Discussion:
SSL & IADs behavior has changed.
Shane, Devnet SysOp 57
2005-11-22 18:10:03 UTC
At some point in the past few months something changed in our
environment that makes SSL and IADs no longer play together nicely. In
the past we've been able to connect using IADs to our eDirectory server
over the SSL port without incident. Now though when we try to connect
we get a server is not operational error and if we look at tracing on
the server we see an error which seems to specify that the certificate
isn't being accepted. We've exported the certificates from the server
and installed them locally. This had no effect. Certificates are still
valid.

Another thing to note is that we are noticing the same behavior using an
independent LDAP Browser. Whereas before it would just connect and be
happy now it needs to accept a certificate.

Any thoughts?
Guenter Knauf, DevNet SysOp 32
2005-11-22 18:56:25 UTC
Hi Shane,
Post by Shane, Devnet SysOp 57
At some point in the past few months something changed in our
environment that makes SSL and IADs no longer play together nicely. In
the past we've been able to connect using IADs to our eDirectory server
over the SSL port without incident. Now though when we try to connect
we get a server is not operational error and if we look at tracing on
the server we see an error which seems to specify that the certificate
isn't being accepted. We've exported the certificates from the server
and installed them locally. This had no effect. Certificates are still
valid.
Another thing to note is that we are noticing the same behavior using an
independent LDAP Browser. Whereas before it would just connect and be
happy now it needs to accept a certificate.
Any thoughts?
did you verify the certs with pkidiag2 already?
http://support.novell.com/servlet/filedownload/uns/pub/pkidiag2.exe/

greets, Guenter.
Shane, Devnet SysOp 57
2005-11-30 17:18:33 UTC
Hello, Guenter.

We ran pkidiag2 and it found no problems. The weird thing is that this
is occurring on 3 separate servers (one of which hasn't been touched in
forever) from multiple desktop machines. I'm at a loss as to what to
try next.

Regards,

Shane
Post by Guenter Knauf, DevNet SysOp 32
Hi Shane,
Post by Shane, Devnet SysOp 57
At some point in the past few months something changed in our
environment that makes SSL and IADs no longer play together nicely. In
the past we've been able to connect using IADs to our eDirectory server
over the SSL port without incident. Now though when we try to connect
we get a server is not operational error and if we look at tracing on
the server we see an error which seems to specify that the certificate
isn't being accepted. We've exported the certificates from the server
and installed them locally. This had no effect. Certificates are still
valid.
Another thing to note is that we are noticing the same behavior using an
independent LDAP Browser. Whereas before it would just connect and be
happy now it needs to accept a certificate.
Any thoughts?
did you verify the certs with pkidiag2 already?
http://support.novell.com/servlet/filedownload/uns/pub/pkidiag2.exe/
greets, Guenter.
Susan Perrin
2005-11-30 19:40:04 UTC
Hi

I believe that IADS uses schannel for SSL. There is a registry setting
that you can set (I forget what it is, but I found it once by googling around
for schannel issues) to turn on verbose schannel logging. If you do that
and look at the event viewer it might tell you something interesting. I'm
assuming that ldp.exe fails too?

Thanks
Susan
Susan Perrin
2005-11-30 19:45:47 UTC
ah, here it is: http://support.microsoft.com/kb/260729/EN-US/ ("How to enable
schannel event logging").

Also, you might reverse the process: export the cert from the Windows store,
rename it to .der and see if it works with the Novell ldapsearch utility (-p
636 -e .der file). If not, you might export a new .der from the server,
make sure it works with ldapsearch and reimport it into the Windows store.

Thanks
Susan
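The cross-check Susan describes (does the certificate the client trusts match the one the LDAPS server actually presents, and is it still valid?) as an added example script; this is not code from the thread or from Novell, it assumes openssl is installed, and the host, port and file names are placeholders:

```sh
#!/bin/sh
# Added example (not from the thread): compare the certificate a client
# trusts (exported as DER, e.g. from the Windows store) with the one the
# eDirectory server presents on the LDAPS port, and check the trusted
# copy is still inside its validity period. Assumes openssl is installed;
# host, port and file names are placeholders.
set -u

# Convert a DER certificate to PEM (the form openssl s_client expects as
# a CA file). Prints the PEM path on success.
der_to_pem() {   # der_to_pem <in.der> <out.pem>
    openssl x509 -inform DER -in "$1" -out "$2" || return 1
    printf '%s\n' "$2"
}

# SHA-256 fingerprint of a PEM certificate: lower-case hex, no colons.
cert_fingerprint() {   # cert_fingerprint <cert.pem>
    openssl x509 -in "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# Succeeds if the certificate stays valid for at least N more seconds.
cert_not_expiring() {   # cert_not_expiring <cert.pem> <seconds>
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Fetch the leaf certificate the server presents on host:port and verify
# its chain against the trusted PEM. Prints the server cert fingerprint
# (compare it with cert_fingerprint of the trusted copy) and
# "verify=<code>", where 0 means the trusted cert validates the chain.
check_ldaps_server() {   # check_ldaps_server <host> <port> <trusted.pem>
    out=$(openssl s_client -connect "$1:$2" -CAfile "$3" \
              -servername "$1" </dev/null 2>/dev/null) || return 1
    printf '%s\n' "$out" | sed -n '/-----BEGIN CERT/,/-----END CERT/p' \
        > server_cert.pem
    printf 'server=%s\n' "$(cert_fingerprint server_cert.pem)"
    printf 'verify=%s\n' "$(printf '%s\n' "$out" \
        | sed -n 's/^ *Verify return code: \([0-9]*\).*/\1/p' | head -n 1)"
}

# Usage (placeholders): der_to_pem exported.der trusted.pem
#                       cert_not_expiring trusted.pem 86400
#                       check_ldaps_server ldap.example.test 636 trusted.pem
```

A fingerprint mismatch means the client is trusting a different certificate than the server now serves (for example after a certificate was reissued), which matches the "certificate not accepted" symptom in the thread.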
