I'm setup a new Active Directory on my Windows server (Windows server 2008 R2).
And it is working fine for port 389. I need use LDAPS protocol to modify password from other system.
According to this post https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority, the only thing is import a certificate for enable LDAPS.
But when I imported the SSL certificate and restart the domain controller, I cannot see port 636 is opening.
My SSL certificate is issued by GeoTrust, and using for website. The website domain same with AD DS FQDN. I'm not sure is it OK.
How can I check what's the problem ?
I would start by check the certificate enhanced key usage, make sure the Server Authentication (1.3.6.1.5.5.7.3.1) are in the enhanced key usage. This can be done by open the certificate and click on "details" tab and scroll to "Enhanced Key Usage"
On the domain controller open an MMC and add certificate snap-in with local computer and verify if the certificate is in the personal certificates. If the certificate is there you can double-click on the certificate under General tab did you see a line at the bottom stating "You have a private key that corresponds to this certificate."?
When you say "I cannon see port 636 is opening" how are you doing about doing that? Did you run netstat on the domain controller to see if the server is listing?
syntax: netstat -an | find "636"
-a display connection and listening ports
-n display ip
find "636" is to filter for port 636. Because this is a domain controller you will have a lot of connections.
Also, if you have access to openssl you can try the following
syntax: openssl s_client -connect domain_controller_ip:636
if the certificate configure properly and the domain is listening to port 636/tcp. you will get the certificate information return.
The problem is certificate not match.
My AD domain is xyz.com, I thought my certificate Common Name should be xyz.com, it's wrong.
The right Common Name of the certificate should be Full computer name or Computer name+Domain. My computer name is ad, then I need the Common Name is ad.xyz.com of the certificate.
Related
I am having trouble setting up two postgres servers to communicate via Trusted, Verified SSL using DBLink.
My setup:
2x Windows Server 2016 on AWS hosted with EC2
One computer is the "Client", the other computer is the "Server"
On each Server, I have Postgres 9.6. (Installed via the BigSQL Gui installer)
I am trying to get "Client" to do "Verified, Full" SSL with the "Server" via dblink.
Here's the steps I am taking to setup.
"Server" postgresql.conf Settings
ssl = on
..
ssl_cert_file = 'server.crt' # The cert that I got from SSLForFree.com
ssl_key_file = 'server.key' # The private key that I got from SSLForFree.com
"Server" pg_hba.conf Settings
# TYPE DATABASE USER CIDR-ADDRESS METHOD
# IPv4 local & remote connections:
host all all 127.0.0.1/32 trust
#host all all 0.0.0.0/0 md5
# IPv6 local connections:
host all all ::1/128 trust
hostssl all all 0.0.0.0/0 md5 # new
"Client" Computer
I put the Let's Encrypt Root Certificate and CA Bundle in this file.
C:/PostgreSQL/data/pg96/root.crt
The command I am running in "Client" in PSQL.
SELECT * FROM dblink( 'dbname=postgres port=5432 host=test.example.com user=postgres password=123456 sslmode=verify-ca sslrootcert=C:/PostgreSQL/data/pg96/root.crt', 'SELECT now()::TEXT;') AS t(a Text);
My error
ERROR: could not establish connection
DETAIL: SSL error: certificate verify failed
Any idea what I am doing wrong?
Solved it. It turns out I needed to add the full trust chain in the cert file on my "Server".
I used the comodo 90 day cert instead of the lets encrypt cert.
Heres now I laid out the server.crt on the "Server"
The freshly issued comodo cert ontop.
The 2 comodo intermediate certs.
The root comodo cert
I used this tool to check my chaining. https://tools.keycdn.com/ssl
I configured successfully SSL on Microsoft SQL Server 2012 Express Edition for the purpose of encrypting external network connections to the database that are made through Internet. For performance reasons for internal clients on the network I do not want to force the use of SSL and leave to the clients the option of use it or not. I set Force Encryption to No with the following steps:
Sql Server Configuration Manager
Sql Server Network Configuration
Protocols for (MYSQLSERVERNAME)
Right click: Properties
Flags tab.
When I try to establish an encrypted connection with Microsoft Sql Server Management Studio checking Encrypt connection option on Options > Connection Properties I get the following error.
