LDAPS (LDAP Secure) trust between MS 2000 and MS 2003 servers.


TBK

Reference: I am using the following MS article as my point of
reference: http://support.microsoft.com/default.aspx?scid=kb;en-us;321051

Goal: Create a one way trust between two domains that uses SSL with
LDAP (Also called LDAPS or Ldap Secure).

I have created the initial one way trust, where Domain A trusts Domain
B (meaning that domain A is able to add users to objects inside its
domain, but domain B is unable to). The trust is functioning properly
and communicates over port 389 (per default).

I have made Domain A a certificate authority (CA) and I have created a
certificate using a PKCS# 10 request. I have installed the
certificate CHAIN and reviewed the certificate information. All of
the required information is inside the certificate.

At this point I open LDP.exe and click connect. I type in the domain
name and change it to port 636, but it does not connect. If I used
default port 389 it works fine (but this is NOT LDAPS).

Things I have tried:
Changing from port 389 to 636 on all _TCP _LDAP inputs on DNS.
Tried other ports.
Confirmed BOTH CA and client have certificates installed and are both
"trusted" by the CA.
Confirmed content of certificate.

What am I doing wrong? As per the article it 'should' be easy, but it
never is with MS stuff...please advise.

Chris

Check the event logs for errors. Usually there are events. Make sure the
certificate is in the computer (not user) Personal store on the domain
controllers.
Try using PKCS#12 and make sure that you do not enable strong private key
protection (per the article you referenced). There should be a check box
when you export the certificate. Also make sure you check export the private
key. You will be required to enter a password. See the following article.

http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/sag_CMprocsImport.htm

TBK

Nothing in event logs. Today I took the CA off the Win2K
box, thinking maybe it had something to do with that, but
still nothing. Here is how I created the certificate via
Windows 2000 IIS http:\\ip\certsrv:

Welcome -> Request a Certificate -> Advanced request ->
Submit a certificate request using PKCS #10 file -> Insert
the PKCS#10 file -> Submit

Download DER Encoded CA Certification path cert (p7b). I
then opened certificate services and imported it to local
computer and put it inside the trusted CA section. I have
done this on BOTH machines. I then try to LDP port 636
and it doesn't work....yet it still functions properly on
port 389.

UGH!

Chris

My suggestion is to export the certificate using PKCS#12. This is the only
way we could get it to work. If you use PKCS#12 and you choose to export the
private key it should ask for a password. You should also see the check box
for "Do not enable strong private key
protection." The domain controllers must trust the Root CA and the
certificate must be in the Personal certificate store. Don't forget - The
Active Directory fully qualified domain name of the domain controller must
appear in the common name in the subject field of the certificate.
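The checklist above (TLS actually negotiates on 636, the issuing CA is trusted by the client, and the DC's AD fully qualified name appears in the certificate) can be verified from a client without LDP.exe. The script below is an added example written for this thread, not code from either poster or from Microsoft; it assumes a DC name such as dc1.domaina.local and an optional PEM copy of the CA certificate, and the two sample certificate dicts are constructed to mirror what Python's ssl module returns from getpeercert().

```python
import socket
import ssl
from typing import Optional

LDAPS_PORT = 636  # LDAP over SSL, the port LDP.exe is pointed at in the thread


def cert_names(cert: dict) -> list:
    """Collect the DNS names a server certificate asserts: every subject
    commonName plus any DNS subjectAltName entries. `cert` has the dict
    shape returned by ssl.SSLSocket.getpeercert()."""
    names = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value)
    return names


def cert_matches_fqdn(cert: dict, fqdn: str) -> bool:
    """True when the DC's AD fully qualified name appears in the certificate
    (exact, case-insensitive match; the thread's advice is that it must be
    in the subject CN, and a DNS SAN is accepted as well)."""
    want = fqdn.rstrip(".").lower()
    return any(n.rstrip(".").lower() == want for n in cert_names(cert))


def diagnose_ldaps(fqdn: str, ca_pem_path: Optional[str] = None,
                   timeout: float = 5.0) -> str:
    """Attempt a TLS handshake to fqdn:636 and classify the outcome in terms
    of the checklist from the thread. Returns 'ok' or a short diagnosis."""
    ctx = ssl.create_default_context(cafile=ca_pem_path)
    ctx.check_hostname = False            # name check is reported separately below
    ctx.verify_mode = ssl.CERT_REQUIRED   # chain must validate against the CA
    try:
        with socket.create_connection((fqdn, LDAPS_PORT), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=fqdn) as tls:
                cert = tls.getpeercert()
    except ssl.SSLCertVerificationError as exc:
        return "chain does not validate: client does not trust the issuing CA (%s)" % exc.verify_message
    except (ConnectionRefusedError, ConnectionResetError, ssl.SSLEOFError):
        # Consistent with the first reply: no usable certificate in the DC's
        # computer (not user) Personal store, so no TLS handshake completes.
        return "no TLS handshake on 636: check the computer Personal store on the DC"
    except ssl.SSLError as exc:
        return "TLS handshake failed: %s" % exc
    except OSError as exc:
        return "network error: %s" % exc
    if not cert_matches_fqdn(cert, fqdn):
        return "certificate does not carry the DC FQDN %s; names seen: %s" % (fqdn, cert_names(cert))
    return "ok"


# Constructed sample certificates in getpeercert() form (not real DC certificates).
SAMPLE_GOOD_CERT = {
    "subject": ((("countryName", "US"),), (("commonName", "dc1.domaina.local"),)),
    "subjectAltName": (("DNS", "dc1.domaina.local"), ("IP Address", "10.0.0.1")),
}
SAMPLE_BAD_CERT = {
    # The NetBIOS-style name Windows users often type is not the AD FQDN.
    "subject": ((("commonName", "DC1"),),),
}

if __name__ == "__main__":
    # Offline demonstration of the name check, then a live probe (assumed host name).
    print(cert_matches_fqdn(SAMPLE_GOOD_CERT, "dc1.domaina.local"))
    print(cert_matches_fqdn(SAMPLE_BAD_CERT, "dc1.domaina.local"))
    print(diagnose_ldaps("dc1.domaina.local", ca_pem_path=None))
```

A successful bind on 389 says nothing about LDAPS, which is why the probe talks only to 636 and requires a validated chain; a "no TLS handshake" result with 389 still working is exactly the symptom described in the thread.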

TBK

Thanks for the information. It solved my problem. I have
made a procedure write-up on this and I eventually plan on
putting it on a webserver so other people can have it for
reference.

Regards.