Hello everybody.
I'm running SSGD 4.41.909 on SuSE Linux Enterprise Server 10+Sp2 (x86_32bit) and I configured it to perform KERBEROS authentication against a Windows 2003R2 server.
Everything worked fine, so I decided to give SSL+Client Certificate a try.
I configured the Win2003R2 server as per the manual and I also:
. imported the Active Directory root CA into the SSGD truststore (/opt/tarantella/bin/jre/lib/security/cacerts)
. created a new key and a CSR using the keytool
. signed the above CSR with the Active Directory CA
. imported the just-signed certificate into the SSGD keystore (/opt/tarantella/var/info/certs/sslkeystore)
With keytool I'm able to verify that the keystore does actually contain a valid CLIENT certificate:
/opt/tarantella/bin/jre/bin/keytool -list \
-keystore /opt/tarantella/var/info/certs/sslkeystore \
-keypass "$(cat /opt/tarantella/var/info/key)" \
-storepass "$(cat /opt/tarantella/var/info/key)"
Keystore type: JKS
Keystore provider: SUN
Your keystore contains 2 entries
testssgd, Dec 17, 2008, PrivateKeyEntry,
Certificate fingerprint (MD5): 33:3B:41:EC:A2:4C:FF:02:D7:0D:D8:2D:EB:B2:2A:2B
ssgd_client_cert, Dec 17, 2008, trustedCertEntry,
Certificate fingerprint (MD5): DE:6B:BA:28:39:6B:B2:7B:51:F5:F2:6B:41:6E:6B:C1
As you can see, the ssgd_client_cert is indeed available in the sslkeystore.
Next, I configured SSGD as follows:
Step 4: LDAP Repository Details
Repository Type: (*) Active Directory
URLs: ad://zen.strhold.it
Connection Security: () Kerberos
(*) SSL
[x] Client Certificate Used
Active Directory Base Domain: zen.strhold.it
Active Directory Default Domain: zen.strhold.it
[Next]
I did not get any errors when I clicked [Next], and the same went when I selected the [Finish] button.
I logged out of the Admin console, restarted the SSGD server and tried to log in using a VALID Active Directory user, but here's what I got:
Sun Secure Global Desktop Software (4.41) WARNING:
Could not find a client certificate to use to authenticate the
connection to the Active Directory server
'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
cannot be used to retrieve data from the Active Directory.
A known resolution to this warning is:
- Import a client certificate for this server into the SGD keystore.
For more information on how to do this, consult the SGD Administration
Guide.
2008/12/17 17:16:36.246 (pid 18920) server/ad/warningerror #1229530596247
Sun Secure Global Desktop Software (4.41) WARNING:
Failed to connect to the global catalog:
'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'.
Reason:
[LDAP: error code 49 - 8009030C: LdapErr: DSID-0C09048B, comment: The server did not receive any credentials via TLS, data 0, vece]
Global catalog:
'Active Directory:win2003r2.zen.strhold.it:/192.168.68.1:3268:Up'
cannot be used to retrieve data from the forest.
To help troubleshoot this warning,
- Verify that this global catalog is available on the network.
- Verify that SGD can resolve the global catalog's hostname via DNS.
- Verify that SGD can connect to port 3268 on the global catalog.
- Verify that this server is a global catalog for the forest.
I'm pretty sure I do have a client certificate in the SSGD keystore (as demonstrated by the keytool utility).
Am I missing something or what?
Things I've already checked:
. both the SSGD and Windows server clocks are in sync
. the DNS server (on Windows) is able to resolve the names of the boxes in both forward and reverse mode
. no firewall is operating between the boxes
Thanks,
Rob
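The keytool listing in the post distinguishes two JKS entry kinds: a PrivateKeyEntry (private key plus its certificate chain) and a trustedCertEntry (a certificate only, used as a trust anchor). A TLS client can only present an identity for which the keystore holds the private key, so when a "client certificate not found" warning appears, the first thing to check is which kind of entry the expected alias is. The following Python checker is an added example, not part of Rob's post or of SSGD: it parses the text format of `keytool -list` (the same shape shown above, with constructed placeholder fingerprints) and reports, per alias, whether it could serve as a client identity. The alias names and the `check_alias` result strings are this example's own choices.

```python
import re

# Constructed sample in the shape of `keytool -list` output. The alias names
# mirror the post; the fingerprints are placeholders, not real values.
SAMPLE_LISTING = """\
Keystore type: JKS
Keystore provider: SUN

Your keystore contains 2 entries

testssgd, Dec 17, 2008, PrivateKeyEntry,
Certificate fingerprint (MD5): 00:11:22:33:44:55:66:77:88:99:AA:BB:CC:DD:EE:FF
ssgd_client_cert, Dec 17, 2008, trustedCertEntry,
Certificate fingerprint (MD5): FF:EE:DD:CC:BB:AA:99:88:77:66:55:44:33:22:11:00
"""

# "alias, date, kind," -- the date itself contains a comma ("Dec 17, 2008"),
# so the date group is matched lazily and the kind is anchored at the end.
ENTRY_RE = re.compile(
    r"^(?P<alias>[^,]+),\s*(?P<date>.+?),\s*"
    r"(?P<kind>PrivateKeyEntry|trustedCertEntry|SecretKeyEntry),?\s*$"
)
# Fingerprint line; newer keytool versions print SHA-256 instead of MD5.
FP_RE = re.compile(r"^Certificate fingerprint \((?P<alg>[\w-]+)\):\s*(?P<fp>[0-9A-Fa-f:]+)\s*$")


def parse_keytool_list(text):
    """Return a list of {alias, kind, fp_alg, fingerprint} dicts from keytool -list text."""
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if m:
            current = {"alias": m["alias"].strip(), "kind": m["kind"],
                       "fp_alg": None, "fingerprint": None}
            entries.append(current)
            continue
        m = FP_RE.match(line)
        if m and current is not None:
            current["fp_alg"] = m["alg"]
            current["fingerprint"] = m["fp"].upper()
    return entries


def client_identity_candidates(entries):
    """Aliases that can be presented as a TLS client identity.

    Only a PrivateKeyEntry carries a private key; a trustedCertEntry is a
    trust anchor and cannot be used to prove the client's identity.
    """
    return [e["alias"] for e in entries if e["kind"] == "PrivateKeyEntry"]


def check_alias(entries, alias):
    """Classify one alias: 'ok', 'no-private-key', or 'missing'."""
    for e in entries:
        if e["alias"] == alias:
            return "ok" if e["kind"] == "PrivateKeyEntry" else "no-private-key"
    return "missing"


def report(text):
    """Human-readable summary, one line per alias."""
    entries = parse_keytool_list(text)
    lines = []
    for e in entries:
        verdict = check_alias(entries, e["alias"])
        lines.append(f"{e['alias']:<20} {e['kind']:<18} {verdict}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_LISTING))
```

To run it against a real keystore, pipe the output of the `keytool -list` command from the post into `parse_keytool_list`. An alias reported as `no-private-key` holds a certificate but no key; for client authentication the signed certificate has to be imported under the same alias as the key pair whose CSR it was issued for, so that the entry remains a PrivateKeyEntry with the new certificate in its chain.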