MORE INFORMATION

Active Directory server requirements:

• Install Microsoft Internet Explorer High Encryption Pack.
• Enable SSL.
• Install the certification authority (CA).

Active Directory client requirements:

• Install Internet Explorer High Encryption Pack.
• Check that the certificate from the CA is available.

Verify the Active Directory server requirements

1. Make sure that the Internet Explorer High Encryption Pack is installed. Also make sure that SSL is enabled on the server. To do this, follow these steps:
   1. Make sure that the Internet Explorer High Encryption Pack is installed.
      
      For additional information about how to make sure that the Internet Explorer High Encryption Pack is installed, click the following article numbers to view the articles in the Microsoft Knowledge Base:

      319970 How to use the Address Book to test SSL connectivity

      Note Active Directory is not a choice on earlier versions of clients. You have to create a new directory service. See the "To configure the Address Book with downlevel clients" section of the following article: For additional information about how to create a new directory service, click the following article number to view the article in the Microsoft Knowledge Base:

      238007 How to configure the Address Book to query users contained in Active Directory

   2. Programmatically verify the cipher strength. To do this, read the following article:

      259122 How to programmatically determine the cipher strength on Windows

   3. Enable SSL communication over LDAP on the server. To do this, read the following article:
      

      247078 How to enable Secure Socket Layer (SSL) communication over LDAP for Windows 2000 Domain Controllers

   4. If you have to download the Internet Explorer High Encryption Pack, visit the following Microsoft Web site:

      http://www.microsoft.com/windows/ie/downloads/recommended/128bit/default.mspx

2. Make sure that the CA is installed on the server. To do this, follow these steps:
   1. Use any one of the following methods to make sure that CA CertSrv is installed on the server:
      • Make sure that the server certificate is installed. To do this, check Microsoft Internet Information Services (IIS) administration to make sure that the CertSrv Web site exists. Or, locate http://MachineName/CertSrv.
        
        The default certificates request forms may appear in your browser.
      • Look in the system event log on the server computer and on the client computer for schannel events.
        
        On the server side, you may see an event that indicates that no default server certificate is found. On the client side, you may see an event that indicates that the server certificate failed authentication. These events may indicate what is wrong.
      • Use Network Monitor to make a trace of the attempted connection. Verify that the server is sending back the Verisign certificate. If the server is not sending back the Verisign certificate, you probably do not have your server authentication certificate installed. Instead, you are receiving the default server certificate. If the server certificate is returned by the server, the name of the server that you expected to connect to may not match the name on the certificate. The name of the server that is issued to the ldap_init()/ldap_ssl_init()/ldap_open()/ldap_connect() function must match the name of the server that is indicated on the server certificate.
   2. For additional information about how to install the CA, click the following article number to view the article in the Microsoft Knowledge Base:

      231881 How to install/uninstall a public key certificate authority for Windows 2000

Verify the Active Directory client requirements

1. Install the Internet Explorer High Encryption Pack on the Active Directory client. To do this, follow these steps:
   1. Check the cipher strength on the Active Directory client. To do this, read the following article:

      259122 How to programmatically determine the cipher strength on Windows

      For additional information about setting LDAP session options, visit the following Microsoft Developer Network (MSDN) Web site:

      http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ldap/ldap/setting_session_options.asp

   2. If the Internet Explorer High Encryption Pack is not installed, you must install it. For additional information about how to install the Internet Explorer High Encryption Pack, visit the following Microsoft Web site:

      http://www.microsoft.com/windows/ie/ie6/downloads/recommended/128bit/default.mspx

      Note This link also provides information about Microsoft Internet Explorer client versions that support 128-bit encryption.
2. Make sure that the Active Directory client has a certificate from the CA server. To do this, follow these steps:
   1. Pn the Active Directory client computer, click Start, and then click Control Panel.
   2. Double-click Internet Options, click the Content tab, and then click Certificates.
   3. Click Intermediate Certification Authorities, and then click Trusted Root Certification Authorities to verify that you can find the CA that issued the valid certificate for the server.
      
      
   4. Double-click the certificate, and then click the Details tab.
      
      The Details tab shows where the certificate was issued from.
   5. Click the Certification Path tab.
      
      You can see from where the certificate was issued and the status of the certificate.

Certificate requests

You can request a user certificate by using an Internet Explorer Active Directory client and then by locating CA-MACHINENAME/CertSrv.