Can't enable LDAPS on Windows 2008 R2 domain controller

    Question

  • I tried to enable LDAPS on a Windows 2008 R2 domain controller and I did the following:

    1. Used certreq to generate a certificate request and submitted it to our internal CA team.

    2. I got a server certificate and also the internal CA root certificate.

    3. I imported the internal CA root certificate into the store Local Computer\Trusted Root Certification Authorities. Then I imported the server certificate into the store Service\Local Computer\NTDS\Personal. Both certificates imported without issue. I checked the certificates after importing them and found no issue.

    4. I used ldp.exe to try to make an LDAPS connection on port 636 but got the error:

    Error <0x51>: Fail to connect

    I checked the system event log on the domain controller and found event 36886 logged as follows:

    No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

    It seems the service can't find the server certificate, but I did install it. Any suggestions?


    Tuesday, March 29, 2011 10:10 PM

Answers

All replies

  • Hi.


    I'm fairly certain that you have to put it in the Certificates for the "Computer Account" and then the Personal folder.

    *Edit this KB explains it and verifies my initial comment http://support.microsoft.com/kb/321051*


    Oscar Virot
    • Edited by Oscar Virot Tuesday, March 29, 2011 10:17 PM added link to source
    • Proposed as answer by Oscar Virot Tuesday, March 29, 2011 10:59 PM
    • Unproposed as answer by Oscar Virot Thursday, March 31, 2011 9:26 PM
    Tuesday, March 29, 2011 10:14 PM
  • The server cert should be here:

    Certificates (Local Computer)\Personal\Certificates

    If you do not have a certificates folder under personal, it's because it gets created when you import your first certificate into the personal folder.  So, right click the Personal "folder" and select "All Tasks" -> "Import" and browse to the certificate you need.

    Let me know if this works.  If it doesn't we'll ask for some more info :)

    Thanks!

    Tuesday, March 29, 2011 10:49 PM
  • Thanks for the reply.

    First of all, I tried to put the server certificate under Local Computer\Personal but the same error message was still returned.

    Second, the reason why I put it under the Service\Local Computer\NTDS\Personal store in the first place is based on this article:

    http://technet.microsoft.com/en-us/library/cc725767(WS.10).aspx

    It is supposed to be an improvement for Windows 2008 AD.

    Anyway, the bottom line is I tried putting the certificate in either location but both returned the same error. I don't know why the system can't find the certificate. Is it permission related?

    Wednesday, March 30, 2011 5:24 PM
  • Sweet, thanks for the link.  Learned something new!  This is listed for ADLDS though.  Are you trying to get this to work on an ADLDS server or a domain controller?  I just want to make sure we are clear.

    Also, what file extension does the file have that you are importing?

    Wednesday, March 30, 2011 5:46 PM
  • I'm also not aware of the Service\...\NTDS store option for AD.

    What names are listed on the cert both in the subject field and the subject alternate name field? AD won't use the cert if it doesn't find the local host name in the subject or first subject alternate name field.


    My Book - Active Directory, 4th Edition
    My Blog - www.briandesmond.com
    Wednesday, March 30, 2011 7:06 PM
  • That TechNet article is for LDS but I think it should be similar for DS. So I chose "Active Directory Service" when adding the certificate add-on instead of the LDS service. So for Sean's question, I am working on DS, not LDS.

    The error message is very straightforward: the server cannot find a proper server certificate. So I am thinking maybe the certificate is not created correctly.

    As http://support.microsoft.com/kb/321051 mentioned, I need to enter the FQDN in the request.inf. So here is the question. Normally a distinguished name for a DC would look like

    CN=dc01,OU=Domain Controllers,DC=subdomain,DC=rootdomain

    But when creating an LDAPS connection, the target server is specified using the FQDNS name, which in this example would be dc01.subdomain.rootdomain

    My understanding is that the certificate is associated with the name. So which name should I really enter in request.inf?

    I tried CN=dc01,OU=Domain Controllers,DC=subdomain,DC=rootdomain, and found that when the certificate is created, it only takes the CN. In other words, if I open the certificate, "Issued to" is just dc01. I was expecting that to be a FQDN or FQDNS name.

    Brian, for your question, I found there is a subject alternative name field in the certificate. The subject field value is CN=dc01

    Suggestion?


    Wednesday, March 30, 2011 8:36 PM
  • Hi.

    KB321051 states that "CN=fqdn" which gives "CN=dc01.subdomain.rootdomain".


    Oscar Virot
    Wednesday, March 30, 2011 8:48 PM
  • Stick with the typical FQDN, so use CN=DC.domain.com.  Let us know how that works for you!

    If it does not, please export the certificate in DER format (the extension will be .cer).  The private key is not necessary.  Then, open a command prompt and run:

    certutil -verify -urlfetch c:\cert\cert.cer >verify.txt (or where ever you exported it to)

    Then upload the information in the verify.txt file.

    Thanks!

    Thursday, March 31, 2011 2:28 PM
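The advice above (CN set to the DC's FQDN, certificate in the Local Computer Personal store) can be turned into a repeatable request. The following is an added example, not code from the thread or from Microsoft: it writes a certreq request.inf modelled on the KB321051 layout, with the FQDN as the CN and again as a Subject Alternative Name entry, keeps the private key in the machine key container so that the issued certificate can be bound to it, and shows the certreq commands. The `{text}` SAN syntax assumes the Windows Server 2008 certreq; the host name, domain name and C:\cert path are placeholders taken from the thread's example names.

```powershell
# Added example, not code from the thread: builds a certreq request.inf with the
# DC's FQDN as the CN and as a SAN entry (plus the domain name), keeps the key in
# the machine store, and runs certreq. Run elevated on the DC itself.
# Host and path values are placeholders based on the thread's example names.

$fqdn      = 'dc01.subdomain.rootdomain'   # the DC's DNS host name, as typed into ldp.exe
$domainDns = 'subdomain.rootdomain'        # lets the cert also cover <domain>:636 lookups
$workDir   = 'C:\cert'
New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Backticks keep PowerShell from expanding $Windows and $ inside the here-string.
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
; Subject CN must be the FQDN, not the AD distinguished name of the computer object
Subject = "CN=$fqdn"
; KeySpec 1 = AT_KEYEXCHANGE, needed for Schannel key exchange
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
; MachineKeySet TRUE puts the private key in the Local Computer key container,
; which is where a cert in Certificates (Local Computer)\Personal expects it
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
; 0xa0 = digitalSignature + keyEncipherment
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; 2.5.29.17 = Subject Alternative Name; "&" separates entries
2.5.29.17 = "{text}"
_continue_ = "dns=$fqdn&"
_continue_ = "dns=$domainDns&"
"@
Set-Content -Path "$workDir\request.inf" -Value $inf -Encoding ASCII

# Generates the key pair in the machine store and writes the PKCS#10 request.
certreq -new "$workDir\request.inf" "$workDir\request.req"

# Hand request.req to the CA. When the issued cert.cer comes back, accept it with
# certreq rather than importing it through the MMC: -accept pairs the certificate
# with the pending private key, so the "no private key information property"
# condition behind event 36869 does not arise.
# certreq -accept "$workDir\cert.cer"

# Quick check that the cert landed in the right store with its key attached:
# Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Subject -eq "CN=$fqdn" } |
#     Format-List Subject, HasPrivateKey, NotAfter
```

The two settings that matter most for the symptoms in this thread are `Subject = "CN=<fqdn>"` and `MachineKeySet = TRUE`: the first gives Schannel the name it looks for, the second keeps the private key where a certificate in the Local Computer Personal store can find it. Completing the enrolment with `certreq -accept` instead of a manual import is what keeps the certificate and key paired.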
  • I recreated the certificate using dc01.subdomain.rootdomain as value for CN in request.inf.

    Then I found that if I add it into services\ntds\personal, the error is the same: event 36886, the system can't find the certificate.

    So I deleted the certificate from the service store and imported it into the traditional location localcomputer\personal. Then I found the error message changed. Now 36886 and 36869 come as a pair. Following are the details:

    Event 36869

    The SSL server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.

    Event 36886

    No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.

    I also did the certificate verification as Sean suggested and the following is the result:

    Issuer:
        E=isg@corporate.ca
        CN=Corp root signing certificate
        OU=Corporate Services - IT
        O=Corp
        L=Toronto
        S=Ontario
        C=CA
    Subject:
        CN=dc01.subdomain.rootdomain
    Cert Serial Number: 6b

    dwFlags = CA_VERIFY_FLAGS_CONSOLE_TRACE (0x20000000)
    dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
    ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
    HCCE_LOCAL_MACHINE
    CERT_CHAIN_POLICY_BASE
    -------- CERT_CHAIN_CONTEXT --------
    ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

    SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
    SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

    CertContext[0][0]: dwInfoStatus=101 dwErrorStatus=40
      Issuer: E=isg@corporate.ca, CN=Corp root signing certificate, OU=Corporate Services - IT, O=Corp, L=Toronto, S=Ontario, C=CA
      NotBefore: 31/03/2011 1:35 PM
      NotAfter: 27/09/2011 1:35 PM
      Subject: CN=dc01.subdomain.rootdomain
      Serial: 6b
      66 1b b6 99 db 91 16 c1 55 93 f4 cc e5 3e b3 51 6d 47 6d a5
      Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
      --------------------------------

    CertContext[0][1]: dwInfoStatus=109 dwErrorStatus=0
      Issuer: E=isg@corporate.ca, CN=Corp root signing certificate, OU=Corporate Services - IT, O=Corp, L=Toronto, S=Ontario, C=CA
      NotBefore: 23/02/2004 3:34 PM
      NotAfter: 20/02/2014 3:34 PM
      Subject: E=isg@corporate.ca, CN=Corp root signing certificate, OU=Corporate Services - IT, O=Corp, L=Toronto, S=Ontario, C=CA
      Serial: 00
      df a9 f3 a8 6f 18 f0 95 92 54 66 8a 39 67 f7 45 9f a2 ff ef
      Element.dwInfoStatus = CERT_TRUST_HAS_EXACT_MATCH_ISSUER (0x1)
      Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
      Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
      ----------------  Certificate AIA  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate CDP  ----------------
      No URLs "None" Time: 0
      ----------------  Certificate OCSP  ----------------
      No URLs "None" Time: 0
      --------------------------------

    Exclude leaf cert:
      66 1b b6 99 db 91 16 c1 55 93 f4 cc e5 3e b3 51 6d 47 6d a5
    Full chain:
      d8 00 f1 da da c9 71 82 d0 1c 23 49 2a bd 18 10 9b 60 d7 36
      Issuer: E=isg@corporate.ca, CN=Corp root signing certificate, OU=Corporate Services - IT, O=Corp, L=Toronto, S=Ontario, C=CA
      NotBefore: 31/03/2011 1:35 PM
      NotAfter: 27/09/2011 1:35 PM
      Subject: CN=dc01.subdomain.rootdomain
      Serial: 6b
      66 1b b6 99 db 91 16 c1 55 93 f4 cc e5 3e b3 51 6d 47 6d a5
    The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614)
    ------------------------------------
    Revocation check skipped -- no revocation information available
    Cert is an End Entity certificate
    Cannot check leaf certificate revocation status
    CertUtil: -verify command completed successfully.

    I saw there are a few errors reported in the results. Could they be the root cause? The certificate is issued by our internal CA team. I just supply them the request file. I also have their CA root certificate installed in the "local computer\Trusted Root Certification Authorities" store. Suggestions?

    Thursday, March 31, 2011 7:27 PM
  • Fixed.

    I followed the steps in this article to repair the certificate and now it is working:

    http://www.folin.se/index.php/2007/12/05/the-ssl-server-credentials-certificate-does-not-have-a-private-key-information-property-attached-to-it-page-cannot-be-displayed-event-source-schannel-event-id-36869/michaelfolin

    So the summary is: use the FQ DNS name as the value for CN in the request file; the certificate has to be placed in the "local computer\personal" store. The service account store might only apply to LDS, not DS.

    Thanks for your help, guys.

    James Lin

    • Marked as answer by blueinjazz Thursday, March 31, 2011 7:41 PM
    Thursday, March 31, 2011 7:41 PM
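The thread ends up identifying four things Schannel needs before it will serve LDAPS on a DC: a certificate in the Local Computer Personal store, a subject or SAN carrying the DC's FQDN, a private key actually bound to that certificate (the event 36869 condition), and a chain to a root in Trusted Root Certification Authorities. The script below is an added example, not code from the thread or from the linked article: it walks every certificate in Cert:\LocalMachine\My, reports which of those conditions each one fails, and finishes with a TLS handshake against port 636 from the client side. The `certutil -repairstore my <serial>` hint it prints for a key-less certificate is the standard certutil command for re-attaching the private key property; it is offered here as my suggestion, not as a summary of the linked article. It assumes an elevated PowerShell on the DC and an English locale for the SAN label text.

```powershell
# Added example, not code from the thread: checks the conditions this thread found
# Schannel needs for LDAPS, then tries a TLS handshake on 636. Run elevated on the DC.
# Assumes an English locale (the "DNS Name=" label below is localised on other systems).

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'

function Get-SanDnsNames([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert) {
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) { return @() }
    # Format($false) renders e.g. "DNS Name=dc01.subdomain.rootdomain, DNS Name=subdomain.rootdomain"
    ($san.Format($false) -split ',\s*') | ForEach-Object {
        if ($_ -match '^DNS Name=(.+)$') { $Matches[1].Trim() }
    }
}

function Test-DcCertificate([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert, [string]$fqdn) {
    $problems = @()

    # 1. Name: the host name must be in the subject CN or in the SAN.
    $cnMatches  = $cert.Subject -match ('^CN=' + [regex]::Escape($fqdn) + '(,|$)')
    $sanMatches = (Get-SanDnsNames $cert) -contains $fqdn
    if (-not ($cnMatches -or $sanMatches)) { $problems += "neither CN nor SAN contains $fqdn" }

    # 2. Private key: missing here is exactly the event 36869 condition.
    if (-not $cert.HasPrivateKey) {
        $problems += "no private key bound (event 36869); try: certutil -repairstore my `"$($cert.SerialNumber)`""
    }

    # 3. EKU: if an EKU extension is present it must include Server Authentication.
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if ($eku) {
        $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        if (-not ($ekuOids -contains $serverAuthOid)) { $problems += 'EKU present but lacks Server Authentication' }
    }

    # 4. Chain to a root in Trusted Root Certification Authorities. Revocation is not
    #    checked: the thread's CA publishes no CDP/AIA, and the DC does not need a
    #    revocation check to present its own certificate.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $problems += "chain does not build to a trusted root: $status"
    }

    # 5. Validity window.
    $now = Get-Date
    if ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now) { $problems += 'outside validity period' }

    return $problems
}

function Test-LdapsHandshake([string]$hostName) {
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($hostName, 636)
        $tls = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $tls.AuthenticateAsClient($hostName)   # throws if the DC presents nothing, or an untrusted cert
        $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
        return "$($tls.SslProtocol) handshake OK, server presented $($presented.Subject)"
    } finally {
        $client.Close()
    }
}

$certs = @(Get-ChildItem Cert:\LocalMachine\My)
if ($certs.Count -eq 0) { Write-Warning 'Cert:\LocalMachine\My is empty; Schannel has nothing to choose from' }
foreach ($c in $certs) {
    $p = @(Test-DcCertificate $c $fqdn)
    if ($p.Count -eq 0) { Write-Host "OK    $($c.Subject) (serial $($c.SerialNumber))" }
    else                { Write-Host "SKIP  $($c.Subject): $($p -join '; ')" }
}

try   { Write-Host (Test-LdapsHandshake $fqdn) }
catch { Write-Warning "LDAPS handshake on ${fqdn}:636 failed: $($_.Exception.Message)" }
```

Read the output the way Schannel would: a certificate marked OK is one it can pick up as the default server credential; a SKIP line names the first reason it would be passed over, which maps directly onto the events in this thread (a name mismatch or empty store gives 36886 alone, a key-less certificate gives 36869 and 36886 together). The handshake at the end is the same check ldp.exe performs on port 636, but it also reports which certificate the DC actually chose.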