[.NET] Using SSL with ADAM (AD LDS)

Erlend,

I am desperately trying to do this and it's not working for me. My issuing server is the same as my ADAM server, and I am running LDP on the same machine to test. It's giving me the following error:

ld = ldap_sslinit("[My_Serer_DNS]", 636, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to [My_Serer_DNS].

Please help. I've been trying to get it to connect to the darn server using ASP.net for 3 days now with hopes of having it do a userProxy to my AD. Works great for regular inetOrgPerson users but not at all for userProxy users. Very strange.

If you can, please email me as well since that would make it easier to communicate. My email is df41 _at_ cornell _DOT_ edu

thanks so much for your help!

Danny

You may have to install the root certificate of the CA (which issued the certificate to your ADAM service), in the "Trusted certificate authorities"-store on your client computer. This will allow ldp to create a trusted SSL connection to ADAM.

Same thing as Danny. I've tried with a Thawte test certificate, and it works with IIS, but I still cannot connect to ADAM through SSL. So I guess the problem does not come from the "Trusted certificate authorities". I'm using ADAM SP1, under XP Pro. Are there other ways to test if ADAM is properly configured?
dodot63-at-gmail-dot-com

I just wanted to set passwords on inetOrgPerson. I found another way to do it: in ADAM you can disable password security easily. Of course this only suitable for testing.

From Microsoft ADAM FAQ :

As a best security practice, you should not disable strong encryption in a production environment. Strong encryption ensures that passwords are transmitted only across secure channels. For test environments only, you can disable strong encryption, as described in the following procedure.

To disable the requirement for strong encryption in ADAM:

1. Open an ADAM Tools command prompt.

2. At the command prompt, type dsmgmt.

3. At the dsmgmt prompt, type ds behavior.

4. At the ds behavior prompt, type connections.

5. At the connections prompt, type connect to server computername:portnumber, where computername:portnumber represents the ADAM instance to which you want to connect.

6. At the connections prompt, type q.

7. At the ds behavior prompt, type allow passwd op on unsecured connection.

8. To exit, type q twice.

http://www.microsoft.com/windowsserver2003/adam/ADAMfaq.mspx

SSL issue too

Hi

I am having the same SSL problem as well. My email is dougalk@gmail.com

SSL issue

You need to put the certificate in the Trusted certificate store on the client machine, and the service store on the ADAM server. Also you need to give the account running ADAM access to the key. To do this, try using winhttpcertcfg.exe

Excellent steps!
I did this, but for some reason, I don\\\'t see a key in RSA\\\\MachineKeys. I do have \\\"view hidden files\\\".

After restarting ADAM, SSL isn\\\'t working either.

The eventviewer says:
8009030d The credentials supplied to the package were not recognized

I also noticed that the event viewer says that the user is NT AUTHORITY\\\\ANONYMOUS LOGON.

I know there\\\'s a way to request a certificate via the MMC Certificate snap-in. That option gives me errors too.

/Thomas

certsrv error

Hi,
Maybe this is a little out of date, but after following this instructions, step 9 of first set, I’m getting the following error.
Please, could you be so kind and give me a clue on how workaround?
Thanks in advance.
Best regards.
Ricardo
rsmachado@wavenet.com.br

Microsoft Certificate Services -- RSMca Home

Error

You did not come to this page as a result of a form submission.
You may not bookmark this page.
Contact your administrator for further assistance.
Request Mode:
- (no form data)
Disposition:
(never set)
Disposition message:
(none)
Result:
The operation completed successfully. 0x0 (WIN32: 0)
COM Error Info:
LastStatus:
The operation completed successfully. 0x0 (WIN32: 0)
Suggested Cause:
No form data was included in the HTTP request. This is most likely caused by reaching this page through a bookmark.

Re: certsrv error

I'm sorry, but I haven't seen this error before. Maybe you can try to post the error on http://forums.iis.net

Hi,

I have this error :
ld = ldap_sslinit(\"CG69-SERVER.rhone.fr\", 50001, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to CG69-SERVER.rhone.fr.

Someone have ever seen this error?

Thanks for your help

Re: Greg's post

I'm sorry to say I have not seen this error before. Try connecting to the port using telnet first, and see if there is actually something listening to the port, and that you are not beeing blocked by the firewall. Also make sure you are connecting to the SSL port of your ADAM server.

certsrv error

Try using the adam service account to perform all of the above tasks. I have the same problem and resolved it by using the adam account to request the cert and copy the cert to the computer store.

How do I enable SSL Client Auth in ADAM?

We have set up SSL in ADAM. ldp works fine. But SSL client auth does not work. How can I enable the SSL CLIent auth in ADAM.

Re: How do I enable SSL Client Auth in ADAM?