A connection was successfully established with the server, but then an error occurred during the login process. (provider: SSL Provider, error: 0 - The target principal name is incorrect.) (Microsoft SQL Server, Error: -2146893022)
What is striking is that if I select Force Encryption as Yes on Sql Server Configuration Manager and I not select Encrypt connection on Microsoft Sql Server Management Studio I can connect to the database. If I execute the query:
select * from sys.dm_exec_connections
In fact the column encrypt_option is TRUE.
The certificate was generated with Openssl and this is the information:
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 2 (0x2)
Signature Algorithm: sha256WithRSAEncryption
Validity
Not Before: Jun 9 15:53:18 2016 GMT
Not After : Jun 9 15:53:18 2018 GMT
Subject: C=US, ST=State, L=Location, O=Testing, OU=Development, CN=JOSEPH-ASUS
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
...
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Subject Key Identifier:
DB:7F:58:DC:F7:D9:90:2A:DF:0E:31:84:5C:49:68:E7:61:97:D8:41
X509v3 Authority Key Identifier:
keyid:C9:5C:79:34:E0:83:B2:C7:26:21:90:17:6A:86:88:84:95:19:88:EA
X509v3 Basic Constraints:
CA:FALSE
X509v3 Key Usage:
Key Encipherment, Data Encipherment
X509v3 Extended Key Usage:
TLS Web Server Authentication
Netscape Comment:
OpenSSL Generated Certificate
X509v3 Subject Alternative Name:
DNS:alternatename1, DNS:alternatename2, IP Address:192.168.1.100, IP Address:192.191.1.101, IP Address:192.168.1.103
Signature Algorithm: sha256WithRSAEncryption
...
The current OS is Windows 10 Home.
What I'm missing?
I had the same issue and got resolved by adding TrustServerCertificate=True; to the connection string.
I received this error when I was doing something similar. I also created a certificate from OpenSSL and imported it into SQL Server. I also used SQL Server Management Studio to attempt to verify that the client side copy of the certificate was required. When I did this I got the error described above.
The solution was simply that in the window to connect I was not using the CN that is on the certificate:
Instead of 127.0.0.1 (or whatever you have there) put the CN on the certificate and this connection should work.
The certificate generated with OpenSSL work properly. In my case the problem was rights of the account under which runs MSSQL over the certificate, I solved this issue with the follow steps:
Open SQL Server Configuration Manager.
Locate the account which is used to run MSSQL instance (Log On tab on MSSQL instance Properties).
Open MMC Console and add Certificates (Local Machine) snap-in.
Search the certificate store, right click on certificate and select All Tasks -> Manage Private Keys....
Set the Permissions to the same account under which MSSSQL runs.
I got this error when trying to connect via sqlcmd to a server which required windows integrated authentication (option -E) but accidentally used Azure Active Directory Authentication (option -G). Selecting the correct flags fixed it for me. Note that this is the equivalent of including Trusted_Connection=True in the connection string.
It's possible that your Server Certificate is using a *.domain name.
Make sure your SQL server has a certificate with a fully qualified name (sqlserver.yourcompany.com, not just *.yourcompany.com)
I used to get this same error when I had a *.mycompany.com certificate installed, but when I tried with a self-signed certificate specifically made for that SQL server, Then everything worked.
The steps are as follows:
Assuming you have already generated a certificate and it's in your machine
In certificate manager find your certificate, right click, all tasks, manage public keys, Allow the SQL server user (usually NT service\MSSQLSERVER) access to the private keys.
From certificate manager, export the cert without private keys and import them into a client machine
Open SQL server configuration manager > network > protocols > right click > certificate, select the new certificate. apply
Restart the SQL server instance
I am trying to configure SQL Server 2014 so that I can connect to it remotely using SSL. A valid, wildcard cert is installed on the server, and the cert's domain name (example.com) matches the server's FQDN (test.windows-server-test.example.com).
The problem is that in SQL Server Configuration Manager, the certificate is not listed, so I cannot select it.
That is, I am stuck on step 2.e.2 from this MS tutorial.
After communication in comments I can suppose that your main problem is the CN part of the certificate which you use. To have successful TLS communication for IIS Server one have no such strong restrictions like SQL Server has.
