SSL Setup for Active Directory

Manoj

Sir,
To enable SSL with Active Directory I followed the procedure
mentioned on Microsoft's site, viz. "HOW TO: Enable Secure Socket Layer
(SSL) Communication Over LDAP For Windows 2000 Domain Controllers"
[http://support.microsoft.com/default.aspx?scid=kb;en-us;247078]

Enabling SSL:
---------------------
1. Install an Enterprise Certificate Authority on a Windows 2000 server. All
Domain Controllers in the forest will automatically enroll for and install
the appropriate certificate.
2. Open the Default Domain Controller Policy using the Group Policy Editor.
3. Under Computer Configuration, click Windows Settings.
4. Click Security Settings, and then click Public Key Policies.
5. Click Automatic Certificate Request Settings.
6. Use the wizard to add a policy for Domain Controllers.

But after all these steps, to my surprise I found that when I connected to
port 636 using ldp.exe the connection failed, while the connection to LDAP
port 389 is successful.

Looking forward to your speedy help on this issue.

Thanks,

with hope,

Manoj S P
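The six steps above are what the KB article has you configure; what they are supposed to produce is a certificate in the domain controller's machine store that Schannel can select for port 636. The following PowerShell check is added here and is not part of the original post or of the KB article. Run on the DC, it lists every certificate in LocalMachine\My and tests the properties an LDAPS server certificate needs: a private key, the Server Authentication EKU, a DNS name equal to the DC's FQDN, current validity, and a chain that builds to a root the machine trusts. It assumes it is run on the DC itself and reads the FQDN from the local host; set $Fqdn by hand to test another name. The property names are those of the .NET X509 classes and of PowerShell's Cert: drive, not anything from the thread.

```powershell
# Added example; not code from the original thread or the KB article.
# Run on the domain controller after the six enrollment steps. Lists every
# certificate in the machine store and checks the properties Schannel needs
# to pick one for LDAPS: private key, Server Authentication EKU, a DNS name
# equal to the DC's FQDN, validity, and a chain that builds to a trusted root.
# Assumption: the FQDN is read from the local host; set $Fqdn by hand to
# test a different name.

$Fqdn          = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-ServerAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # 2.5.29.37 = extendedKeyUsage; .NET surfaces it as X509EnhancedKeyUsageExtension
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku) { return $false }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
}

function Get-ChainResult {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust path only; CRL reachability is a separate question
    $builds = $chain.Build($Cert)
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    [pscustomobject]@{ Builds = $builds; Status = $status }
}

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $chain = Get-ChainResult $cert
    # DnsNameList is added by PowerShell's Cert: drive: SAN dNSName entries, or the CN
    $names = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuth    = Test-ServerAuthEku $cert
        NameMatches   = ($names -contains $Fqdn)
        ChainBuilds   = $chain.Builds
        ChainStatus   = $chain.Status
    }
}

$report | Format-Table Thumbprint, HasPrivateKey, ServerAuth, NameMatches, ChainBuilds, ChainStatus -AutoSize

$usable = $report | Where-Object {
    $_.HasPrivateKey -and $_.ServerAuth -and $_.NameMatches -and $_.ChainBuilds -and $_.NotAfter -gt (Get-Date)
}
if ($usable) {
    "Certificate(s) usable for LDAPS as ${Fqdn}:"
    $usable | Format-List Thumbprint, Subject, Issuer, NotAfter
} else {
    "No certificate in LocalMachine\My meets every LDAPS requirement for ${Fqdn}."
    "Re-check auto-enrollment (gpupdate /force, then certutil -pulse) and the CA's Domain Controller template."
}
```

If the table shows a certificate with ServerAuth and HasPrivateKey true but NameMatches false, the enrollment worked and the problem is the name being used by the client; if ChainBuilds is false, the issuing CA's certificate is not in the machine's trusted stores, which is the same trust-path failure a client would see.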
 
There are a few possibilities. One is that the policy hasn't been applied
yet. The other is that there are client-side checks that need to be
satisfied before the connection can be established. In particular, the name
you specify to connect to must be in the server certificate the server
provides during the SSL handshake. When using ldp, did you put the full DNS
name of the server when you specified the server to contact? The other
condition is that the server certificate returned must be trusted through a
trusted CA path. If you are running ldp on the DC, the CA path for your CA
should be installed. If you are using another client, you may need to
install it.

J
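A client-side way to see which of the two checks named in this reply is failing, the name match or the trust path, is to run the TLS handshake against the DC's port 636 with .NET's SslStream and record what its certificate validator reports. The script below is an added example and not part of the original thread; dc1.example.com is a placeholder for the DC's full DNS name, and the validator deliberately accepts every certificate so that the verdict can be printed rather than acted on.

```powershell
# Added example; not code from the original thread. Diagnoses an LDAPS
# connection from the client side: which of the two client checks (name
# match, trust path) failed, or whether the server dropped the handshake.
# Assumption: $Server is the DC's full DNS name (placeholder below).
param(
    [string]$Server = 'dc1.example.com',
    [int]$Port = 636
)

$script:PolicyErrors = [System.Net.Security.SslPolicyErrors]::None
$script:ChainStatus  = @()

# Validator that records .NET/Schannel's verdict instead of aborting.
# Returning $true accepts any certificate: acceptable for a diagnostic run,
# never for production code.
$validator = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:PolicyErrors = $sslPolicyErrors
    if ($chain) {
        $script:ChainStatus = @($chain.ChainStatus | ForEach-Object {
            "$($_.Status): $($_.StatusInformation.Trim())" })
    }
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    # A refused TCP connect here means nothing is listening on the port at all.
    $tcp.Connect($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validator)
    # The name passed here is the one the server certificate must carry.
    $ssl.AuthenticateAsClient($Server)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    "Negotiated    : $($ssl.SslProtocol), $($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
    "Subject       : $($cert.Subject)"
    "Issuer        : $($cert.Issuer)"
    "DNS name      : $($cert.GetNameInfo($dnsType, $false))"
    foreach ($ext in $cert.Extensions) {
        # 2.5.29.17 = subjectAltName, 2.5.29.37 = extendedKeyUsage
        if ($ext.Oid.Value -eq '2.5.29.17') { "SAN           : $($ext.Format($false))" }
        if ($ext.Oid.Value -eq '2.5.29.37') { "EKU           : $($ext.Format($false))" }
    }
    "Policy errors : $script:PolicyErrors"

    $pe       = [int]$script:PolicyErrors
    $nameBit  = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    $chainBit = [int][System.Net.Security.SslPolicyErrors]::RemoteCertificateChainErrors
    if (($pe -band $nameBit) -ne 0) {
        "-> name check failed: '$Server' is not among the certificate's DNS names; connect using a name it carries."
    }
    if (($pe -band $chainBit) -ne 0) {
        "-> trust check failed: the chain does not end at a root this client trusts:"
        $script:ChainStatus | ForEach-Object { "     $_" }
    }
    if ($pe -eq 0) {
        "-> both client-side checks pass; the LDAPS listener is usable from this client."
    }
}
catch {
    "Handshake failed: $($_.Exception.Message)"
    if ($_.Exception.InnerException) { "  inner: $($_.Exception.InnerException.Message)" }
    # If the validator ran before the failure, its verdict is still useful.
    "Policy errors recorded before failure: $script:PolicyErrors"
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}
```

Save it as a .ps1 and run it with -Server set to the DC's FQDN, from the DC itself and from another client. A RemoteCertificateNameMismatch verdict means the name typed into ldp does not appear in the certificate; RemoteCertificateChainErrors with a status such as UntrustedRoot means the CA's certificate is not installed on that client. If the script reaches the catch block with no policy errors recorded, the server closed the connection after presenting its certificate, and the explanation has to come from the server side.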
 
Dear Mr. Jason,
I thank you for the effort taken to reply to me. Following is my reply to
the few possibilities mentioned by you:

1. I had applied the default policy.

2. The name I specified is the DNS name of the server in the certificate
that the server provides during the SSL handshake.

3. When using ldp I mentioned the full DNS name of the server.

4. The server certificate returned is in the trusted CA path. (This I made
sure of with the help of an LDAP browser. When I connected to the LDAP server
using the LDAP browser, the complete certificate is returned to the client side.
Also the SSL handshake is going on fine until the final stage. The concise
log report is shown below.)

The brief report of the log file is as follows:

//Start log report //
*** ClientHello, v3.1
main, WRITE: SSL v2, contentType = 22.....
main, READ: SSL v3.1 Handshake, length = 4278
*** ServerHello, v3.1
** SSL_RSA_WITH_RC4_128_MD5
*** Certificate chain
***
failed extension check:
*** ServerHelloDone
*** Certificate chain
*** ClientKeyExchange, RSA PreMasterSecret, v3.1
main, WRITE: SSL v3.1 Handshake, length = 77
SESSION KEYGEN:
PreMaster Secret:
CONNECTION KEYGEN:
Client Nonce:
Server Nonce:
Master Secret:
Client MAC write Secret:
Server MAC write Secret:
Client write key:
Server write key:
main, WRITE: SSL v3.1 Change Cipher Spec, length = 1
*** Finished, v3.1
***
[write] MD5 and SHA1 hashes: len = 1
Plaintext before ENCRYPTION: len = 32
main, WRITE: SSL v3.1 Handshake, length = 32
//End of log report//

After this a dialog pops up saying the connection failed.
I think the server is closing the connection. I don't understand why.

Please help me.

I am looking forward to your speedy help on this issue.

Thanking you,
yours truly,
Manoj S P
 
If the certificate is being returned, AD is configured to support SSL. Look
in the event log of both the server and the client for SCHANNEL event log
messages. These will often indicate the problem if there was a problem with
the SSL handshake.
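The Schannel logging this reply points to is controlled by a documented registry value, and on current Windows the entries land in the System log under the Schannel provider. The script below is an added example, not from the thread: it raises the logging level, makes one LDAPS handshake attempt so that there is something to log, and then prints the Schannel entries written while it ran. Run it elevated on the DC for the server-side view and on a workstation for the client side. It assumes a Windows version with Get-WinEvent; dc1.example.com is a placeholder for the DC's full DNS name.

```powershell
# Added example; not code from the original thread. Enables Schannel event
# logging, triggers one LDAPS handshake, then prints the Schannel entries
# the System log received while it ran. Run elevated; on the DC it shows the
# server side, on a workstation the client side. Assumption: $Server is the
# DC's full DNS name (placeholder), and the OS has Get-WinEvent (Vista or later).
$Server = 'dc1.example.com'
$Port   = 636

# Documented Schannel setting; bit mask: 1 = errors, 2 = warnings,
# 4 = informational and success events, 7 = everything.
$SchannelKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'
$current = (Get-ItemProperty -Path $SchannelKey -Name EventLogging -ErrorAction SilentlyContinue).EventLogging
if ($current -ne 7) {
    Set-ItemProperty -Path $SchannelKey -Name EventLogging -Value 7 -Type DWord
    "EventLogging set to 7 (was '$current'). The documented procedure restarts the machine after changing it."
}

$started = Get-Date

# Trigger one handshake so there is something to log. Accepting any certificate
# here is fine: the point is only to make Schannel write its entries.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($Server)
    "Handshake succeeded: $($ssl.SslProtocol)"
    $ssl.Dispose()
} catch {
    "Handshake failed: $($_.Exception.Message)"
} finally {
    $tcp.Close()
}
Start-Sleep -Seconds 2   # give the event log a moment to flush

$filter = @{ LogName = 'System'; ProviderName = 'Schannel'; StartTime = $started.AddSeconds(-5) }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)
if ($events.Count -eq 0) {
    "No Schannel events since $started. If EventLogging was just changed, restart and rerun."
} else {
    "Schannel events, oldest first:"
    $events | Sort-Object TimeCreated |
        Format-Table TimeCreated, Id, LevelDisplayName,
            @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } } -Wrap -AutoSize
    # The same handshake logged on both machines shows which side generated a
    # fatal alert and which side received it.
    "Event ID summary:"
    $events | Group-Object Id | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
}
```

Running it on both ends of the same attempt is the useful part: an informational entry such as a credential being created on one side, followed by an error entry on the other, places the failure on a specific machine and stage of the handshake. Setting EventLogging back to 1 once the problem is found keeps the System log from filling with success entries.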


 
Sir,
As you said, I enabled the Schannel event log in both error and info
mode. The Schannel event log of the server displays the following message
when trying to connect to LDAP using ldp.exe running on the same machine:
"Creating an SSL client credential"

Awaiting your reply,
Thanks,
Manoj S P
