Hi guys,

 

I'm trying to enable LDAPS on my local server, but I can't get it working.

I used this tutorial: http://shabaztech.com/enabling-ldaps-certificate-3rd-party-ca/ and did everything it said; I also have a 90-day trial SSL certificate from Comodo to go with it.

 

But I still get the ID 1400 error.

 

Active Directory Web Services could not find a server certificate with the specified certificate name. A certificate is required to use SSL/TLS connections. To use SSL/TLS connections verify that a valid server authentication certificate from a trusted Certificate Authority (CA) is installed on the machine.

Certificate name: <host name>

 

What to do?? I've been working on it for 2 days, but can't get it right :(

 

Thanks!

https://linustechtips.com/topic/648705-enabeling-ldaps/

The certificate used must match the FQDN of your LDAP domain name or it won't be trusted; don't use the server name. You can also, for safety's sake, set Subject Alternative Names (SAN) for the actual LDAP servers in case something tries a direct connection to the server rather than to the domain.

 

Example:

FQDN: example.com

LDAP/DC: DC1.example.com, DC2.example.com

Certificate Name: example.com

SAN: DC1.example.com, DC1, DC2.example.com, DC2

 

Load the certificate like above, with private key, onto both LDAP servers and you'll be covered for clients connecting using either just the FQDN, the FQDN host name or the short host name.


2 hours ago, leadeater said:

The certificate used must match the FQDN of your LDAP domain name or it won't be trusted; don't use the server name. You can also, for safety's sake, set Subject Alternative Names (SAN) for the actual LDAP servers in case something tries a direct connection to the server rather than to the domain.

 

Example:

FQDN: example.com

LDAP/DC: DC1.example.com, DC2.example.com

Certificate Name: example.com

SAN: DC1.example.com, DC1, DC2.example.com, DC2

 

Load the certificate like above, with private key, onto both LDAP servers and you'll be covered for clients connecting using either just the FQDN, the FQDN host name or the short host name.

 

I used this for the certificate request from the tutorial, and of course edited the credentials in the Subject line.

 

Quote:

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "C=NO, S=Oslo, L=Oslo, O=ShabazTech, CN=DC01.shabaztech.com"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication


What should I do differently? I followed the tutorial exactly and I only have 1 server: AMASRV1.<sitename>.nl


On 8/27/2016 at 3:25 AM, Nijholt said:

What should I do differently? I followed the tutorial exactly and I only have 1 server: AMASRV1.<sitename>.nl

You would set the subject to just <sitename>.nl and not put in the server name at all, then set a subject alternative name as the FQDN of the server and also the short name.


What is your domain name set as?

 

What leadeater is trying to say is you should set the following:

Subject: "yourActiveDirectoryDomainName.nl"

SAN (Subject Alternative Name): "yourADServerName.yourActiveDirectoryDomainName.nl", "yourADServerName"

 

This will cover both the FQDN and the hostname of the machine in order for it to be valid.

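One way to build that request, as an added example (not code from the thread or from the shabaztech tutorial): a PowerShell script that writes a certreq INF with the Subject/SAN layout leadeater and Eniqmatic describe (subject = the AD domain, SAN = the DC's FQDN and short host name), then checks that the certificate imported into LocalMachine\My actually lists those names. The domain and host names are placeholders to replace with your own.

```powershell
$Domain   = 'example.nl'   # placeholder: your AD domain name, not the server name
$HostName = 'AMASRV1'      # placeholder: the DC's short host name
$Fqdn     = "$HostName.$Domain"

# Subject is the domain; SAN (OID 2.5.29.17) lists the DC's FQDN and short name
$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Domain"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "dns=$HostName&"
_continue_ = "dns=$Domain&"
"@
Set-Content -Path "$env:TEMP\ldaps.inf" -Value $inf -Encoding Ascii
# certreq -new "$env:TEMP\ldaps.inf" "$env:TEMP\ldaps.req"   # then submit the .req to the CA

# After the issued cert is imported into LocalMachine\My: does a Server Authentication
# cert with a private key list the names LDAPS clients will connect with?
function Test-LdapsCertificate {
    param([string]$Fqdn, [string]$HostName)
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
    } | ForEach-Object {
        $sanExt = $_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
        [pscustomobject]@{
            Subject  = $_.Subject
            SAN      = $san
            CoversDC = ($san -match ('DNS Name=' + [regex]::Escape($Fqdn) + '(,|$)')) -and
                       ($san -match ('DNS Name=' + [regex]::Escape($HostName) + '(,|$)'))
        }
    }
}
Test-LdapsCertificate -Fqdn $Fqdn -HostName $HostName
```

Run it elevated on the DC; once the CA returns the certificate, `certreq -accept` binds it to the private key in the machine store and the check should report CoversDC = True for that certificate.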

1 hour ago, Eniqmatic said:

What is your domain name set as?

 

What leadeater is trying to say is you should set the following:

Subject: "yourActiveDirectoryDomainName.nl"

SAN (Subject Alternative Name): "yourADServerName.yourActiveDirectoryDomainName.nl", "yourADServerName"

 

This will cover both the FQDN and the hostname of the machine in order for it to be valid.

Every time I see you post you make me miss 'Real Top Gear' xD

 


9 minutes ago, leadeater said:

Every time I see you post you make me miss 'Real Top Gear' xD

 

Haha! Here's hoping that "real Top Gear" will be back very soon, with a bit of change!

 

I have to admit, I did have a chuckle when I saw yours; in the particular industry I work in, that kind of behaviour is definitely something I can relate to!
