Installing Enterprise CA broke existing LDAP SSL on the DC's

Prior to 2/24/2006, secure LDAP authentication to all of our domain controllers worked properly. We use a separate commercial certificate on each domain controller.

On 2/24/2006, an Enterprise CA was created on a member server for the purposes of Smart Card logon to the domain controllers by domain admins. A new cert was therefore issued to each DC.

A new group policy was created and linked to the Domain Controllers OU which has the following setting "Interactive Logon: Smart Card Authentication Required" enabled.

Each DC now has two certificates - one from the Enterprise CA (for smart card logon) and one from Equifax (for secure LDAP).

Macintosh email clients (Entourage) who have Exchange mailboxes are configured to use a secure LDAP connection to one of the DCs to perform Global Address Book lookups. Following the installation of the Enterprise CA, Macintosh users receive the following error when attempting to access the Global Address List:

"Unable to establish a secure connection to host.domain_name because the correct root certificate is not installed".

In troubleshooting this issue, I've used LDP.exe to connect to the domain controllers via secure LDAP, and have been prompted for a smart card. Since this is not an interactive logon, I did not expect this.

--
Thanks,

cloudboy


Hello,

If you run certutil -dcinfo deleteBad it will drop all certs and request a new one from your new enterprise CA.

--
Regards
Christoffer Andersson
Microsoft MVP - Directory Services
----------------------------------------------------------------
"cloudboy" <cloud***@discussions.microsoft.com> wrote in message news:B370F975-7846-496F-988D-8A7C1E85E07F@microsoft.com...
> [original post quoted in full; see above]


The existing cert we use for secure LDAP is a commercial third-party cert. We need to continue to use this certificate so that clients trust the DC and don't have to be "touched". So, is there a way we can have both certificates - one used for smart card logon and one (Equifax) used for secure LDAP? We don't want to use an enterprise cert for secure LDAP, because clients would have to be manually configured to trust that cert.

Thanks,
Daren

--
Thanks,

cloudboy

"chriss3 [MVP]" wrote:
> Hello,
> If you run certutil -dcinfo deleteBad it will drop all certs and request a
> new one from your new enterprise CA.
>
> [original post quoted in full; see above]
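The client error in this thread ("the correct root certificate is not installed") means the certificate the DC actually offered on port 636 does not chain to anything the Mac trusts, which is exactly what happens when a DC holding two server certificates starts presenting the enterprise-CA one instead of the commercial one. The following script is an added diagnostic, not code from the thread or from Microsoft: it connects to a DC over LDAPS, reports the issuer CN, the hostname match and the SHA-256 thumbprint of whatever certificate is presented, and, if the chain does not validate, still fetches the raw certificate so its thumbprint can be matched against the two certificates in the DC's store. The host names, issuer names and the `SAMPLE_PEERCERT` dictionary are constructed placeholders, not values from the thread.

```python
"""Report which certificate a domain controller presents on LDAPS (TCP 636).

Added example (not from the thread). Usage:
    python ldaps_cert_check.py <dc-host> <expected-issuer-CN> [ca.pem]
With no arguments it evaluates a constructed sample certificate offline.
"""
import hashlib
import socket
import ssl
import sys

LDAPS_PORT = 636

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns;
# the names are placeholders, not values from the thread.
SAMPLE_PEERCERT = {
    "issuer": (
        (("countryName", "US"),),
        (("organizationName", "Example Commercial CA"),),
        (("commonName", "Example Commercial Root"),),
    ),
    "subject": ((("commonName", "dc1.example.com"),),),
    "subjectAltName": (("DNS", "dc1.example.com"),),
}


def fingerprint_sha256(der_bytes):
    """Colon-separated SHA-256 thumbprint of a DER-encoded certificate."""
    digest = hashlib.sha256(der_bytes).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def _first_attr(name_tuple, attr):
    """Pull one attribute (e.g. commonName) out of getpeercert()'s nested name tuples."""
    for rdn in name_tuple:
        for key, value in rdn:
            if key == attr:
                return value
    return ""


def evaluate_peercert(peercert, expected_issuer_cn, hostname):
    """Judge a decoded peer certificate against the issuer and name a client expects."""
    issuer_cn = _first_attr(peercert.get("issuer", ()), "commonName")
    subject_cn = _first_attr(peercert.get("subject", ()), "commonName")
    san_dns = {v.lower() for t, v in peercert.get("subjectAltName", ()) if t == "DNS"}
    host = hostname.lower()
    return {
        "issuer_cn": issuer_cn,
        "issuer_ok": issuer_cn == expected_issuer_cn,
        "name_ok": host in san_dns or subject_cn.lower() == host,
    }


def check_ldaps(host, expected_issuer_cn, ca_file=None, port=LDAPS_PORT, timeout=5.0):
    """Connect over TLS and describe the certificate the server presents.

    Pass 1 validates the chain the way a client would (system roots, or the
    root in ca_file).  If that fails, pass 2 fetches the raw certificate
    without validation so it can at least be identified by thumbprint.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                report = evaluate_peercert(tls.getpeercert(), expected_issuer_cn, host)
                report["trusted"] = True
                report["sha256"] = fingerprint_sha256(tls.getpeercert(binary_form=True))
                return report
    except ssl.SSLCertVerificationError as exc:
        verify_error = str(exc)

    probe = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    probe.check_hostname = False      # must be cleared before verify_mode
    probe.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with probe.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    return {
        "trusted": False,
        "verify_error": verify_error,
        "issuer_cn": None,   # the stdlib only decodes certificates it validated
        "issuer_ok": False,
        "name_ok": False,
        "sha256": fingerprint_sha256(der),
    }


if __name__ == "__main__":
    if len(sys.argv) < 3:
        result = evaluate_peercert(SAMPLE_PEERCERT, "Example Commercial Root", "dc1.example.com")
    else:
        result = check_ldaps(sys.argv[1], sys.argv[2], sys.argv[3] if len(sys.argv) > 3 else None)
    for key, value in result.items():
        print(f"{key}: {value}")
```

Run it from a client machine against each DC with the commercial root's CN as the expected issuer: a `trusted: False` result with an unfamiliar thumbprint tells you the DC is now offering the enterprise-CA certificate for LDAPS, and the thumbprint identifies which certificate in the DC's personal store that is. A 2003-era DC may offer only TLS 1.0, which a modern default context rejects before any certificate is seen; lowering `ctx.minimum_version` to `ssl.TLSVersion.TLSv1` for the check works only if the local OpenSSL build still permits it.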