I'm don't know really. I have never tried to use SSL Client Auth. In an ASP.NET enviroment only the web server will connect to the ADAM-instance, and the users connect to the web-server and does not know wether there is an ADAM or a SQL database. I what you want, is the web server to authenticate with ADAM using an SSL certificate to do client authentication, I don't know how to do this. If you want your users to authenticate with ASP.NET using SSL Client auth, I think you then need to create a custom MembershipProvider, but I have never worked on this.

LDAP SSL ADAM

The problem above is caused because of rights.

After using the above solutions (proper name in certificate, setting rights for the user for the Adam instance service account on the key store RSA\machines dir, etc), I solved the problem by using another account on the ADAM-instance service. Default this is "network service" I solved the problem by running the LDAP-ADAM instance under administrator. So solution would probably be to make a dedicated ADAM service account under which this service is running.

Eventually (I might have to test this further) it could be that the user for this service should also be given the role administrator in the ADAM instance itself.

Error <0x51>: Fail to connect to [My_Serer_DNS].

Hi,
I have the same issue like Danny and the same error message.
We used a offical server certificate, installed it, set the permissions on the folder and the certificate, rebootet the server and still receive the Error Danny mentioned :
ld = ldap_sslinit("[My_Serer_DNS]", 636, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to [My_Serer_DNS].

Are there any working hints on this?

Thanks and Regards
Thorsten

Re: Error <0x51>: Fail to connect to [My_Serer_DNS].

1. Did you install the certificate in the service store, not the local machine or user store?
2. Use winhttpcertcfg.exe to grant permission to the certificate to the account running ADAM
3. Make sure that certificate is from a CA that is trusted on the computer you are connecting from

This REALLY WORKS

http://www.ultravoid.com/wordpress/?p=16

Thanks!!

Im not sure if the author ever checks these comments, but if you do... THANKYOU!!! We switched from verisign to an internal PKI and I couldnt get LDAPS working to adam, after following these steps its working perfectly.

Much appreciatted..

Re:Thanks!!

Glad to be of help to you

LDP ok, but not from acegi...

I can now bind over SSL using ldp (either as user or doing simple bind), but my simple bind attempt from my application (using Spring/Acegi) is failing with simply: \"simple bind failed\"... I\'m convinced I\'m using the same URL/params in both cases, but obviously something is different... any thoughts or help would be greatly appreciated...
thanks
Carl

ERROR: Could not create the ADAM instance. Script aborting...

Hi All,

In regards to ECTS Instalation.

1. Can we test ECTS on a Standalone system (Windows Server 2003 Standard Edition).

2. Can we test Extranet Without SSL Certificates?

3. Can we place extranet on port 80 while testing.

4. For testing purpose what should be DC Details on my test server.

eg: CN=ExternalUsers,DC=???????,DC=???

Here are some thing which i have done on my server.

I have installed following on Windows Server 2003 Standard Edition

1. Installed SQL Server 2005 - succesfull

2. Downloaded Active Directory Application Mode (ADAM) from dowload centre and installed with out creating instance -successfull.

3. Installed MOSS 2007 Enterprise Edition- Successfull.

4. Created Web Application (http://server:80) - works fine

5. Extented above created web app to extranet on port 80 as i do not want use SSL for test purpose.

with followinf header sharepoint.domain.net so now created web site will http://sharepoint.domain.net:80 - successfull

6. Created a site collection -successfull

7.Then i setuped Formbased Authentication - done

8.Then i installed ECTS which extracted all the file into my documents folder.

9.Then fired the ECTSSetupWizard.hta



Wizard failed for ADAM and rest two insalled succesfully



Following log file cameup when i click check result

Microsoft (R) Windows Script Host Version 5.6
Copyright (C) Microsoft Corporation 1996-2001. All rights reserved.

Running: cscript ects_setup_adam.vbs CN=ExternalUser,DC=domain,DC=net 80 80

Creating the instance...
ERROR: Could not create the ADAM instance. Script aborting...


Note: This is single standalone system where i am test ECTS for extranet site.

My experts any help much appriciated as this is a challenge for me to get right before doing any thing on my production box.

My Advance thanks for any advice to complete my adventure in this area.



Thanks.

Raj Marikanti

rajenmari at yahooDOTcom

Try This

In regards to this error message

ld = ldap_sslinit(\"[My_Serer_DNS]\", 636, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to [My_Serer_DNS].

I kept having issues then I read somewhere to try to export from the personel store and import to the Adam Instance store. then make sure permissions were correct and that seemed to work for me.

Super Blog!!!!

Your blog saved at least 40 hours of work for us. This is an amazing blog. Keep it going.

636 or 389..

