Steve

What you need is the Windows root CA cert that you placed on to the FreeRADIUS box. Use the same PEM file as input on the box you are executing the LDAP Browser/Editor (LBE) from - this is the c:\temp\somedc.ca.pem file I refer to in the documentation below. I used LBE from a Windows box with the Sun Java runtime installed - works just fine.
Tarun

-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, 23 March 2004 6:36 AM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

OK Tarun, everything looks OK from LDP.exe, at least I am able to connect and browse. But with ldapbrowse I am getting "CA certificate is not in server certificate chain." So to back up a bit, the certificate that I need on the freeradius box is the one you can retrieve via the web interface on the m$ certificate server when you select the "Retrieve the CA certificate or CRL" radio button?

"Tarun Bhushan" <[EMAIL PROTECTED]>
Sent by: [EMAIL PROTECTED]
03/21/2004 04:56 PM
Please respond to [EMAIL PROTECTED]

To: <[EMAIL PROTECTED]>
cc:
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

Steve

Looks like the LDAPS connection from non-Windows-native clients is not working properly. From a Windows workstation (not on the AD machine) first try LDP.EXE (Microsoft Win2K Support Tools LDAP utility) with the SSL flag set to get to your AD LDAP server and see if this works. This shows if LDAPS is working from a Windows-native point of view. Next, try LDAP Browser/Editor (http://www.iit.edu/~gawojar/ldap/) to access the AD with LDAPS (on Windows you will need Sun Java); import your AD root CA cert (use the same PEM file as used before - see the documentation below). If you can connect now, this will provide an indication that connection from "non-Windows-native" clients works with LDAPS. Once that works, you can then go on from there.
Regards
Tarun

===================== Doc - is a sample session ============================

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -list -keystore "C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts"
Enter keystore password: changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 15 entries

thawtepersonalfreemailca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 1E:74:C3:86:3C:0C:35:C5:3E:C2:7F:EF:3C:AA:3C:D9
baltimorecodesigningca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): 90:F5:28:49:56:D1:5D:2C:B0:53:D4:4B:EF:6F:90:22
thawtepersonalbasicca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): E6:0B:D2:C9:CA:2D:88:DB:1A:71:0E:4B:78:EB:02:41
gtecybertrustglobalca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): CA:3D:D3:68:F1:03:5C:D0:32:FA:B8:2B:59:E8:5A:DB
verisignclass3ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 78:2A:02:DF:DB:2E:14:D5:A7:5F:0A:DF:B6:8E:9C:5D
thawteserverca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): C5:70:C4:A2:ED:53:78:0C:C8:10:53:81:64:CB:D0:1D
thawtepersonalpremiumca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 3A:B2:DE:22:9A:20:93:49:F9:ED:C8:D2:8A:E7:68:0D
verisignclass4ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 1B:D1:AD:17:8B:7F:22:13:24:F5:26:E2:5D:4E:B9:10
baltimorecybertrustca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): AC:B6:94:A5:9C:17:E0:D7:91:52:9B:B1:97:06:A6:E4
verisignclass1ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 51:86:E8:1F:BC:B1:C3:71:B5:18:10:DB:5F:DC:F6:20
verisignserverca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): 74:7B:82:03:43:F0:00:9E:6B:B3:EC:47:BF:85:A5:93
thawtepremiumserverca, 12/02/1999, trustedCertEntry,
Certificate fingerprint (MD5): 06:9F:69:79:16:66:90:02:1B:8C:8C:A2:C3:07:6F:3A
gtecybertrustca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): C4:D7:F0:B2:A3:C5:7D:61:67:F0:04:CD:43:D3:BA:58
gtecybertrust5ca, 10/05/2002, trustedCertEntry,
Certificate fingerprint (MD5): 7D:6C:86:E4:FC:4D:D1:0B:00:BA:22:BB:4E:7C:6A:8E
verisignclass2ca, 29/06/1998, trustedCertEntry,
Certificate fingerprint (MD5): EC:40:7D:2B:76:52:67:05:2C:EA:F2:3A:4F:65:F0:D8

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -import -v -alias somecompany_ad_ca -file c:\temp\somedc.ca.pem -keystore "C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts"
Enter keystore password: changeit
Owner: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Issuer: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Serial number: something
Valid from: <date> until: <date>
Certificate fingerprints:
  MD5: something
  SHA1: something
Trust this certificate? [no]: yes
Certificate was added to keystore
[Saving C:\Program Files\Java\j2re1.4.1_03\lib\security\cacerts]

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -list -keystore "C:\Tools\ldapbrowser\lbecacerts"
Enter keystore password: changeit

Keystore type: jks
Keystore provider: SUN

Your keystore contains 6 entries

1049851423488, 9/04/2003, trustedCertEntry,
Certificate fingerprint (MD5): 71:C5:05:89:08:BC:78:96:20:45:E2:0E:FD:89:E8:72
1042686583627, 16/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): D9:11:9E:1A:CE:C5:C4:29:2F:E6:DE:EB:C0:E8:12:0D
1047532540747, 13/03/2003, trustedCertEntry,
Certificate fingerprint (MD5): 90:81:E7:42:CA:D8:90:A7:59:A5:0E:D3:0E:20:1E:B0
1042609942072, 15/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): F0:C3:1D:07:F7:20:7E:95:97:73:53:76:12:9B:D4:14
1046156863186, 25/02/2003, trustedCertEntry,
Certificate fingerprint (MD5): F3:04:1F:F2:73:4F:C3:0D:C1:FA:5C:4C:D3:C6:13:1A
1042179593031, 10/01/2003, trustedCertEntry,
Certificate fingerprint (MD5): A0:AD:08:60:83:1B:C3:50:72:7B:95:92:5A:67:E3:91

C:\Program Files\Java\j2re1.4.1_03\bin>keytool -import -v -alias somecompany_ad_ca -file c:\temp\somedc.ca.pem -keystore "C:\Tools\ldapbrowser\lbecacerts"
Enter keystore password: changeit
Owner: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Issuer: CN=somedc.somecompany.com, OU=etc..., [EMAIL PROTECTED]
Serial number: something
Valid from: <date> until: <date>
Certificate fingerprints:
  MD5: something
  SHA1: something
Trust this certificate? [no]: yes
Certificate was added to keystore
[Saving C:\Tools\ldapbrowser\lbecacerts]

============================ End Doc ==================================

-----Original Message-----
From: Steve OBrien [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 21 March 2004 12:28 PM
To: [EMAIL PROTECTED]
Subject: RE: Using freeradius to authenticate users to a Windows 2000 AD

OK I got that problem fixed on the windows side. Now I am getting an immediate access-reject. Here is the debug:

<snip>

NOTICE
This e-mail and any attachments are confidential and may contain copyright material of Macquarie Bank or third parties. If you are not the intended recipient of this email you should not read, print, re-transmit, store or act in reliance on this e-mail or any attachments, and should destroy all copies of them. Macquarie Bank does not guarantee the integrity of any emails or any attached files. The views or opinions expressed are the author's own and may not reflect the views or opinions of Macquarie Bank.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
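The thread's procedure (fetch the root CA cert from the Windows CA web page, turn it into a PEM file, import it into the Java trust stores with keytool, then test LDAPS from a non-Windows-native client) is usually where the "CA certificate is not in server certificate chain" error comes from: the file imported is a DER download that was never converted, or it is the DC's own server certificate rather than the root CA that issued it. The following shell script is an added example and not part of the mailing-list thread; it assumes the openssl command-line tool is installed on the client box and uses the thread's placeholder names (somedc.ca.pem, somedc.somecompany.com, port 636) as arguments. It converts a DER download to PEM, checks that the PEM file really is a self-signed CA certificate before it goes anywhere near keytool, and performs the LDAPS handshake with the chain verified against that one CA file only, so the system trust store cannot mask a missing certificate.

```shell
#!/bin/sh
# Added example, not code from the FreeRADIUS thread. Assumes the openssl CLI.
# File and host names are placeholders taken from the thread.

# Convert the DER-encoded .cer download from the Windows CA web enrollment
# page ("Retrieve the CA certificate or CRL") into the PEM form that keytool,
# OpenLDAP and OpenSSL expect. Returns 0 on success.
der_to_pem() {
    der="$1"; pem="$2"
    openssl x509 -inform DER -in "$der" -outform PEM -out "$pem"
}

# Subject and issuer of a PEM certificate with the "subject="/"issuer="
# prefixes stripped, so the two strings can be compared directly.
cert_subject() { openssl x509 -in "$1" -noout -subject | sed 's/^subject= *//'; }
cert_issuer()  { openssl x509 -in "$1" -noout -issuer  | sed 's/^issuer= *//'; }

# Return 0 only if the PEM file is a root CA certificate: parseable, self-signed
# (subject equals issuer) and flagged CA:TRUE in basicConstraints. The DC's own
# server certificate fails both tests and is the wrong file to import; trusting
# it would not make the chain verify.
is_root_ca_cert() {
    pem="$1"
    openssl x509 -in "$pem" -noout >/dev/null 2>&1 || return 1
    [ "$(cert_subject "$pem")" = "$(cert_issuer "$pem")" ] || return 1
    openssl x509 -in "$pem" -noout -text \
        | grep -A1 'X509v3 Basic Constraints' | grep -q 'CA:TRUE'
}

# Print the SHA-1 fingerprint of a PEM certificate. Compare this with the
# fingerprint keytool shows at its "Trust this certificate?" prompt and with
# one obtained from the CA out of band before answering "yes".
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//'
}

# TLS handshake to the DC on the LDAPS port, verifying its chain against the
# given CA file only (not the system store). Needs network access, so the
# offline test does not exercise it. Returns 0 when the chain verifies.
check_ldaps_chain() {
    host="$1"; port="${2:-636}"; cafile="$3"
    openssl s_client -connect "$host:$port" -CAfile "$cafile" \
        -verify_return_error </dev/null 2>/dev/null \
        | grep -q 'Verify return code: 0 (ok)'
}

# Typical use on the client box (hypothetical paths from the thread):
#   der_to_pem certnew.cer /tmp/somedc.ca.pem
#   is_root_ca_cert /tmp/somedc.ca.pem && cert_fingerprint /tmp/somedc.ca.pem
#   check_ldaps_chain somedc.somecompany.com 636 /tmp/somedc.ca.pem
```

If is_root_ca_cert fails, go back to the CA web page and fetch the CA certificate itself (Base64 or DER; der_to_pem handles the latter) rather than a certificate issued by it. If it passes but check_ldaps_chain fails, the DC is presenting a chain that does not end at this CA (for example, a cert from a different or renewed CA), and importing the file into more keystores will not help.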

