Solved

Configure LDAPS

Posted on 2013-06-04
804 Views
Last Modified: 2013-07-06
Experts,

I'm trying to configure secure LDAP for authentication for cloud services using port 636.  I am trying to issue the certificate on a 2003 Server that is the DC and is running certificate services.  I came across this article: http://support.microsoft.com/default.aspx?scid=kb;EN-US;321051, which I have tried to complete.  I get an error when trying to accept the certificate.  It says: Certificate Request Processor: Cannot find object or property. 0x80092004.  I have also attached the .inf file used to generate the cert request.  Any advice or direction is much appreciated.  Not sure where I goofed.  Thanks
request.txt
Question by:admintj06
7 Comments
 
LVL 36

Expert Comment

by:Jian An Lim
It is a certificate-related question ...

Did you submit the request to a CA?
Which CA did you use? Internal or external?
If it is an internal CA, do you own it?

The Certnew.cer is the OUTPUT from the CA...
 

Author Comment

by:admintj06
Yes, it is a certificate issue.  The request was issued to an internal CA (as noted initially).  The internal CA is a Windows 2003 server running Certificate Services.
 
LVL 61

Expert Comment

by:btan
The server must have a certificate stored in the local machine store that meets the following criteria:

Certificate Contains the Server Authentication OID: 1.3.6.1.5.5.7.3.1
The Subject name or the first name in the SAN must match the FQDN of the host machine.
The Certificate passes the chaining validation test.
The host machine account has access to the private key

Troubleshooting LDAP Over SSL
http://blogs.technet.com/b/askds/archive/2008/03/13/troubleshooting-ldap-over-ssl.aspx

The Primary DNS suffix is also mentioned here:
http://social.technet.microsoft.com/Forums/en-US/configmgribcm/thread/e09a36ca-6b60-4b54-9607-42c60efe590b

Also, I suggest you run through these useful articles:

Overall - LDAP over SSL (LDAPS) Certificate
http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

Request a computer certificate for server authentication (step by step)
http://technet.microsoft.com/en-us/library/cc740173%28WS.10%29.aspx
 
LVL 31

Expert Comment

by:Paranormastic
The .inf looks OK, although you don't really need the last couple of lines for the enhanced key usage extension & the OID - that should be provided by your certificate template, & providing it in the request can sometimes be problematic.

When running certreq -accept filename.cer make sure you are running from an elevated admin cmd box.

Instead of using the certreq -accept method, you can also try doing this (also from an elevated admin cmd box):
certutil -addstore my filename.cer
certutil -dump filename.cer | findstr /i /c:"serial"
(copy the serial number value)
certutil -repairstore my PASTE_SERIAL_NUMBER

Also make sure your CA certs are trusted:
certutil -addstore root root.cer
certutil -addstore ca non-root-ca.cer

If there are still problems, do a general sanity check: check the validity period & name on the certificate.  Also check the same on the box you are installing to. Remember to check the month & year as well when checking the time.  Check that the name specified in the CN value is valid for this box, including the DNS suffix.

If it's still giving you problems, check your event logs too and post back.
 

Accepted Solution

by:admintj06 (earned 0 total points)
Thanks for all of the comments and suggestions.  I believe I was doing everything correctly.  I also had a certificate for the domain controller already issued and after digging further, found the ACLs on the private keys were completely empty.  After resetting those, everything worked properly.
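As an added example (not code from the thread or from Microsoft), the following PowerShell walks the local machine store and reports, per certificate, the four LDAPS criteria from btan's list together with the private-key ACL that turned out to be empty in the accepted answer. It assumes PowerShell 3.0 or later with the PKI module (Test-Certificate), i.e. Server 2012 rather than the 2003 box in the question, and CAPI/RSA keys stored under MachineKeys; CNG keys are skipped.

```powershell
# Added check script (not from the thread). Reports, per certificate in the machine
# store, the four LDAPS criteria from btan's list plus the private-key ACL that was
# empty in the accepted answer. Assumes PowerShell 3.0+ on Server 2012 or later
# (Test-Certificate from the PKI module) and CAPI/RSA keys under MachineKeys.
$fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$keyDir        = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # 1. Server Authentication EKU present
    $hasEku = [bool]($cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid })

    # 2. Subject CN, or the first DNS SAN, equals the host FQDN
    $cn = ($cert.Subject -split ',\s*' | Where-Object { $_ -like 'CN=*' } |
           Select-Object -First 1) -replace '^CN=', ''
    $firstSan = ($cert.DnsNameList | Select-Object -First 1).Unicode
    $nameOk = ($cn -eq $fqdn) -or ($firstSan -eq $fqdn)

    # 3. Chain validates to a trusted root under the SSL policy with the server-auth EKU
    $chainOk = [bool](Test-Certificate -Cert $cert -Policy SSL -EKU $serverAuthOid `
                                       -DNSName $fqdn -ErrorAction SilentlyContinue)

    # 4. Machine account (SYSTEM, S-1-5-18) holds an Allow ACE on the private-key file.
    #    An empty ACL here is exactly what the accepted answer found.
    $keyOk = $false
    try {
        if ($cert.HasPrivateKey -and $cert.PrivateKey) {
            $keyFile = Join-Path $keyDir $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            if (Test-Path $keyFile) {
                $keyOk = [bool]((Get-Acl $keyFile).Access | Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-5-18'
                })
            }
        }
    } catch { $keyOk = $false }   # CNG-stored keys throw here; they are not covered by this check

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        ServerAuthEku = $hasEku
        NameMatches   = $nameOk
        ChainValid    = $chainOk
        SystemHasKey  = $keyOk
        LdapsReady    = $hasEku -and $nameOk -and $chainOk -and $keyOk
    }
}
```

Run it from an elevated prompt, since reading the MachineKeys ACLs requires administrative rights; a row with SystemHasKey false and the other three true is the symptom described in the accepted answer.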
 
LVL 61

Expert Comment

by:btan
Thanks for sharing. Hope we have helped much.
 

Author Closing Comment

by:admintj06
Resolved problem.