IMP issue : Not yet solved - "unable to connect to Ldap port 636 using JSSE"

Manoj

We are trying to enable SSL in Active Directory server running on Windows
2000 Server. We carried out the steps as per the information given in
Microsoft's website viz. "HOW TO: Enable Secure Socket Layer (SSL)
Communication Over LDAP For Windows 2000 Domain Controllers"
[http://support.microsoft.com/default.aspx?scid=kb;en-us;247078]

Enabling SSL:
---------------------
1. Install an Enterprise Certificate Authority on a Windows 2000 server. All
Domain Controllers in the forest will automatically enroll for and
install the appropriate certificate.
2. Open the Default Domain Controller Policy using the Group Policy Editor.
3. Under Computer Configuration, click Windows Settings.
4. Click Security Settings, and then click Public Key Policies.
5. Click Automatic Certificate Request Settings.
6. Use the wizard to add a policy for Domain Controllers.

Then the machine was restarted and the following results were found:

a) Ldp.exe, running on the same machine as the LDAP server, was used to
connect to the LDAP server (port 636) without any errors. But we are not able to
connect to the LDAP server (port 636) from the machines on a different domain.

b) Then we tried to connect to the LDAP server (port 636) using a Java-based LDAP
browser (version 2.8.2). We got an error indicating that the client could not
identify the CA certificate from the certificate chain. (NB: The snapshot
is attached.)
We checked the debug trace of JSSE and it seems that the "Basic Constraints"
attribute of the CA certificate provided by the Active Directory server to the
client does not indicate that it is a CA certificate.

c) An interesting fact is that we are able to connect using the Softerra browser,
which is a C-based LDAP browser.
So it is sure that the problem is due to some incompatibility between Active
Directory and JSSE.
I tried two types of JSSE provider, Sun and IBM, but the error is the same.
So what should I do? My application uses Java, so JSSE is an indispensable
entity for my application.
I am even ready to avail paid tech support from Microsoft. I contacted the
MS office, Chennai, India branch, and was allotted a contact id, referring to
which I gave a detailed report along with debug traces of my problem. They
responded to us by asking us to forward the query to (e-mail address removed).
I did the same and have not received any response yet. I am very much
unsatisfied by the service and support provided. My customers are waiting
for the product to be launched. All the issues related to other directory
servers are solved. Only the SSL-Active Directory issue is outstanding. I
cannot dispense with the Active Directory issue simply because most of the
customers are using Active Directory. And it is a great pity that such an
important issue related to the products of two software giants (Microsoft &
Sun) is not solved yet.

Please help me?

In brief, our problem is as follows: "We are not able to establish an LDAP
connection to SSL-enabled Active Directory using JSSE (Java Secure Socket
Extension)."
Thank you for spending some time to read this.

disheartened,
manoj
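The symptom in point (b) above, a chain that JSSE rejects because the CA certificate lacks a Basic Constraints extension marking it as a CA, is easiest to confirm by looking at the chain the server actually presents together with JSSE's own verdict. The following diagnostic is an added example, not code from the original post or from any LDAP browser mentioned in it; it wraps the default JSSE trust manager so the chain is recorded before normal validation runs, and assumes a hostname and port passed on the command line (the "dc.example.com" default is a placeholder).

```java
import javax.net.ssl.*;
import java.security.KeyStore;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;

/** Diagnostic: show the chain an LDAPS server presents and JSSE's verdict on it. */
public class LdapsChainCheck {
    // Wraps the default JSSE trust manager so the chain stays visible even when validation fails.
    static final class RecordingTrustManager implements X509TrustManager {
        private final X509TrustManager delegate;
        X509Certificate[] lastChain = new X509Certificate[0];
        RecordingTrustManager(X509TrustManager d) { delegate = d; }
        public void checkClientTrusted(X509Certificate[] c, String a) throws CertificateException {
            delegate.checkClientTrusted(c, a);
        }
        public void checkServerTrusted(X509Certificate[] c, String a) throws CertificateException {
            lastChain = c;                   // record first, then let JSSE validate as usual
            delegate.checkServerTrusted(c, a);
        }
        public X509Certificate[] getAcceptedIssuers() { return delegate.getAcceptedIssuers(); }
    }

    static X509TrustManager defaultTrustManager() throws Exception {
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null);           // default truststore (cacerts or javax.net.ssl.trustStore)
        for (TrustManager tm : tmf.getTrustManagers())
            if (tm instanceof X509TrustManager) return (X509TrustManager) tm;
        throw new IllegalStateException("no X509TrustManager available");
    }

    public static void main(String[] args) throws Exception {
        String host = args.length > 0 ? args[0] : "dc.example.com"; // placeholder, not a real host
        int port = args.length > 1 ? Integer.parseInt(args[1]) : 636;
        RecordingTrustManager rtm = new RecordingTrustManager(defaultTrustManager());
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, new TrustManager[]{rtm}, null);
        String verdict;
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(host, port)) {
            s.startHandshake();
            verdict = "JSSE accepted the chain";
        } catch (SSLHandshakeException e) {
            verdict = "JSSE rejected the chain: " + e.getMessage();
        }
        for (X509Certificate c : rtm.lastChain) {
            int bc = c.getBasicConstraints();    // -1: extension absent or cA=FALSE, i.e. not a CA
            System.out.println("subject=" + c.getSubjectX500Principal());
            System.out.println("  issuer=" + c.getIssuerX500Principal());
            System.out.println("  basicConstraints=" + (bc < 0 ? "absent or cA=FALSE"
                    : "CA, pathLen=" + (bc == Integer.MAX_VALUE ? "unlimited" : String.valueOf(bc))));
        }
        System.out.println(verdict);
    }
}
```

A CA certificate reported as "absent or cA=FALSE" is exactly the condition JSSE's PKIX validator refuses; on a current JDK the handshake can also fail for unrelated reasons such as disabled legacy protocols, which the printed exception message distinguishes.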