My previous response sucked, so I went digging. Here's what I came up with:
http://www.microsoft.com/downloads/details.aspx?FamilyId=779DEDAA-2687-4452-901E-719CE6EC4E5A&displaylang=en
 
I think the relevant portion starts on page 41, but it might help to scan
through the whole thing to see if the scenario fits your situation.
 
Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Deji Akomolafe
Sent: Fri 2/10/2006 10:24 AM
To: [email protected]
Subject: RE: [ActiveDir] SSL to ADAM with a vanity URL

It is the SUBJECT_ALT_NAME

The SUBJECT name will be the "vanity url" Mr. Oteece mentioned, and the
SUBJECT_ALT_NAME will be the FQDN of the 2 servers involved.

I just did a quick "SUBJECT_ALT_NAME site:microsoft.com" google query and
came up empty. That's surprising because I think that this is documented
somewhere at MS. I remember doing this for Live Communication Server 2005
deployments.

IIRC (can't test to verify now, sorry), you configure this on the CA by doing
certutil -setreg policy<something or the other (again, I don't remember the
full syntax). I think the attribute is called something like
attributesubjectaltname.

After you get that going then you do
SAN:DNS=thevanityurl&DNS=server1FQDN&DNS=server2FQDN

Hope that gives you enough pointers

Sincerely,

Dèjì Akómöláfé, MCSE+M MCSA+M MCT
Microsoft MVP - Directory Services
www.readymaids.com - we know IT
www.akomolafe.com
Do you now realize that Today is the Tomorrow you were worried about
Yesterday?  -anon

________________________________

From: [EMAIL PROTECTED] on behalf of Eric Fleischman
Sent: Fri 2/10/2006 9:34 AM
To: [email protected]
Subject: RE: [ActiveDir] SSL to ADAM with a vanity URL

The client wants to get a cert back with a name that matches the resource it
connects to. Else, you connected to a resource but got a cert for a
non-matching resource, so perhaps there was something like DNS spoofing that
tricked you into going there. This is potentially bad.

Set up each instance to have a cert with a name that matches the vanity URL
and put that cert in the ADAM service store. Ensure the cert is marked for
server auth.

ADAM will pick it up directly this way, not ask SCHANNEL what the right cert
is, and you can party on like it's 1999.

There is a way to do this w/o a matching name, something about putting it in
another field (perhaps it was alt subject, I'm not sure). I don't know, I'm
not much of a cert guy. I talked with the cert people once who said this
should work and a customer confirmed it.

~Eric

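As an added example (not code from the thread or from ADAM), the name check Eric describes above, run against the SAN layout Deji describes (vanity name plus both server FQDNs). Certificates are constructed dicts in the shape Python's ssl.getpeercert() returns; ldap.example.com, adam1.corp.example.com and adam2.corp.example.com are made-up names.

```python
# Added example (not from the thread): the hostname check a TLS client
# applies to a server certificate. Certificates are constructed dicts in
# the shape ssl.getpeercert() returns; all hostnames are made up.

def san_dns_names(cert):
    """DNS entries from the subjectAltName extension, in order."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]

def subject_cn(cert):
    """commonName from the subject, or None if absent."""
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def _name_matches(pattern, host):
    """Case-insensitive; a leading '*.' covers exactly one left-most label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern.startswith("*."):
        labels = host.split(".")
        return len(labels) > 1 and ".".join(labels[1:]) == pattern[2:]
    return pattern == host

def cert_matches_host(cert, host):
    """RFC 6125 rule: when any SAN DNS name is present, the CN is ignored."""
    names = san_dns_names(cert) or [n for n in [subject_cn(cert)] if n]
    return any(_name_matches(n, host) for n in names)

def check_names(cert, hosts):
    """Map each name a client might connect with to whether the cert covers it."""
    return {h: cert_matches_host(cert, h) for h in hosts}

# Constructed: one certificate for each deployment style discussed.
SAN_CERT = {
    "subject": ((("commonName", "ldap.example.com"),),),
    "subjectAltName": (("DNS", "ldap.example.com"),
                       ("DNS", "adam1.corp.example.com"),
                       ("DNS", "adam2.corp.example.com")),
}
FQDN_ONLY_CERT = {"subject": ((("commonName", "adam1.corp.example.com"),),)}

if __name__ == "__main__":
    hosts = ["ldap.example.com", "adam1.corp.example.com", "adam2.corp.example.com"]
    print("SAN cert:      ", check_names(SAN_CERT, hosts))
    print("FQDN-only cert:", check_names(FQDN_ONLY_CERT, hosts))
```

The FQDN-only certificate is accepted when the client connects by server name but rejected for the vanity name, which is the mismatch Eric's message describes.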
________________________________

From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Mr Oteece
Sent: Friday, February 10, 2006 9:22 AM
To: [email protected]
Subject: [ActiveDir] SSL to ADAM with a vanity URL

Is it possible to set up two ADAM instances and have them both respond to the
same "vanity url" over ssl? Both ADAMs are running on the same port. I
currently just have a RR DNS record with both entries in it for testing. I
have an SSL cert with the new name installed on both systems. Connections
without SSL work fine, but SSL binds fail. Is this a supported config? Any
ideas why it is not working?

List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/