OK Tarun, everything looks OK from LDP.exe; at least I am able to connect and browse. But with ldapbrowse I am getting "CA certificate is not in server certificate chain." So, to back up a bit, the certificate that I need on the freeradius box is the one you can retrieve via the web interface on the m$ certificate server when you select the "Retrieve the CA certificate or CRL" radio button?

"Tarun Bhushan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/21/2004 04:56 PM
Please respond to: [EMAIL PROTECTED]
To: <[EMAIL PROTECTED]>
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

Steve

Looks like the LDAPS connection from non-Windows-native clients is not working properly. From a Windows workstation (not on the AD machine), first try LDP.EXE (Microsoft Win2K Support Tools LDAP utility) with the SSL flag set to get to your AD LDAP server and see if this works. This shows if LDAPS is working from a Windows-native point of view. Next, try LDAP Browser/Editor (http://www.iit.edu/~gawojar/ldap/) to access the AD with LDAPS (on Windows you will need Sun Java) and import your AD root CA cert (use the same PEM file as used before; see the documentation below). If you can connect now, this will provide an indication that connection from "non-Windows-native" clients works with LDAPS.

Once that works, you can then go on from there.

Regards
Tarun

===================== Doc - is a sample session ============================

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -list -keystore "C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts"
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 15 entries


C:\Program Files\Java\j2re1.4.1_03\bin>keytool -import -v -alias somecompany_ad_ca -file c:\temp\somedc.ca.pem -keystore "C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts"
Enter keystore password:  changeit
Owner: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Issuer: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Serial number: something
Valid from: <date> until: <date>
Certificate fingerprints:
        MD5:  something
        SHA1: something
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Saving C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts]

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -list -keystore "C:\Tools\ldapbrowser\lbecacerts"
Enter keystore password:  changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 6 entries


C:\Program Files\Java\j2re1.4.1_03\bin>keytool -import -v -alias somecompany_ad_ca -file c:\temp\somedc.ca.pem -keystore "C:\Tools\ldapbrowser\lbecacerts"
Enter keystore password:  changeit
Owner: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Issuer: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Serial number: something
Valid from: <date> until: <date>
Certificate fingerprints:
        MD5:  something
        SHA1: something
Trust this certificate? [no]:  yes
Certificate was added to keystore
[Saving C:\Tools\ldapbrowser\lbecacerts]

============================ End Doc ==================================

-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]
Sent: Sunday, 21 March 2004 12:28 PM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD


OK, I got that problem fixed on the Windows side. Now I am getting an immediate Access-Reject; here is the debug:

<snip>
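The check that ldapbrowse performs when it reports "CA certificate is not in server certificate chain" (the error in the top message) reproduced with openssl, as an added example that is not part of this thread. All certificates are constructed test data in a temporary directory; only the DC name somedc.somecompany.com is taken from the sample session above, and the CA names are assumptions.

```sh
#!/bin/sh
# Added example (not from the original thread): reproduce the chain check
# behind the ldapbrowse error with openssl. All certificates below are
# constructed test data; the DC name comes from the sample session above.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Issuing CA: plays the role of the Windows 2000 enterprise CA whose
# certificate is downloaded via "Retrieve the CA certificate or CRL".
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Somecompany Enterprise CA" -keyout ca.key -out ca.pem 2>/dev/null
# An unrelated CA: simulates importing the wrong certificate into cacerts.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=Unrelated CA" -keyout other.key -out other.pem 2>/dev/null
# Domain controller certificate, issued by the enterprise CA.
openssl req -newkey rsa:2048 -nodes -subj "/CN=somedc.somecompany.com" \
    -keyout dc.key -out dc.csr 2>/dev/null
openssl x509 -req -in dc.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out dc.pem 2>/dev/null

# chain_ok CAFILE SERVERCERT: succeeds only when CAFILE anchors SERVERCERT's
# chain, i.e. when importing CAFILE into the client keystore would satisfy
# the LDAPS client; this is what "CA certificate is not in server
# certificate chain" reports the failure of.
chain_ok() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# issuer_matches CAFILE SERVERCERT: quick DN check without chain building;
# the server cert's Issuer must equal the CA cert's Subject.
issuer_matches() {
    [ "$(openssl x509 -in "$2" -noout -issuer | sed 's/^issuer=//')" = \
      "$(openssl x509 -in "$1" -noout -subject | sed 's/^subject=//')" ]
}

if chain_ok ca.pem dc.pem; then echo "ca.pem: in the DC's chain, import this one"; fi
if ! chain_ok other.pem dc.pem; then echo "other.pem: not in the DC's chain"; fi
```

Against a live DC the served chain can be dumped with `openssl s_client -connect somedc.somecompany.com:636 -showcerts` and its issuer compared the same way before touching the keystore.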


-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html