Solved

Configure LDAPS

Posted on 2013-06-04
843 Views
Last Modified: 2013-07-06
Experts,

I'm trying to configure secure LDAP for authentication for cloud services using port 636.  I am trying to issue the certificate on a 2003 Server that is the DC and is running certificate services.  I came across this article: http://support.microsoft.com/default.aspx?scid=kb;EN-US;321051, which I have tried to complete.  I get an error when trying to accept the certificate.  It says: Certificate Request Processor: Cannot find object or property. 0x80092004.  I have also attached the .inf file used to generate the cert request.  Any advice or direction is much appreciated.  Not sure where I goofed.  Thanks
request.txt
0
Question by:admintj06
7 Comments
 
LVL 37

Expert Comment

by:Jian An Lim
ID: 39221627
It is a certificate-related question ...

Did you submit the request to a CA?
Which CA did you use? Internal or external?
If internal CA, do you own it?

The Certnew.cer is the OUTPUT from the CA...
0
 

Author Comment

by:admintj06
ID: 39221745
Yes, it is a certificate issue.  The request was issued to an internal CA (as noted initially).  The internal CA is a Windows 2003 server running Certificate Services.
0
 
LVL 64

Expert Comment

by:btan
ID: 39222438
The server must have a certificate stored in the local machine store that meets the following criteria:

Certificate contains the Server Authentication OID: 1.3.6.1.5.5.7.3.1
The Subject name or the first name in the SAN must match the FQDN of the host machine.
The certificate passes the chaining validation test.
The host machine account has access to the private key.

Troubleshooting LDAP Over SSL
http://blogs.technet.com/b/askds/archive/2008/03/13/troubleshooting-ldap-over-ssl.aspx

There is also a mention of the Primary DNS suffix.
http://social.technet.microsoft.com/Forums/en-US/configmgribcm/thread/e09a36ca-6b60-4b54-9607-42c60efe590b

Also I suggest you run through these useful articles:

Overall - LDAP over SSL (LDAPS) Certificate
http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

Request a computer certificate for server authentication (step by step)
http://technet.microsoft.com/en-us/library/cc740173%28WS.10%29.aspx
0
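The four criteria in the comment above can be checked against every certificate in the DC's Personal store before touching LDAPS. The following PowerShell is an added example, not code from the thread or from the linked Microsoft articles. It assumes an elevated PowerShell 2.0 (or later) session on the domain controller itself, that the host FQDN resolves via DNS, and that the SAN extension's multi-line text rendering labels DNS entries as "DNS Name=..." (the English-locale format); the function names Get-SubjectCN and Get-FirstSanDnsName are this example's own.

```powershell
# Added example: report which certificates in Cert:\LocalMachine\My satisfy
# the LDAPS requirements (Server Authentication EKU, name matches host FQDN,
# chain builds, private key linked). Assumes elevated PowerShell 2.0+ on the DC.

$fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$sanOid        = '2.5.29.17'           # subjectAltName

function Get-SubjectCN([System.Security.Cryptography.X509Certificates.X509Certificate2] $cert) {
    # Simple RDN split; adequate for the "CN=<fqdn>, DC=..." subjects a DC certificate carries
    $rdn = $cert.Subject -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ -like 'CN=*' } | Select-Object -First 1
    if ($rdn) { return $rdn.Substring(3) } else { return '' }
}

function Get-FirstSanDnsName([System.Security.Cryptography.X509Certificates.X509Certificate2] $cert) {
    # Assumption: Format($true) renders the SAN as one "DNS Name=<name>" entry per line
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid } | Select-Object -First 1
    if (-not $ext) { return '' }
    $firstLine = ($ext.Format($true) -split "`r?`n")[0]
    return ($firstLine -replace '^DNS Name=', '').Trim()
}

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # 1. Enhanced Key Usage must include Server Authentication
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        Select-Object -First 1
    $serverAuth = $false
    if ($ekuExt) {
        foreach ($oid in $ekuExt.EnhancedKeyUsages) { if ($oid.Value -eq $serverAuthOid) { $serverAuth = $true } }
    }

    # 2. Subject CN or the first SAN DNS name must equal the host FQDN (-eq is case-insensitive)
    $cn  = Get-SubjectCN $cert
    $san = Get-FirstSanDnsName $cert
    $nameOk = ($cn -eq $fqdn) -or ($san -eq $fqdn)
    $name = if ($san) { $san } else { $cn }

    # 3. The chain must build to a trusted root (revocation checking left at the default)
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    # 4. A private key must be linked; whether the machine can actually open it is an ACL question
    $keyOk = $cert.HasPrivateKey

    New-Object PSObject -Property @{
        Thumbprint = $cert.Thumbprint
        Name       = $name
        ServerAuth = $serverAuth
        NameMatch  = $nameOk
        ChainOk    = $chainOk
        PrivateKey = $keyOk
        LdapsReady = ($serverAuth -and $nameOk -and $chainOk -and $keyOk)
    }
}

"Host FQDN: $fqdn"
$report | Select-Object Thumbprint, Name, ServerAuth, NameMatch, ChainOk, PrivateKey, LdapsReady | Format-Table -AutoSize
```

A row with ChainOk false usually means the issuing CA's certificate is missing from the Root or CA store, which is the "make sure your CA certs are trusted" step later in the thread; a row with every column true but LDAPS still failing points at the private key permissions rather than the certificate itself.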
 
LVL 31

Expert Comment

by:Paranormastic
ID: 39230703
The .inf looks OK, although you don't really need the last couple of lines for the enhanced key usage extension & the OID - that should be provided by your certificate template & providing it in the request can sometimes be problematic.

When running certreq -accept filename.cer make sure you are running from an elevated admin cmd box.

Instead of using the certreq -accept method you can also try doing this (also from an elevated admin cmd box):
certutil -addstore my filename.cer
certutil -dump filename.cer | findstr /i /c:"serial"
(copy the serial number value)
certutil -repairstore my PASTE_SERIAL_NUMBER

Also make sure your CA certs are trusted:
certutil -addstore root root.cer
certutil -addstore ca non-root-ca.cer

If there are still problems, do a general sanity check - check the validity period & name on the certificate.  Also check the same on the box you are installing to. Remember to check the month & year as well when checking the time.  Check that the name specified in the CN value is valid for this box, including the DNS suffix.

If it is still giving you problems, check your event logs too and post back.
0
 

Accepted Solution

by:admintj06 earned 0 total points
ID: 39239920
Thanks for all of the comments and suggestions.  I believe I was doing everything correctly.  I also had a certificate for the domain controller already issued and after digging further, found the ACLs on the private keys were completely empty.  After resetting those, everything worked properly.
0
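The root cause in the accepted solution was an empty ACL on the private key file, which none of the certificate-level checks reveal. The PowerShell below is an added example, not the author's own fix or code from the thread; it lists the NTFS ACL on the key file behind each machine certificate and offers a function to re-grant the default principals. It assumes CSP (CAPI) keys as on Server 2003, an elevated PowerShell 2.0 (or later) session on the DC, and that key blobs live in the standard MachineKeys folder; the names Get-MachineKeyFile and Grant-SystemFullControl are this example's own.

```powershell
# Added example: show the ACL on each machine certificate's private key file so
# an empty or incomplete ACL (the cause in the accepted solution) is visible.
# Assumes CSP keys under the standard MachineKeys folder and elevated PowerShell 2.0+.

$keyDirs = @()
if ($env:ProgramData)     { $keyDirs += Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys' }                          # Vista/2008 and later
if ($env:ALLUSERSPROFILE) { $keyDirs += Join-Path $env:ALLUSERSPROFILE 'Application Data\Microsoft\Crypto\RSA\MachineKeys' }     # Server 2003

function Get-MachineKeyFile([System.Security.Cryptography.X509Certificates.X509Certificate2] $cert) {
    # UniqueKeyContainerName is the file name of the key blob under MachineKeys (CSP keys only)
    $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
    foreach ($dir in $keyDirs) {
        $candidate = Join-Path $dir $keyName
        if (Test-Path $candidate) { return $candidate }
    }
    return $null
}

function Grant-SystemFullControl([string] $keyFile) {
    # Re-grant the principals the OS normally places on a machine key:
    # SYSTEM and Administrators with Full Control. Leaves any existing entries in place.
    $acl = Get-Acl $keyFile
    foreach ($who in 'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators') {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($who, 'FullControl', 'Allow')
        $acl.SetAccessRule($rule)
    }
    Set-Acl -Path $keyFile -AclObject $acl
}

$full = [System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    if (-not $cert.HasPrivateKey) { continue }
    try   { $keyFile = Get-MachineKeyFile $cert }
    catch { Write-Warning "$($cert.Thumbprint): cannot read key container ($_)"; continue }
    if (-not $keyFile) { Write-Warning "$($cert.Thumbprint): key file not found under MachineKeys"; continue }

    $rules = @((Get-Acl $keyFile).Access)
    # LSASS runs as LocalSystem, so SYSTEM needs Full Control to open the key for LDAPS
    $systemOk = @($rules | Where-Object {
        $_.IdentityReference.Value -eq 'NT AUTHORITY\SYSTEM' -and
        $_.AccessControlType -eq 'Allow' -and
        (($_.FileSystemRights -band $full) -eq $full)
    }).Count -gt 0

    "== $($cert.Subject)  [$($cert.Thumbprint)]"
    "   key file: $keyFile"
    if ($rules.Count -eq 0) {
        "   ACL is EMPTY: no principal, including LocalSystem, can open this key"
    } elseif (-not $systemOk) {
        "   SYSTEM lacks Full Control: LDAPS cannot use this key"
    } else {
        "   SYSTEM has Full Control"
    }
    $rules | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize | Out-String

    # Repair step, disabled by default: run it only for the thumbprint that is the DC certificate
    # Grant-SystemFullControl $keyFile
}
```

Run the inspection first and compare the thumbprint against the certificate you intend LDAPS to use; only then re-grant the ACL on that one key file, either with the function above or by the certutil -repairstore route suggested earlier in the thread.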
 
LVL 64

Expert Comment

by:btan
ID: 39250018
Thanks for sharing. Hope we have helped much.
0
 

Author Closing Comment

by:admintj06
ID: 39303727
Resolved problem.
0