The above error is received on my system if i use anything else then port 636 for my ADAM ssl. So... verify that ldp, connects ok, AND that ldp AND web config , uses same ports and server names as in certificates. Dont trust , if running on several servers , that changes are deployed , verify that files are identical !


<connectionStrings>

<add name=\"ADAMConnectionString\" connectionString=\"LDAP://HPIAP253APPLIC.adsp.ispartner.com:636/CN=Eksternals,DC=ispartner,DC=com\" />
<add name=\"DBConnectionString\" connectionString=\"Data Source=HPIAP254DB; Database=ECTS; Integrated Security=SSPI\" />
</connectionStrings>

636 or 389..

The above error is received on my system if i use anything else then port 636 for my ADAM ssl. So... verify that ldp, connects ok, AND that ldp AND web config , uses same ports and server names as in certificates. Dont trust , if running on several servers , that changes are deployed , verify that files are identical !


<connectionStrings>

<add name=\\\"ADAMConnectionString\\\" connectionString=\\\"LDAP://xxx:636/CN=Eksternals,DC=ispartner,DC=com\\\" />
<add name=\\\"DBConnectionString\\\" connectionString=\\\"Data Source=HPIAP254DB; Database=ECTS; Integrated Security=SSPI\\\" />
</connectionStrings>

Windows Server 2008

On Windows Server 2008 you have to give Network Service Read permissions to C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys for SSL binding to work.

Container Specified in the connection string does not exist

Hi Erlend,

ADAM Secure authentication work for my application if I run it from Visual Studio 2005. But it throws exception - \"Container Specified in the connection string does not exist\"
if I host it on IIS 7.0 and run it from there. My connection string contains LDAP://MachineName:636/OU=Users,O=TestDirectory\"

My machine is in workgroup and not in a domain.

Sharepoint with SSL and ADAM

Hello
We have implemented SSL on ISA server and we have implemented FBA-ADAM. It is working properly except whenever we use Multiple Upload, Outlook Connect, connect to Windows Explorer, it gives error "Cannot run Windows SharePoint Services on this page". If we stop SSL on ISA, all these functions work properly.

I tried following connecion string, but none of these is solving my problem
--------------------------------------
<add name="ADAMMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="portal" port="50000" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="cn" userContainer="OU=MYADAM,O=USERADAM,C=US" userObjectClass="user" userFilter="(ObjectClass=user)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
----------------------------------------------
<add name="ADAMMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="portal" port="50000" useSSL="true" userDNAttribute="distinguishedName" userNameAttribute="cn" userContainer="OU=MYADAM,O=USERADAM,C=US" userObjectClass="user" userFilter="(ObjectClass=user)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
-----------------------------
<add name="ADAMMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="portal" port="50001" useSSL="true" userDNAttribute="distinguishedName" userNameAttribute="cn" userContainer="OU=MYADAM,O=USERADAM,C=US" userObjectClass="user" userFilter="(ObjectClass=user)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />
-----------------------
<add name="ADAMMembership" type="Microsoft.Office.Server.Security.LDAPMembershipProvider, Microsoft.Office.Server, Version=12.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" server="portal" port="50001" useSSL="false" userDNAttribute="distinguishedName" userNameAttribute="cn" userContainer="OU=MYADAM,O=USERADAM,C=US" userObjectClass="user" userFilter="(ObjectClass=user)" scope="Subtree" otherRequiredUserAttributes="sn,givenname,cn" />

Can\'t connect with client

When I use a client to connect to the ADAM server on 636, I get mixed results. If I use the program LDAPAdmin from source forge, then it allows me to view the certificate and decide yes/no if I want to connect to the ADAM. If I use ldp, it won\'t connect to the 636 port at all, and simply states \"Failed to connect to machine.domain.com\". As the client machine I have tried installing both the ADAM certificate and the CA root certificate in all 3 stores (Current User/Local Machine/ADAM Service), both in Personal and Trusted Root CAs. LDAPAdmin has no problems, but nothing seems to allow ldp to work. I\'m open to ideas.

How about Wild Card Certificate ?

Have you or anyone establish the process in using a wild card certificate Eg *.domain.com instead of the computer-FQDN certificate. This is because many case of ADAM is NLB on 2 hosts. wild card certificate faciliate NLB.

Use correct certificate

I also had a lot of problems in getting the SSL connectivity up an running. I think the problem was the certificate, which probably didn\'t contain all the attributes that ADAM was expecting.

After using a Verisign trial certificate everything worked fine.

Re:Use correct certificate

Yes, the CA has to be installed on probably both server and client in the "Trusted Root Certificates" store. If not, it will probably be unwilling to establish the SSL connection, because the remote party is not trusted.

