
LDP client authentication fails


Romil Shah

Apr 26, 2007, 4:32:01 AM
Hello,

I am using LDP.exe as a client to communicate with an LDAP server.
The LDAP server is configured to use SSL with client and server authentication.

I have copied the personal certificate of the server into the Trusted Root
Certificate Authorities store.

I found that ldp.exe fails to connect to the server. The SSL handshake fails.

The queries that I have are as follows:
1) Does LDP.exe authenticate to the server (is client authentication
supported?)
I am using Windows 2003 with SP1 installed.
I found that in Windows 2000 SP4 a similar bug was fixed (811288).
Is this bug fixed in Windows 2003 with SP1 installed?

2) If client authentication is supported, then which personal certificate
does ldp.exe send to the server for authentication, and where is the personal
certificate stored on Windows?

Looking forward to your suggestions.

Thanks,
Romil Shah

Paul Bergson [MVP-DS]

Apr 26, 2007, 9:10:15 AM
When you say you have copied the personal certificate of the server into the
Trusted Root Certificate Authorities store, I am unclear as to what you mean. What
you should have done is copy the Root CA of the server certificate into the
client's Trusted Root Certificate Authorities store. Does the client also have
a cert, and have you provided the server with the client's Root CA and placed
that in its store?

The two need to trust one another's certificates before communications will
occur.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Romil Shah" <Romil Sh...@discussions.microsoft.com> wrote in message
news:E46868D3-9D30-48F0...@microsoft.com...

Romil Shah

Apr 27, 2007, 3:24:01 AM
Hi Paul,
You are right that we need to copy the Root CA to the Trusted Root Certificate
Authorities store. I did this, but as per the main query I had, does the Active
Directory client ldp.exe support client authentication?

Any idea as to where to store the personal certificate of the ldp.exe client?
I don't find any option in the ldp.exe tool.
So now the question comes as to whether the ldp.exe AD client supports client
authentication. If not, then the server can never authenticate the client.

As the LDAP server is not receiving any certificate from the client side for
authentication, I think ldp.exe does not support client authentication.
But I am not sure if I am right on this. Any idea?


Thanks.
Romil Shah

Paul Bergson [MVP-DS]

Apr 27, 2007, 8:41:49 AM
Inline

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Romil Shah" <Romi...@discussions.microsoft.com> wrote in message
news:8272DF53-420B-4B42...@microsoft.com...


> Hi Paul,
> You are right that we need to copy the Root CA to the Trusted Root Certificate
> Authorities store. I did this, but as per the main query I had, does the Active
> Directory client ldp.exe support client authentication?

I am not positive, but I would say that ldp does not support client
authentication.

> Any idea as to where to store the personal certificate of the ldp.exe client?
> I don't find any option in the ldp.exe tool.
> So now the question comes as to whether the ldp.exe AD client supports client
> authentication. If not, then the server can never authenticate the client.

To store the client cert, just double-click on the cert and import it. Or
open up IE, select Tools, Internet Options, Content tab, and click on
Certificates and import from there. This will add the workstation cert
for you, but I don't see this working with LDP, but I could be wrong.

> As the LDAP server is not receiving any certificate from the client side for
> authentication, I think ldp.exe does not support client authentication.
> But I am not sure if I am right on this. Any idea?

You could use IPsec and have your machine authenticate to the server.

Joe Kaplan

Apr 27, 2007, 10:33:13 AM
Actually, AD does support client certificate authentication for binding, and
this can be done with ldp. It isn't well documented, though. As long as the
client certificate is available and SSL is being negotiated, the client
certificate can be used. In general, the client certificate should be in the
"my" store for the current user and must be a certificate that is trusted by
the server.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message
news:%23hO8tlM...@TK2MSFTNGP06.phx.gbl...

Paul Bergson [MVP-DS]

Apr 27, 2007, 11:29:07 AM
That surprises me, but is good to know.

Picked up Ryan's and your book the other day. I have a guy writing some AD
code to create users and he loves the details you two have provided.
Hopefully this will get him over the hump. He was having some problems
figuring some of this out. I wish I had the time to do it, but I don't
always get to play.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Joe Kaplan" <joseph....@removethis.accenture.com> wrote in message
news:OgzK%23jNiH...@TK2MSFTNGP03.phx.gbl...

Joe Kaplan

Apr 27, 2007, 12:12:32 PM
Client cert authentication in AD/LDAP is supposedly supported, but it is
also undocumented black magic as far as I'm concerned. We don't have much
detail on this in our book. Supposedly ADAM also allows you to do client
cert authentication for Windows users, but I have no experience with that
either.

A few years ago, someone at MS got this piece of feedback and said they were
working on some docs to clarify how client cert auth works with LDAP binds.
However, I don't think this document has seen the light of day yet. Very
few people ask about it, so it isn't a hugely popular subject.

Thanks for the kind words on the book. Please tell your dev guy that if he
has any questions, he's welcome to follow up in one of the newsgroups or on the
book's website: www.directoryprogramming.net. I hope you get a chance to
play sometime as well. One of the nice things about our book is that even
though it doesn't address PowerShell directly, everything you learn in there
about .NET LDAP programming is applicable to PowerShell, so it probably
makes the best detailed tutorial out there on how to actually do the LDAP
stuff.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Paul Bergson [MVP-DS]" <pbergson@allete_nospam.com> wrote in message

news:%23ZZvMDO...@TK2MSFTNGP05.phx.gbl...

Paul Bergson [MVP-DS]

Apr 27, 2007, 2:41:05 PM
Thanks I will let him know.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Joe Kaplan" <joseph....@removethis.accenture.com> wrote in message

news:eKywdbO...@TK2MSFTNGP06.phx.gbl...

Romil Shah

May 3, 2007, 8:21:02 AM
Thanks for your suggestions...
This is something I tried...
I modified the Schannel event log value to 7 so as to get all the details.
This is what I get if the LDAP server is configured in server-client
authentication mode.

Event Type: Warning
Event Source: Schannel
Event Category: None
Event ID: 36875
Date: 5/3/2007
Time: 4:50:41 PM
User: N/A
Computer: LDUKE
Description:
The remote server has requested SSL client authentication, but no suitable
client certificate could be found. An anonymous connection will be attempted.
This SSL connection request may succeed or fail, depending on the server's
policy settings.

I have copied the personal certificate as follows:

mmc -> Add/Remove Snap-in -> Add -> Certificates

Added the certificate under "My user account" and "Computer account" under
the Personal folder.

But even after all this I get the error mentioned above on connection to the
server using LDP.exe.

As I mentioned earlier:

"I am using Windows 2003 with SP1 installed.
I found that in Windows 2000 SP4 a similar bug was fixed (811288).
Is this bug fixed in Windows 2003 with SP1 installed?"

1) Is this a problem in 2003 SP1?
2) Or am I adding the personal certificate in the wrong place?

Appreciate your help in this regard.

-Romil Shah

Joe Kaplan

May 3, 2007, 11:07:49 AM
When you installed the user certificate, did you install it using a pfx or
p12 file? Does the certificate UI indicate that you have a private key for
the certificate? Client cert auth won't work without that.

Additionally, the server must trust the client certificate for it to be a
suitable choice, so the client cert's root issuing CA must be a CA trusted
by the server.

It will work if you get all the right pieces in place.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--

"Romil Shah" <Romi...@discussions.microsoft.com> wrote in message

news:1F75ADDD-5A44-4664...@microsoft.com...
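A way to check the two conditions Joe names before retrying the bind (a private key behind the certificate in the current user's "my" store, and a chain that ends at a CA the server trusts), and so explain a Schannel 36875 "no suitable client certificate" warning like the one quoted above. This is an added PowerShell example, not code from the thread; Cert:\CurrentUser\My and the Client Authentication EKU OID are standard, while the list of root thumbprints the LDAP server trusts is an assumed input you supply.

```powershell
# Added example: list certificates in the current user's Personal ("My") store
# and report why Schannel would skip each one as an SSL client certificate.
param(
    # Assumed input: thumbprints of the root CAs the LDAP server trusts.
    # Leave empty to skip the server-side trust check.
    [string[]]$ServerTrustedRoots = @()
)

$clientAuthOid = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$now = Get-Date

Get-ChildItem -Path Cert:\CurrentUser\My | ForEach-Object {
    $cert = $_
    $reasons = @()

    # Schannel only offers certificates whose private key is present. A .cer
    # import gives you the public half only; a .pfx/.p12 import brings the key.
    if (-not $cert.HasPrivateKey) {
        $reasons += 'no private key (import the .pfx/.p12, not the .cer)'
    }

    # If the certificate carries an EKU extension, it must allow client auth.
    $ekus = @($cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
    if ($ekus.Count -gt 0 -and $ekus -notcontains $clientAuthOid) {
        $reasons += 'EKU lacks Client Authentication'
    }

    if ($cert.NotBefore -gt $now -or $cert.NotAfter -lt $now) {
        $reasons += 'outside validity period'
    }

    # Build the chain locally (revocation skipped for an offline check) and
    # compare the root against the CAs the server is known to trust.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode =
        [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    if (-not $chain.Build($cert)) {
        $reasons += 'chain does not build on this client'
    } elseif ($ServerTrustedRoots.Count -gt 0) {
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        if ($ServerTrustedRoots -notcontains $root.Thumbprint) {
            $reasons += "root $($root.Thumbprint) is not trusted by the server"
        }
    }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Usable     = ($reasons.Count -eq 0)
        Reasons    = ($reasons -join '; ')
    }
} | Format-Table -AutoSize
```

A certificate that shows Usable = True here is one Schannel can offer when the server requests client authentication; anything else lists the first fix to make.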

Romil Shah

May 4, 2007, 4:39:12 AM
I got LDP working with the LDAP server in server-client authentication
mode.
I had not installed the certificate in pfx format; that caused all the
problems.


Thanks for all the help.


-Romil Shah
