.1.5.5.7.3.1

    ;-----------------------------------------------

    Friday, March 30, 2012 2:59 PM
  • Take a look at the articles below; if they don't help you, I suggest you post to the dedicated security forum, which deals with certificate-related issues.

    http://support.microsoft.com/kb/938703

    http://blogs.technet.com/b/askds/archive/2008/03/13/troubleshooting-ldap-over-ssl.aspx

    Security forum for certificate-related issues: http://social.technet.microsoft.com/Forums/en/winserversecurity/threads



    Awinish Vishwakarma - MVP-DS

    My Blog: awinish.wordpress.com

    Disclaimer This posting is provided AS-IS with no warranties/guarantees and confers no rights.

    Friday, March 30, 2012 3:14 PM

  • Subject = "CN=dc001......,dc=corp,dc=mydomain,dc=local"

    Hi,

    Change the above line to an FQDN (fully qualified domain name).

    Change it from DN: "CN=dc001......,dc=corp,dc=mydomain,dc=local" to FQDN: DCNAME.domain.local and let us know the result.


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, March 30, 2012 3:19 PM
  • Actually it was the DC name. Error message of the new try:

    ---------------------------
    Certificate Request Processor
    ---------------------------
    The string contains an invalid X500 name attribute key, oid, value or delimiter. 0x80092023 (-2146885597)
    request.inf([NewRequest] Subject = "FQDN=dc001....,dc=corp,dc=mydomain,dc=net")
    ---------------------------
    OK
    ---------------------------
    Friday, March 30, 2012 3:23 PM
  • Hi,

    It should be Subject = "CN=DCNAME.domain.local", i.e. the FQDN of the DC.

    How to find out FQDN: http://www.petri.co.il/forums/showthread.php?t=15529


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, March 30, 2012 3:27 PM
  • Again: (*** are placeholders, which I use only here)

    ;----------------- request.inf -----------------

    [Version]

    Signature="$Windows NT$"

    [NewRequest]

    Subject = "CN=dc001***,dc=corp,dc=***,dc=net"
    KeySpec = 1
    KeyLength = 2048
    Exportable = TRUE
    MachineKeySet = TRUE
    SMIME = False
    PrivateKeyArchive = FALSE
    UserProtected = FALSE
    UseExistingKeySet = FALSE
    ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
    ProviderType = 12
    RequestType = PKCS10
    KeyUsage = 0xa0

    [Extensions]

    _continue_ = "EMail=***=placeolders&"
    _continue_ = "DirectoryName=CN=corp,DC=***,DC=net&"
    _continue_ = "O=***"
    _continue_ = "S=***"
    _continue_ = "L=***"


    [EnhancedKeyUsageExtension]

    OID=1.3.6.1.5.5.7.3.1

    ;-----------------------------------------------

    The "_continue_ = "O=..."" line and the others are also "placeholded", too.

    Output of the certification authority's test of the request.req file:


    CN=dc001-**** (it's placeholders from me, just to remind you)
    OU=
    O=
    POBox=
    STREET=
    STREET=
    STREET=
    L=
    S=
    PostalCode=
    C=
    Email=
    Phone=

    What they want is: O for organization, S for city, Email for mail address, L for province. I'm not sure if this is the right way, because the request.inf doesn't throw errors anymore, but obviously still doesn't fulfill their demands???

    Friday, March 30, 2012 3:57 PM
  • Please use the Security forum and ask your question there for better assistance on the same.

    Here is Security forum link:

    http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads


    Best Regards,

    Sandesh Dubey.

    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Friday, March 30, 2012 5:36 PM
  • Hi,

    There is a difference between the FQDN and the DN. Do not use a DN path in the Subject line; it is used for LDAP queries.

    DN path: cn=Michael Sandt,ou=Consultants,ou=colleague,dc=cerrotorre,dc=de
    Distinguished Names: http://www.selfadsi.org/ldap-path.htm

    FQDN: somehost.example.com
    What is a fully qualified domain name (FQDN)?: http://en.wikipedia.org/wiki/Fully_qualified_domain_name
    How to find out FQDN: http://www.petri.co.il/forums/showthread.php?t=15529

    Check the request.inf file in the KB; it says Subject = "CN=<DC FQDN>" ; replace with the FQDN of the DC.

    E.g.: Subject = "CN=servername.domainname.local"

    If the issue persists with the correct FQDN, post the unedited request.inf file or post the question in the Security forum: http://social.technet.microsoft.com/Forums/en-US/winserversecurity/threads


    Best Regards,

    Abhijit Waikar.
    MCSA 2003 | MCSA:Messaging | MCTS | MCITP:Server Administrator | Microsoft Community Contributor | My Blog

    Disclaimer: This posting is provided "AS IS" with no warranties or guarantees , and confers no rights.

    Saturday, March 31, 2012 10:53 AM
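    The checks made in this thread (Subject must be CN=<DC FQDN> rather than an LDAP DN path, the Server Authentication EKU 1.3.6.1.5.5.7.3.1 must be present, and the Signature line must be fully quoted) can be run over a request.inf before calling certreq. The script below is an added example, not code from the thread or from Microsoft; the INF sample embedded in it is constructed and reproduces the mistakes posted above.

```python
"""Sanity-check a certreq request.inf for an LDAPS server certificate.
Added example, not from the thread: Subject must be CN=<DC FQDN> (not an LDAP
DN path), Server Authentication EKU present, Signature quoted. Sample is constructed."""
import re

SERVER_AUTH_OID = "1.3.6.1.5.5.7.3.1"
FQDN_RE = re.compile(r"^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z][a-z0-9-]{1,62}$", re.I)

def parse_inf(text):
    """Minimal INF reader: {section: [(key, value), ...]}; ';' starts a comment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, [])
        elif "=" in line and current is not None:
            key, value = (s.strip() for s in line.split("=", 1))
            sections[current].append((key, value))
    return sections

def check_request_inf(text):
    """Return a list of problems; an empty list means the INF passes these checks."""
    inf, problems = parse_inf(text), []
    if dict(inf.get("Version", [])).get("Signature") != '"$Windows NT$"':
        problems.append('[Version] Signature must be exactly "$Windows NT$" (closing quote too)')
    new = dict(inf.get("NewRequest", []))
    rdns = [r.strip() for r in new.get("Subject", "").strip('"').split(",") if r.strip()]
    cn = re.fullmatch(r"CN=(.+)", rdns[0], re.I) if rdns else None
    if cn is None or not FQDN_RE.match(cn.group(1)):
        problems.append("Subject must start with CN=<DC FQDN>, e.g. CN=dc01.corp.example.net")
    if any(r.upper().startswith("DC=") for r in rdns):
        problems.append("Subject has DC= components: that is an LDAP DN path, not a host name")
    ekus = [v for k, v in inf.get("EnhancedKeyUsageExtension", []) if k.upper() == "OID"]
    if SERVER_AUTH_OID not in ekus:
        problems.append(f"[EnhancedKeyUsageExtension] needs OID={SERVER_AUTH_OID} (Server Authentication)")
    ext_keys = [k for k, _ in inf.get("Extensions", [])]
    if ext_keys and ext_keys[0] == "_continue_":
        problems.append("[Extensions] _continue_ only continues a preceding OID= line; O/L/S/E are Subject RDNs")
    return problems

# Constructed sample with the thread's mistakes: DN path in Subject, unterminated Signature.
SAMPLE_BAD = """[Version]
Signature="$Windows NT$
[NewRequest]
Subject = "CN=dc001,dc=corp,dc=example,dc=net"
[Extensions]
_continue_ = "EMail=user@example.net&"
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
"""
```

    check_request_inf(SAMPLE_BAD) reports four findings; run it over a real file with check_request_inf(open("request.inf").read()) and fix the INF until the list is empty.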
  • Hi blenderONE,

    Can you elaborate on how you got this working?

    I need to do the same, but I can't wrap my head around all the info in the Microsoft KBs and other stuff on the internet.

    Many thanks,

    Koenraad.

    Tuesday, June 19, 2012 3:30 PM