Questions during initial PWM setup on Windows


Felix Martel

Dec 1, 2022, 4:25:15 PM
to pwm-general
Hi folks! New to PWM and installing it for the first time on a Windows 2019 domain-joined server. Downloaded and installed JVM, Tomcat and the latest build of PWM.

Have gotten everything working up to getting the login page, and here's where things get complicated:

I'm getting an error 5015 (certificate not found etc. etc.). I've searched the group and gone through dozens of posts about the subject, and haven't been able to find the answer to the following:

1: How do I add domain controllers to the LDAP config?
2: How do I upload certs for those additional DCs?
3: How do I modify the SAN for my server certs?

I've read lots of posts that say "just upload a cert in the config". But where??? I've gone through every option, and in Config Manager I can view installed certs, but I cannot add any. In Config Editor I can set the default cert type, but nowhere can I import or upload a cert.

I've seen loads of people who give very brief one-line answers, but they are not complete enough to point me in the right direction! (end of rant) :)

Any assistance would be greatly appreciated.

Felix Martel

Dec 2, 2022, 2:01:56 PM
to pwm-general
Ok. After a good night's sleep, I was able to get back at it this morning and get things working. For the benefit of anyone else having this issue, here are answers to my own questions:

1: How do I add domain controllers to the LDAP config?

Answer: After activating config mode (in <PWM files location>\PwmConfiguration.xml, line 24, set configIsEditable to "true" and reload the JVM or restart Tomcat), you can go into Configuration Editor from the PWM home page (http://localhost:8080/pwm). From the base menu, go to LDAP ⇨ LDAP Directories ⇨ default ⇨ Connection. From here you can add/remove domain controllers.

2: How do I upload certs for those additional DCs?

Answer: From the same page as for #1, once you have added your DCs, you can retrieve their certs with a single click (Import from Server).

3: How do I modify the SAN for my server certs?

Answer: Assuming you have AD CS running in your infrastructure, from the DC, go to Manage computer certificates, then go to Personal and then right-click on Certificates > All Tasks > Request New Certificate. Depending on the domain enrollment policy enforced, you will choose either a Domain Email Replication or a Web Server certificate and click on Enroll. The certificate will be generated automagically with the required SAN entries you need for PWM to reach the DC. After that, if like me you were receiving 5015 or 5017 errors after initial installation, just refer to #2 above and reload the server certs. This should fix your issue.

robert...@uwrf.edu

Dec 5, 2022, 10:50:41 AM
to pwm-general
I don't know if anybody else runs into this, but please be aware that by default, a domain controller will use whatever certificate is expiring latest, so pay attention to the expirations and how frequently your DC renews its own certificate from CS. When it does that, you will likely need to go in and import the updated certificates to restore access. We use commercially-issued certificates on our DCs due to trust issues with some applications and only recently discovered that we can put certs in the NTDS certificate store to override the DC's certificate preferences. Up to this point, we've been having to rotate certificates every few (4-6) months due to the DCs renewing their AD CS-issued certificate and switching to that instead of the commercial certificate.

-Robert
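One way to check the two conditions discussed in this thread (Felix's answers #2 and #3: the DC's FQDN must be in the SAN of the certificate PWM imports; Robert's note: the DC silently switches to whichever certificate expires latest, which breaks the cert PWM has stored), as an added PowerShell example that is not part of the thread or of PWM. It connects to each DC on LDAPS and reports what the DC presents right now; the DC names and the warning window are placeholders.

```powershell
# Added example, not from the thread or the PWM project. For each DC, open an LDAPS
# connection and report the certificate the DC actually presents, so you can see
# (a) whether the DC's FQDN is in the SAN (the usual cause of PWM error 5015/5017) and
# (b) which issuer/expiry the DC picked, so a re-import into PWM can be scheduled
# before the DC renews and switches certificates.
# Assumptions: DC names and the warning window are placeholders; DnsNameList is the
# property PowerShell adds to X509Certificate2 objects.
$DomainControllers = @('dc01.example.local', 'dc02.example.local')  # placeholder FQDNs
$WarnDays = 30

function Get-LdapsCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever chain the DC sends: this script only inspects the certificate.
        # Trust is decided when the cert is imported into PWM, not here.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $client.Close()
    }
}

function Test-DcCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$WarnDays = 30)
    $cert = Get-LdapsCertificate -HostName $HostName
    $sans = @($cert.DnsNameList | ForEach-Object { $_.Unicode })
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
    [pscustomobject]@{
        DC           = $HostName
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer       # shows whether the DC chose the AD CS cert or the commercial one
        Thumbprint   = $cert.Thumbprint   # compare with the cert stored under PWM's LDAP connection settings
        SANs         = ($sans -join ', ')
        FqdnInSan    = ($sans -contains $HostName)   # $false here is the typical 5015 cause
        DaysLeft     = $daysLeft
        ReimportSoon = ($daysLeft -le $WarnDays)     # DC renewal is near; expect to re-import into PWM
    }
}

foreach ($dc in $DomainControllers) {
    try   { Test-DcCertificate -HostName $dc -WarnDays $WarnDays }
    catch { Write-Warning "$dc : $($_.Exception.Message)" }
}
```

Running this on a schedule and alerting on a changed Thumbprint gives advance notice of the rotation Robert describes, instead of discovering it from a PWM login failure.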