enabling LDAP over SSL: Enterprise CA in separate AD tree

Posted by mtw on August 17, 2006, 6:31 pm
Hello,

I've got two AD trees within a forest. For example's sake, we'll call
them A and B. I've installed an Enterprise CA in domain A to enable
LDAP over SSL - it is working with no problem. I've attempted to
create an Automatic Certificate Request on a DC in domain B, so I can
enable LDAP over SSL in that domain, but it seems that the request
isn't being honored.

The first few times I tried, I received an Event ID 13 in the system
log saying that access was denied. After reading
http://support.microsoft.com/default.aspx/kb/889101, I put B\Domain
Computers and B\Domain Users in domain A's CERTSVC_DCOM_ACCESS security
group. I created a new Certificate Request and ran gpupdate. I'm not
getting an Event ID 13 any more; however, I'm not getting a success
message either, and LDAP over SSL still isn't working (using LDP.exe
to verify).

So, anyone have any things for me to try?

Thanks in advance,

Matthew


Posted by mtw on August 18, 2006, 12:07 pm

> So, anyone have any things for me to try?

The trick was to log into a DC in domain B as an Enterprise Admin and
set up a subordinate enterprise CA. After that I could get
certificates and enable LDAP over SSL.


Posted by Brian Komar on August 18, 2006, 1:00 pm
mtw@vne.net says...
>
> > So, anyone have any things for me to try?
>
> The trick was to log into a DC in domain B as an Enterprise Admin and
> set up a subordinate enterprise CA. After that I could get
> certificates and enable LDAP over SSL
>
>
This is not really the solution...
You just need to change permissions on the Domain Controller or Domain
Controller Authentication certificate templates to allow each domain's
Domain Controllers group the Read, Enroll (and maybe Autoenroll for v2
templates) permissions.
Brian

Posted by mtw on August 18, 2006, 5:56 pm
Brian,

Thanks for your reply.

I've enabled Read and Enroll for Computer, Domain Controller, and
Domain Controller Authentication for the domain B domain controllers
group, plus Autoenroll for D.C. Authentication. When I submit an
Automatic Certificate Request and run gpupdate, I now don't get a
success message in the event log.

LDAP over SSL still works; however, I fear that if I reboot the DC in
domain B it will stop working.

-mtw

Brian Komar wrote:
> mtw@vne.net says...
> >
> > > So, anyone have any things for me to try?
> >
> > The trick was to log into a DC in domain B as an Enterprise Admin and
> > set up a subordinate enterprise CA. After that I could get
> > certificates and enable LDAP over SSL
> >
> >
> This is not really the solution...
> You just need to change permissions on the Domain Controller or Domain
> Controller Authentication certificate templates to allow each domain's
> Domain Controllers group the Read, Enroll (and maybe Autoenroll for v2
> templates) permissions.
> Brian


Posted by Brian Komar [MVP] on August 18, 2006, 6:31 pm
mtw@vne.net says...
> I've enabled Read and Enroll for Computer, Domain Controller, and
> Domain Controller Authentication for the domain B domain controllers
> group, plus Autoenroll for D.C. Authentication. When I submit an
> Automatic Certificate Request and run gpupdate, I now don't get a
> success message in the event log.
>
> LDAP over SSL still works, however I fear that if I reboot the DC in
> domain B it will stop working.
>
Run certutil -dcinfo for each domain. This will report back to you
- What DCs have certs
- What certs each DC has
- Whether the certs are valid
Brian
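The question that started this thread was whether the domain B DC really holds a usable certificate for LDAPS, and whether it will survive a reboot. The following PowerShell script is an added example (not posted by anyone in the thread) that connects to port 636 on a DC, reports which certificate is presented, whether it chains to a trusted CA and whether its DNS name matches the DC, and then runs the `certutil -dcinfo` check Brian suggests. The DC name `dc1.b.example.com` is a placeholder to replace.

```powershell
# Added example: verify LDAPS on a domain controller from any domain-joined host.
# $DcFqdn is a placeholder; pass the FQDN of the DC you want to check.
param([string]$DcFqdn = "dc1.b.example.com")

function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 636
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($ComputerName, $Port)
        # Accept any certificate during the handshake so we can inspect it;
        # trust and name matching are evaluated explicitly below, not enforced here.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($ComputerName)

        $cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)   # checks trust, validity period and revocation
        $dnsName = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        [pscustomobject]@{
            Server      = $ComputerName
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer            # should be the enterprise CA in domain A
            NotAfter    = $cert.NotAfter
            ChainValid  = $chainOk
            ChainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            # LDP.exe and other clients refuse the handshake if the name does not match the DC FQDN
            NameMatches = ($dnsName -ieq $ComputerName)
        }
    }
    finally {
        $client.Close()
    }
}

Test-LdapsCertificate -ComputerName $DcFqdn | Format-List

# Cross-check from the CA side, as suggested in the thread: which DCs hold
# certificates, which certificates they hold, and whether they are valid.
certutil -dcinfo
```

Run it again after rebooting the DC: if `ChainValid` and `NameMatches` are still true and the `NotAfter` date has not passed, the certificate was stored persistently and autoenrollment is not required for LDAPS to keep working until renewal.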