Microsoft require (see here) that The name of the certificate must be the fully qualified domain name (FQDN) of the computer. It means that the Subject part of the certificate looks like CN = test.widows-server-test.example.com, where test.widows-server-test.example.com is the FQDN of your computer. It's not enough that you use for example CN = *.example.com and Subject Alternative Name, which contains DNS Name=*.example.com and DNS Name=test.widows-server-test.example.com, DNS Name=test1.widows-server-test.example.com, DNS Name=test.widows-server-test2.example.com and so on. Such certificate will be OK for TLS, but SQL Server will discard it. See the article, which describes close problems.
I recommend you to create self-signed certificate with CN equal to FQDN of the SQL Server and to verify that the certificate will be seen by SQL Server Configuration Manager.
UPDATED: I analysed the problem a little more with respect of Process Monitor and found out that two values in Registry are important for SQL Server Configuration Manager: the values Hostname and Domain under the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
If I change Domain and Hostname to the values which corresponds CN of the certificate then the certificate will be already displayed in the SQL Server Configuration Manager. It could be not all problems, but it shows that SQL Server required much more as a web server (IIS for example).
UPDATED 2: I examined the problem once more in details and I think I did found the way how one can configure common SSL certificate which you already have (for example free SSL certificated from Let's Encrypt, StartSSL or some other).
It's important to distinguished what do SQL Server Configuration Manager from the configuration required by SQL Server. The Certificate tab of the properties of the Configuration Manager have more hard restrictions as SQL Server. I describe above only the restrictions of SQL Server Configuration Manager, but one can make configuration directly in the Registry to use more common SSL/TLS Certificate by SQL Server. I describe below how one can do this.
What one need to do one can in the Registry under the key like HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Microsoft SQL Server\MSSQL12.SQL2014\MSSQLServer\SuperSocketNetLib, where the part MSSQL12.SQL2014 can be a little different in your case. The SQL Server Configuration Manager help us to set two values in the registry: ForceEncryption and Certificate:
The Certificate value is SHA1 hash which can be found by examining the properties of the certificate:
or extended properties of the certificate, which you see by usage certutil.exe -store My:
One need just copy the "Cert Hash(sha1)" value, remove all spaces and to place as the value of Certificate value in the Registry. After making the settings and restarting SQL Server windows service one will see in file ERRORLOG in C:\Program Files\Microsoft SQL Server\...\MSSQL\Log directory the line like
2016-04-25 21:44:25.89 Server The certificate [Cert Hash(sha1)
"C261A7C38759A5AD96AC258B62A308A26DB525AA"] was successfully loaded
for encryption.
I want to add this for future folks that may stumble on a similar issue I encountered with SQL 2016 SP2 and failover cluster. The certificate thumbprint added to the registry had to be all upper case.
Hope this helps the next guy.
Once I followed steps in Updated 2 section of accepted answer, I can't start the SQL Server service, got those errors in Event Viewer:
Unable to load user-specified certificate [Cert Hash(sha1) "thumbprint of certificate"]. The server will not accept a connection. You should verify that the certificate is correctly installed. See "Configuring Certificate for Use by SSL" in Books Online.
TDSSNIClient initialization failed with error 0x80092004, status code 0x80. Reason: Unable to initialize SSL support. Cannot find object or property.
TDSSNIClient initialization failed with error 0x80092004, status code 0x1. Reason: Initialization failed with an infrastructure error. Check for previous errors. Cannot find object or property.
got error in SQL Server error log:
The server could not load the certificate it needs to initiate an SSL connection. It returned the following error: 0x8009030d. Check certificates to make sure they are valid.
googled it and found out a solution:
Make sure the windows account running SQL Server service (NT Service\MSSQLServer in my case) has full permissions to the following folders/register entry:
C:\Program Files\Microsoft SQL Server[Your Sql Server Instance]\MSSQL\
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
HKLM\System\CurrentControlSet\Services\WinSock2\Parameters
I checked No.1 NT Service\MSSQLSERVER has already had the permission.
I checked No.2, NT Service\MSSQLSERVER has no permission and I added the permission. It popped up an error saying one of files in that folder was denied the operation, but I just ignored it (nothing else I can do)
I didn't check No.3 and tried starting SQL Server, it worked!!
