SGD With Active Directory
This might seem like a silly question, but the documentation doesn't seem to indicate. If I want to use secure connections to a Windows 2000 domain controller, I need to check the "Use Certificates" box.
I'm following this procedure: http://sgddemo.sun.com/tarantella/help/en-us/tsp/gettingstarted/secure_ldap.html
Do I need to enable SSL on the domain controller for this to work? I see them saying it's required for the LDAP server, but I don't see it for the AD server.
Thanks,
Jason
By JOlsona at 2007-11-27 10:32:50

# 1
AD connections are already secure . . . notice that for LDAP you change URL to LDAPS, as SSL is required for LDAP to make connections secure.
# 2
Ok, so on this AD server, we don't have SSL enabled. You can't connect to it on port 636 for LDAP.
You're saying the connections are secure anyway? Right now when we check "Use Certificates" we get an error like this:
Failed to discover some Active Directory Site, Domain or server data.
This might mean LDAP users cannot log in.
Make sure the DNS server contains the Active Directory service
records for the forest. Make sure a Global Catalog server is available.
2007/07/13 18:30:26.165 (pid 751)server/ldap/warningerror#1184351426165
Sun Secure Global Desktop Software (4.31) WARNING:
Active Directory service discovery partially failed: Encountered ASN.1 tag 48 (expected tag 10)
Looking up Global Catalog DNS name: _gc._tcp.xxx.xxx. - HIT
Looking for GC on server: Active Directory:dc1:/192.168.xxx.xx1:3268:Up - ERROR
Looking for GC on server: Active Directory:dc2:/192.168.xxx.xx2:3268:Up - ERROR
Failed to discover some Active Directory Site, Domain or server data.
This might mean LDAP users cannot log in.
Make sure the DNS server contains the Active Directory service
records for the forest. Make sure a Global Catalog server is available.
2007/07/13 18:30:26.165 (pid 751)server/ldap/error#1184351426166
Sun Secure Global Desktop Software (4.31) ERROR:
LDAP call failed: null lookupLink-.../_ldapmulti/forest/("DC=XXX,DC=XXX") 19ms javax.naming.NameNotFoundException: Failed to lookup a Global Catalog server
A call to LDAP failed. This might mean LDAP users cannot log in.
Check the operation was correct, the LDAP configuration is valid, and the LDAP server is still running.
2007/07/13 18:30:26.165 (pid 751)server/login/info#1184351426167
# 3
We got SSL enabled on the AD servers by installing certs on them, but I'm still getting this error:
2007/07/16 21:22:49.551 (pid 7277)server/kerberos/info#1184620969551
Kerberos attempting to log in USER in to XXX.XXX
2007/07/16 21:22:50.110 (pid 7277)server/kerberos/moreinfo#1184620970110
Kerberos succeeded in authenticating USER@XXX.XXX to XXX.XXX
2007/07/16 21:22:50.113 (pid 7277)server/ldap/moreinfo#1184620970113
NSLookup succeeded: "xxx.xxxx.xxx." returned xxx.xxx.xxx.xxx
2007/07/16 21:22:50.114 (pid 7277)server/ldap/moreinfo#1184620970114
NSLookup succeeded: "xxxx.xxx.xxx." returned xxx.xxx.xxx.xxx
2007/07/16 21:22:50.114 (pid 7277)server/ldap/moreinfo#1184620970115
Service lookup succeeded: "_gc._tcp.xxx.xxx." returned 192.168.15.21:3268 192.168.15.20:3268
2007/07/16 21:22:50.122 (pid 7277)server/ldap/warningerror#1184620970122
Sun Secure Global Desktop Software (4.31) WARNING:
Active Directory service discovery partially failed: Encountered ASN.1 tag 48 (expected tag 10)
Looking up Global Catalog DNS name: _gc._tcp.xxx.xxx. - HIT
Looking for GC on server: Active Directory:xxx.xxx.xxx.xxx:/xxx.xxx.xxx.xxx:3268:Up - ERROR
Failed to discover some Active Directory Site, Domain or server data.
This might mean LDAP users cannot log in.
The difference between what I did and the docs is, I'm running Windows 2000 for my AD, and we have a separate CA that signed the certs. I've installed the root CA cert on both of the AD servers and on my SGD box.
Does anyone know what might be causing this type of error?
# 4
Ok, so we upgraded the AD to win2k3. I have a new set of issues; I believe they stem from us not using the Windows CA, but using an external one instead.
We've generated requests from the SGD server and the Domain Controller, and had them signed, and installed them on each one. I've also installed the Root CA Cert onto the windows machine and into the cacerts area for SGD.
The error I get now is this:
Active Directory service discovery partially failed: [LDAP: error code 52 - 00000000: LdapErr: DSID-0C090CF0, comment:
Error initializing SSL/TLS, data 0, vece^@]
Looking up Global Catalog DNS name: _xx._tcp.xxxx.xxx. - HIT
Looking for GC on server: Active Directory:xxxxxx.xxxx.xxx:/xxx.xxx.xxx.xxx:3268:Up - ERROR
From searching the internet I'm under the impression that this means there was a problem with the certificate chain. Has anyone ever tried to set up SGD using AD (with "Use Certificates" enabled to allow changing expired passwords) with an external CA?
Thanks for any help,
Jason
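The two log lines that recur in this thread are both about how SGD decodes LDAP responses: "Encountered ASN.1 tag 48 (expected tag 10)" in posts #2 and #3, and "[LDAP: error code 52 ...]" in post #4. The following is an added example written for this thread, not SGD or Sun code, that decodes those numbers with a small BER reader. Tag 48 (0x30) is a UNIVERSAL constructed SEQUENCE, the wrapper of every LDAPMessage; tag 10 is UNIVERSAL ENUMERATED, the type of the resultCode inside an LDAPResult, so the message says the decoder was positioned at an outer SEQUENCE when it wanted a result code. Result code 52 is unavailable in RFC 4511. The BindResponse below is constructed for the example; its diagnostic text is copied from post #4, and the trailing NUL byte reproduces the "^@" seen in the log.

```python
"""Minimal BER/LDAP decoder for reading the LDAP error lines in this thread.

Added example, not SGD code. Decodes the identifier octets named in the
log (tag 48, tag 10) and walks a constructed LDAP BindResponse carrying
resultCode 52 (unavailable), the code quoted in post #4.
"""

# Universal tag numbers that occur inside an LDAPMessage (X.690 / RFC 4511).
UNIVERSAL_NAMES = {1: "BOOLEAN", 2: "INTEGER", 4: "OCTET STRING",
                   10: "ENUMERATED", 16: "SEQUENCE", 17: "SET"}
CLASS_NAMES = {0: "UNIVERSAL", 1: "APPLICATION", 2: "CONTEXT", 3: "PRIVATE"}

# LDAP result codes relevant here (RFC 4511, section 4.1.9).
RESULT_CODES = {0: "success", 49: "invalidCredentials", 52: "unavailable"}


def describe_tag(identifier: int) -> str:
    """Explain one BER identifier octet: class, constructed flag, tag number."""
    cls = CLASS_NAMES[(identifier >> 6) & 0x03]
    constructed = "constructed" if identifier & 0x20 else "primitive"
    number = identifier & 0x1F
    name = (UNIVERSAL_NAMES.get(number, f"tag {number}")
            if cls == "UNIVERSAL" else f"[{cls} {number}]")
    return f"{identifier} (0x{identifier:02X}) = {cls} {constructed} {name}"


def tlv(tag: int, value: bytes) -> bytes:
    """Encode one BER TLV with a definite length (short or long form)."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    length_octets = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length_octets)]) + length_octets + value


def read_tlv(buf: bytes, pos: int):
    """Read one BER TLV at pos; return (identifier, value_bytes, next_pos)."""
    identifier = buf[pos]
    if identifier & 0x1F == 0x1F:
        raise ValueError("long-form tag numbers are not used by LDAP")
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated element")
    return identifier, buf[pos:end], end


def expect(buf: bytes, pos: int, wanted: int):
    """Read a TLV; raise the same wording as the SGD log if the tag differs."""
    identifier, value, nxt = read_tlv(buf, pos)
    if identifier != wanted:
        raise ValueError(f"Encountered ASN.1 tag {identifier} (expected tag {wanted})")
    return value, nxt


def tag_mismatch_message(buf: bytes, wanted: int) -> str:
    """Return the decoder's complaint for reading buf as `wanted`, or 'ok'."""
    try:
        expect(buf, 0, wanted)
    except ValueError as exc:
        return str(exc)
    return "ok"


def decode_bind_response(msg: bytes) -> dict:
    """Decode LDAPMessage { messageID, bindResponse [APPLICATION 1] LDAPResult }."""
    body, _ = expect(msg, 0, 0x30)             # LDAPMessage ::= SEQUENCE
    msg_id_raw, pos = expect(body, 0, 0x02)    # messageID INTEGER
    op, pos = expect(body, pos, 0x61)          # bindResponse: APPLICATION, constructed, 1
    code_raw, p = expect(op, 0, 0x0A)          # resultCode ENUMERATED (tag 10)
    matched_dn, p = expect(op, p, 0x04)        # matchedDN (OCTET STRING)
    diag, p = expect(op, p, 0x04)              # diagnosticMessage (OCTET STRING)
    code = int.from_bytes(code_raw, "big")
    return {
        "messageID": int.from_bytes(msg_id_raw, "big"),
        "resultCode": code,
        "resultName": RESULT_CODES.get(code, "unknown"),
        "matchedDN": matched_dn.decode("utf-8"),
        # AD ends its diagnostic text with a NUL byte (the "^@" in the log).
        "diagnosticMessage": diag.decode("utf-8").rstrip("\x00"),
    }


# Constructed sample: diagnostic text copied from post #4, NUL-terminated as AD sends it.
SAMPLE_DIAG = (b"00000000: LdapErr: DSID-0C090CF0, comment: "
               b"Error initializing SSL/TLS, data 0, vece\x00")


def build_sample_bind_response(code: int = 52, diag: bytes = SAMPLE_DIAG) -> bytes:
    """Build a BindResponse for messageID 1 with the given result code and text."""
    result = tlv(0x0A, bytes([code])) + tlv(0x04, b"") + tlv(0x04, diag)
    return tlv(0x30, tlv(0x02, b"\x01") + tlv(0x61, result))


if __name__ == "__main__":
    print(describe_tag(48))
    print(describe_tag(10))
    sample = build_sample_bind_response()
    print(decode_bind_response(sample))
    # Reading the whole message where a resultCode is wanted yields the log's wording.
    print(tag_mismatch_message(sample, 0x0A))
```

Run stand-alone, the script prints what tags 48 and 10 are, decodes the sample to resultCode 52 (unavailable) with the post #4 diagnostic text, and reproduces the exact "Encountered ASN.1 tag 48 (expected tag 10)" wording by asking for an ENUMERATED at the start of a message that begins with a SEQUENCE. It does not diagnose why SGD reached that state against these particular controllers; it only makes the two log lines readable.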
