Microsoft KB Archive/273753

= Description of the LDAP API over SSL requirements =

Article ID: 273753

Article Last Modified on 7/30/2007

-

APPLIES TO


 * Microsoft Active Directory Service Interfaces 2.5

-



This article was previously published under Q273753



INTRODUCTION
This article describes how to determine whether the Active Directory server and the Active Directory client meet the requirements for using the Lightweight Directory Access Protocol (LDAP) API over Secure Sockets Layer (SSL). It also describes what is needed to programmatically change the Active Directory unicodePwd (password) attribute by using the LDAP API over SSL, or by using the Active Directory Service Interfaces (ADSI) over SSL, to set passwords. Active Directory accepts a write to unicodePwd only over an encrypted session, which is why the SSL requirements below must be met first.



MORE INFORMATION
Active Directory server requirements:
 * Install Microsoft Internet Explorer High Encryption Pack.
 * Enable SSL.
 * Install the certification authority (CA).

Active Directory client requirements:
 * Install Internet Explorer High Encryption Pack.
 * Check that the certificate from the CA is available.

Verify the Active Directory server requirements
 1. Make sure that the Internet Explorer High Encryption Pack is installed, and make sure that SSL is enabled on the server. To do this, follow these steps:
    a. Make sure that the Internet Explorer High Encryption Pack is installed. For additional information about how to make sure that the Internet Explorer High Encryption Pack is installed, click the following article number to view the article in the Microsoft Knowledge Base:

       319970 How to use the Address Book to test SSL connectivity

       Note Active Directory is not a choice on earlier versions of clients. You have to create a new directory service. See the "To configure the Address Book with downlevel clients" section of the following article. For additional information about how to create a new directory service, click the following article number to view the article in the Microsoft Knowledge Base:

       238007 How to configure the Address Book to query users contained in Active Directory

    b. Programmatically verify the cipher strength. To do this, read the following article:

       259122 How to programmatically determine the cipher strength on Windows

    c. Enable SSL communication over LDAP on the server. To do this, read the following article:

       247078 How to enable Secure Socket Layer (SSL) communication over LDAP for Windows 2000 Domain Controllers

    d. If you have to download the Internet Explorer High Encryption Pack, visit the following Microsoft Web site:

       http://www.microsoft.com/windows/ie/downloads/recommended/128bit/default.mspx

 2. Make sure that the CA is installed on the server. To do this, follow these steps:
    a. Use any one of the following methods to make sure that the CA (CertSrv) is installed on the server:
       * Make sure that the server certificate is installed. To do this, check Microsoft Internet Information Services (IIS) administration to make sure that the CertSrv Web site exists. Or, open http://MachineName/CertSrv in a browser. The default certificate request forms should appear.
       * Look in the system event log on the server computer and on the client computer for Schannel events. On the server side, you may see an event that indicates that no default server certificate is found. On the client side, you may see an event that indicates that the server certificate failed authentication. These events indicate what is wrong.
       * Use Network Monitor to make a trace of the attempted connection. Verify that the server sends back your server authentication certificate (a Verisign-issued certificate in this article's example). If it does not, you probably do not have your server authentication certificate installed and are receiving the default server certificate instead. If the expected certificate is returned but the connection still fails, the name of the server that you expected to connect to may not match the name on the certificate. The server name that is passed to the ldap_init, ldap_sslinit, ldap_open, or ldap_connect function must match the name on the server certificate; Schannel rejects the connection otherwise.
    b. For additional information about how to install the CA, click the following article number to view the article in the Microsoft Knowledge Base:

       231881 How to install/uninstall a public key certificate authority for Windows 2000

Verify the Active Directory client requirements
 1. Install the Internet Explorer High Encryption Pack on the Active Directory client. To do this, follow these steps:
    a. Check the cipher strength on the Active Directory client. To do this, read the following article:

       259122 How to programmatically determine the cipher strength on Windows

       For additional information about setting LDAP session options (for example, the option that turns on SSL for a session), visit the following Microsoft Developer Network (MSDN) Web site:

       http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/setting_session_options.asp

    b. If the Internet Explorer High Encryption Pack is not installed, you must install it. For additional information about how to install the Internet Explorer High Encryption Pack, visit the following Microsoft Web site:

       http://www.microsoft.com/windows/ie/ie6/downloads/recommended/128bit/default.mspx

       Note This link also provides information about the Microsoft Internet Explorer client versions that support 128-bit encryption.

 2. Make sure that the Active Directory client has the certificate of the CA that issued the server certificate, so that it can trust that server certificate. To do this, follow these steps:
    a. On the Active Directory client computer, click Start, and then click Control Panel.
    b. Double-click Internet Options, click the Content tab, and then click Certificates.
    c. Click Intermediate Certification Authorities, and then click Trusted Root Certification Authorities, to verify that you can find the CA that issued the valid certificate for the server.
    d. Double-click the certificate, and then click the Details tab. The Details tab shows where the certificate was issued from.
    e. Click the Certification Path tab. This tab shows where the certificate was issued from and the status of the certificate.
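The following script is an added example; it is not part of this article and is not Microsoft code. It performs from the client the checks that the two procedures above describe (that the server presents a certificate whose name matches the server name you connected to, that the certificate chains to a CA the client trusts, and that the negotiated cipher strength is 128-bit), and then changes unicodePwd over an SSL session as the introduction describes. It uses the managed System.DirectoryServices.Protocols wrapper around wldap32 rather than the C LDAP API or ADSI, and needs Windows PowerShell 5.1 or later. The server name, the target distinguished name and port 636 are assumed placeholders; the caller is assumed to hold the right to reset the target account's password.

```powershell
# Added example, not from KB 273753. Verifies an LDAPS endpoint the way the manual
# checks do, then sets unicodePwd over SSL with System.DirectoryServices.Protocols.
param(
    [string]$Server   = 'dc01.corp.example.com',                              # assumed; must match a name on the DC certificate
    [string]$TargetDn = 'CN=Test User,OU=Staff,DC=corp,DC=example,DC=com'      # assumed
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsEndpoint {
    param([string]$HostName, [int]$Port = 636)

    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # The name given to AuthenticateAsClient plays the role of the name passed to
        # ldap_sslinit: Schannel compares it with the certificate subject/SAN and
        # validates the chain. A name mismatch or an untrusted CA fails here, which is
        # the client-side Schannel event the article tells you to look for.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($HostName)
        }
        catch [System.Security.Authentication.AuthenticationException] {
            throw "Server certificate rejected for '$HostName': $($_.Exception.Message)"
        }
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer           # should be your CA, not a default certificate
            NotAfter       = $cert.NotAfter
            Protocol       = $ssl.SslProtocol
            CipherStrength = $ssl.CipherStrength    # key length in bits; 128 is what the High Encryption Pack provides
            StrongCipher   = ($ssl.CipherStrength -ge 128)
        }
    }
    finally {
        $client.Close()
    }
}

function Set-UnicodePwdOverLdaps {
    param([string]$HostName, [string]$DistinguishedName, [securestring]$NewPassword, [int]$Port = 636)

    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($HostName, $Port)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # LDAP_OPT_SSL: the session is encrypted before the bind
    $conn.SessionOptions.ProtocolVersion  = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate

    # Refuse a certificate that does not chain to a trusted CA or whose DNS name differs
    # from the name we connected to. Never return $true unconditionally from this callback.
    $conn.SessionOptions.VerifyServerCertificate = [System.DirectoryServices.Protocols.VerifyServerCertificateCallback]({
        param($connection, $certificate)
        $c       = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($certificate)
        $chain   = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chainOk = $chain.Build($c)
        $dnsName = $c.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        return ($chainOk -and ($dnsName -ieq $HostName))
    }.GetNewClosure())

    try {
        $conn.Bind()

        # AD accepts unicodePwd only over an encrypted session, and only as the UTF-16LE
        # bytes of the new password enclosed in double quotation marks.
        $plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password
        $value = [System.Text.Encoding]::Unicode.GetBytes('"' + $plain + '"')

        $mod = [System.DirectoryServices.Protocols.DirectoryAttributeModification]::new()
        $mod.Name      = 'unicodePwd'
        $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace   # administrative reset
        [void]$mod.Add($value)

        $resp = $conn.SendRequest([System.DirectoryServices.Protocols.ModifyRequest]::new($DistinguishedName, $mod))
        return $resp.ResultCode   # Success when the domain controller accepted the new password
    }
    finally {
        $conn.Dispose()
    }
}

# Usage with the assumed placeholders above.
$check = Test-LdapsEndpoint -HostName $Server
$check | Format-List
if (-not $check.StrongCipher) { throw "Negotiated cipher strength is $($check.CipherStrength) bits; 128 expected" }
$result = Set-UnicodePwdOverLdaps -HostName $Server -DistinguishedName $TargetDn -NewPassword (Read-Host -AsSecureString 'New password')
"unicodePwd modify result: $result"
```

Replace is the administrative reset path; a user changing their own password sends a Delete of the old quoted value followed by an Add of the new one in the same modify request. If Test-LdapsEndpoint throws, the Schannel event log entries and the Network Monitor trace described above show which of the three conditions (name match, trusted issuer, certificate installed) is not met.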

Certificate requests
You can request a user certificate from the CA by using Internet Explorer on the Active Directory client to open http://CA-MACHINENAME/CertSrv, where CA-MACHINENAME is the name of the server on which the CA is installed.

Additional query words: LDAP API SSL

Keywords: kbinfo kbmsg KB273753

-


© Microsoft Corporation. All rights reserved.