SharePoint 2010 FBA with AD LDS on SSL port

Dear Erlend,

Your blog had been of great help to me. Now I am facing an issue while configuring FBA with SharePoint 2010 (win 2008 R2) using AD LDS as data store on ssl port. My FBA works perfectly fine with LDS on non SSL port but it just does not for SSL on LDS.
1. I have already created a self signed cert sing IIS7 and imported that in the ADAM store as per (http://technet.microsoft.com/en-us/library/cc725767(WS.10).aspx) and http://technet.microsoft.com/en-us/library/cc725767(WS.10).aspx
2. Now when I change the port to SSL port and say useSSL="true" am getting "Logon failure: unknown user name or bad password" error in ULS logs and also the Directory.Bind errors.

Can you please suggest a solution to my scenario? Appreciate your help and time on this.

Thanks,
prakash.tadas@gmail.com

Re: SharePoint 2010 FBA with AD LDS on SSL port

Hello Prakash. Are you able to connect to the AD LDS using LDP.exe on the ssl port with that username and password?

Re: SharePoint 2010 FBA with AD LDS on SSL port

Yes, I am able to connect using LDP.exe and for same user.

Re: SharePoint 2010 FBA with AD LDS on SSL port

Hmm. Ok. Sounds like there is something with your configuration that's not right then. Did you set the SSL port in the URL for the LDAP in your config? Did you double-check the username/password?

I am running WSS 3.0 and have ECTS and FBA running fine on Server 2K3 R2. I want both the company link and external user's link to run on SSL. I purchased and installed a Multiple-Domain Certificate from Comodo (they say it is like a wild card cert). When I check the 'require SSL' box in IIS for both the internal and external (extended) web aps, the ECTS Admin Page web parts don't work, and the FBA converts to Windows Login. With Windows Login, it communites with AD and not the ADAM database (then external users who aren't in my AD can't log in). If I remove the SSL, everything works as expected.

I have the following scenario ...

Windows server 2008 Standard Edition CA with ADLDS installed ...

All the above steps mentioned have been followed with regard to installing the certificate in the personal store but i still do get the following error ...

ld = ldap_sslinit("Servername", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to Servername

And the Event viewer displays the follwoing error message ...

LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.

Any idea how to resolve this ?

@Ted: It can be a couple of things.
1. Check that the certificate or CA is installed correctly. Should be under the certificate store of the service, and the CA must be trusted.
2. Check that access rights for the user running AD LDS has not granted to the private key of the certificate.
3. Check that the domain name in the certificates subject name, is the same as the domain name which you use to attach.
4. Make sure the certificate is requested as a Server (as opposed to client) certificate, when you request it from the CA.

I run ldp.exe on a server (Windows 2003). The ldp.exe will connect to a AD server with both ports 389 and 636 when I run it as Administrator. But ldp.exe fail to connect the AD server when I run it as a user in adminitrators group.

Any idea?

What would one do if your internal domain name is the same as your external name? How do you allow cross site certification in this scenario?

I was also getting the Error <0x51>: Fail to connect to Servername error.
Way to solve it...
If using a SAN or wild card cert ensure the FQDN of server and common name on cert are same.
Other names dont have to match
If using the "Network Service" account, ensure the cert is imported to computer
On Windows Server 2008 you have to give Network Service Read permissions to Network Service must have read permission to C:\\ProgramData\\Microsoft\\Crypto\\RSA\\MachineKeys
Most importantly if you imported any other cert or same cert to anywhere but local machine\personal store remove them if using "Network Service" Acount LDS.
Also see http://www.identitychaos.com/2009/08/issues-when-binding-to-ad-lds-adam.html and http://blogs.technet.com/b/askds/archive/2008/03/13/troubleshooting-ldap-over-ssl.aspx for more info.

ld = ldap_sslinit(\"[FQDN]\", <port_no.>, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to [FQDN].

Had the above on a windows 2008 server and fixed it by actioning the following..

1. Import your certificate (with privatekey) into certificates(Local computer)-Personal.
2. Select the certificate you have just imported with the right hand mouse button and from the drop down menu point to all tasks | Manage Private Keys.
3. A window "Permissions" for *your-cert* opens. Click add and add in the "Network Service" account for the computer the AD LDS exists on. (I also had a service account for AD LDS and this worked too)
4. Restart AD LSD (<-funny I miss typed that but figured id leave it lol)
5. Re-Try your LDP connection.

@ALF4
Thank you for the tip on the "Manage Private Keys" drop down menu. It was the last bit I needed to get everything working.

Cheers!

I read through all the comments and didnt see this suggestion which worked for me so :

I noticed that there were no new files being added to the Microsoft\Crypto\RSA\MachineKeys folder as I was generating the certificate. Eventually I checked the "Store certificate in the local computer certificate store" check box on the cert request form, and that seemed to work for me.

Thank you erland for the post and everyone else with your hints!