I faced similar issue in SSRS, wherein certificate issued by microsoft active directory CA was not visible in the dropdown in SSRS. After lot of searches, trial and error I could fix it by following this link.
https://learn.microsoft.com/en-us/archive/blogs/sqlserverfaq/can-tls-certificate-be-used-for-sql-server-encryption-on-the-wire
Brief of it is as below:
The Subject property of the certificate must indicate that the common name (CN) is the same as the host name or fully qualified domain name (FQDN) of the server computer.
So in our case we suggested to request the Certificate Authority to change the Subject name to ABC-SQLServer.abc.local (FQDN of SQL Server) instead of abc-corp.abc.com
Once this change was done, we loaded certificate again in MMC and now we could see the certificate loaded in SQL Server Configuration Manager!
Hope it helps someone facing same issue!
I was still having problems even after following the above. This is my fix:
in the certificates mmc right click the certificate All tasks->Manage Pricate Keys. Give the service account full control. In my case I am using NT Service\MSSQL$
SQL Server 2019
I found that the certificate thumbprint had to be entered into the certificate registry key in lower case for Configuration Manager to see it.
SQL Server will read the registry value and use it whether the registry key is in upper or lower case.
But configuration Manager will only display it if it is in lower case
I logged on to the server with SQL Server domain account( had to add the account to local admins temporarily) and imported the certificate in personal folder of the SQL Server service account. rebooted the server, and then SQL Server could see the certificate. Hope it helps someone.
An additional failure mode is key length - SQL requires a minimum keylength of 2048. With DH channel disabled.
I have also run into an issue copying out of the MMC as detailed in the article here. Using the certutil and copying that into the registry value worked perfectly.
My problem was that the Certificate Store was for WebHosting, but to see the certificate in SSRS it must be Personal.
USE UPPER CASE for Certificate in Registry editor LOL
Still not shown in config manager but TLS is working for SQL connections.
I have installed windows server 2008 and on this I had added Roll "Active Directory Domain Services". Now I have added a computer (windows 7) under this domain and which have installed collabnetEdge subversion. Now I am trying to connect "LDAP authentication against an LDAP server" but it is giving error “The server could not bind to port ‘3343’. Check permission to use the port and that another process is not using the port.”
In Server Pc under the Domain I have created a OU named OrgUnit and under this OU I had created an user.
Now my setting is given below:
Server Setting :
Authentication :
Now these two setting saved successfully but when I start collabnetEdge server it gives error "The server could not bind to port ‘3343’. Check permission to use the port and that another process is not using the port". I have changed port but same error occurs. Please help me out.
Your LDAP Settings look good, but it is impossible to know for sure.
Your problem is on the first page where you specified port 3343. You cannot do that. The port number you are specifying is the one you want your Apache Subversion server to use. This has to be an unused port. Normally you want it to be port 80 or 443 depending on whether or not you are using SSL.
Since you are going to use your AD credentials, using SSL is a good idea. So I would check the box for Apache encryption and use port 443.
Port 3343 is the port that the SVN Edge console is using. So it will always be in use and could not be used.
Background Information:
I have a single Window VPS at example.com.
I have it running IIS and SQL Server.
I have a certificate for example.com that works fine with IIS.
I want to use the same certificate for SQL Server to allow encrypted connections with clients.
SQL Server Configuration Manager does not present the certificate in the drop down.
I believe the problem is that SQL Server does not think the certificate is valid, because what SQL Server thinks the server name is does not match the certificate (example.com).
How do I check what SQL Server thinks the server name is? If it is wrong how would I change it?
Okay I found out the issue.
The hostname on my machine was wrong. It wasn't "example.com", but some name randomly generated by windows. You can set this in the computer's properties window.
The certificate was not registered to be used on port 1433. I had to use netsh to enable the certificate to be used on port 1433. Instructions here: http://msdn.microsoft.com/en-us/library/ms186362(v=SQL.100).aspx
Those two steps where complete I got the certificate to show up in SQL Server Configuration Manager, but I still had a problem went I attempt to run SQL Server. It would not start with a message from the logs saying it could not find or read the SSL Certificate.
The last step was making sure the account running SQL Server had permission to read the certificate. I went into the certificate snap-in and then went to properties under the certificate, then on the Security tab I gave the Network Services account read permission on the certificate. (NOTE: I did not find any tutorials online reference this step. It was just some dumb luck that I found this.)
After those steps where complete the SQL Server Service start up with out any problem.