Tag Archives: AD

Enable Web Server Certificate Requests On Windows Server 2008R2 CA Server

So I’ve run into this problem multiple times and ‘hacked’ my way around it various ways, but there is a better way that doesn’t require the use of certutil.exe or any other console utilities.  This scenario applies under the following conditions:

  • CA (Certificate Authority) Server is running on Windows Server 2008 R2
  • Web Server is running on Windows Server 2008 R2
  • Both servers are members of the same domain
  • You want to use the Certificates snap-in
  • You want to stay away from the console if you can

By default, you cannot generate a web server certificate request directly from your servers and you are presented with this screen based on the default Active Directory Enrollment Policy:

[Screenshot: certificate enrollment request denied; only the Computer template is offered]

As you can see from the screenshot, most of the certificate templates are unavailable with the exception of the computer certificate template.


Install Certificate Services on Windows Server 2008 R2

This post picks up where the last post left off.  In the last post, we created a Windows Server 2008 R2 Active Directory Domain Controller and stopped short of going on to add Certificate Services into the mix.

If you’re not sure whether you need certificate services for your environment, it rarely hurts to have it available.  It does not add much overhead, so for development environments and small businesses you can consider adding the role to a DC (domain controller) as we do here; in production a CA normally lives on its own server, because a DC that is also a CA is harder to demote, rebuild or harden.  Certificate Services will allow you to issue certificates to your internal resources, use client/server certificates for authentication, and set up SSL/TLS enabled websites.

The usual best practice is a two-tier hierarchy: a standalone Root CA (Certificate Authority) that is not domain-joined and is kept offline, and one or more domain-joined Enterprise subordinate (issuing) CAs that handle all of the day-to-day enrollment traffic.  The root only comes online to renew subordinate CA certificates and publish its CRL, so a compromise of an issuing CA does not take the whole trust chain with it.  Note that an Enterprise Root CA cannot play this offline role, since it must stay a domain member.  In this tutorial, we’ll just be installing and configuring a Root CA, but the process is basically the same for the subordinates.

Now that you’ve got some background information, onto the installation/configuration of Windows Server 2008 R2 Certificate Services.

In ‘Server Manager’, select Roles in the left pane, then Add Roles in the right pane.  Place a check mark in the checkbox for Active Directory Certificate Services.  Then click Next.

[Screenshot: Add Roles wizard with Active Directory Certificate Services checked]


MOSS: An Unexpected Error Has Occurred

If you’ve worked with MOSS long enough, I’m sure you’ve seen this error.  The reasons that it occurs are numerous, and may even be blamed on poor error handling / reporting by the programmers.

If you’ve come across this error, set <customErrors mode="Off" /> in your MOSS site’s web.config and it still occurs, you may have run into the issue that I did.

This can occur right after a MOSS installation or on a farm that has been up and running for some time.  It is something quick that you can check to rule out, especially if your server is managed through AD Group Policy or by an admin who locks servers down tightly.

My instance of this error was on a completely locked down Windows Server 2008 installation.  The cause was one setting applied through Active Directory (AD) Group Policy Objects (GPO): the security option “System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing”.  With it enabled, the .NET Framework refuses to construct cryptographic classes that are not FIPS-validated (MD5, for one), and any code that relies on them fails with an InvalidOperationException that MOSS reports only as this generic error.
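The following PowerShell is an added example and is not part of the original post.  It checks whether the FIPS policy is in force on the box (the registry value the GPO sets on Windows Server 2008 and later is an assumption stated in the comments; Windows Server 2003 stores it differently) and then shows the .NET behaviour that produces the error, by asking CryptoConfig whether FIPS-only mode is on and by trying to construct MD5CryptoServiceProvider, which is refused under the policy.

```powershell
# Added example (not from the original post): detect the
# "System cryptography: Use FIPS compliant algorithms..." policy and
# show how .NET reacts to it.
# Assumption: Windows Server 2008 / Vista or later, where the policy is the
# DWORD 'Enabled' under the FipsAlgorithmPolicy subkey.

$fipsKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
$enabled = 0
if (Test-Path $fipsKey) {
    $item = Get-ItemProperty -Path $fipsKey -Name Enabled -ErrorAction SilentlyContinue
    if ($item -ne $null) { $enabled = [int]$item.Enabled }
}
if ($enabled -eq 1) {
    Write-Host 'Registry: FIPS algorithm policy is ENABLED (Enabled=1).'
} else {
    Write-Host 'Registry: FIPS algorithm policy is disabled or not set.'
}

# The managed side of the same switch (static property available from .NET 2.0 SP1 on).
$fipsOnly = [System.Security.Cryptography.CryptoConfig]::AllowOnlyFipsAlgorithms
Write-Host "CryptoConfig.AllowOnlyFipsAlgorithms = $fipsOnly"

# Under the policy, constructing a non-validated algorithm throws
# InvalidOperationException ("This implementation is not part of the Windows
# Platform FIPS validated cryptographic algorithms."). An application that does
# not handle it surfaces the failure as a generic error page.
try {
    $md5 = New-Object System.Security.Cryptography.MD5CryptoServiceProvider
    $md5.Clear()
    Write-Host 'MD5CryptoServiceProvider constructed: .NET is NOT enforcing FIPS mode here.'
} catch {
    Write-Host ('MD5CryptoServiceProvider refused: ' + $_.Exception.Message)
}

# If it is enabled and you did not set it locally, find the GPO that did:
#   gpresult /scope computer /v | findstr /i fips
# The setting lives under Computer Configuration > Windows Settings >
# Security Settings > Local Policies > Security Options.
```

Run it in an elevated PowerShell prompt on the MOSS web front end.  If the registry says enabled but the CryptoConfig line says False, the process has not been restarted since the policy changed; a reboot (or an IIS reset) will make the failure appear, so do not treat the box as clean.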


Building an Active Directory Domain Controller for Development using VMware Workstation – Pt. 2

In my last post, we created a VM (Virtual Machine) using VMware Workstation 6.5.2 running Windows Server 2003 R2.  If you’re getting started here with a VM of your own, or physical hardware, the current status of the VM for this tutorial is a standard Windows Server 2003 R2 installation, with all recommended updates / patches applied.

If this server is running in VMware Workstation, feel free to snapshot the VM at this point so that you have a clean build of Windows Server 2003, that can then be sysprep’ed and used to deploy multiple other servers.


Building an Active Directory Domain Controller for Development using VMware Workstation – Pt. 1

So I guess earlier this year someone was going through my post for setting up a development environment and called it useless because the post didn’t discuss setting up a Windows Server AD (Active Directory) Domain Controller.  They called the post useless, but I figured there are a ton of posts out there for setting up DC’s (Domain Controllers).  Oh well, since they complained and I haven’t posted anything in a while, I decided to write a tutorial on setting up AD for development purposes.  I suppose that you can also use this post to set up a production system, but I’m not going into AD Policies and such in this post.

For this tutorial, I’m going to be using VMware Workstation 6.5.2 build 156735, and by the end of the tutorial, you should have a step-by-step roadmap to setting up a DC for development.  I’ll be installing Windows Server 2003 R2, not 2008, but the steps for a Windows Server 2008 DC are very similar and if someone requests it, I’ll post pics of the Windows Server 2008 steps.


Run MOSS Against Multiple Active Directories

One of the great new features that MOSS introduced was an easy way to share the same content between multiple portals/sites.  By extending your web applications, you can have separate authentication providers reach the same content using Forms Based Authentication (FBA).  FBA is usually associated with a custom SQL Server database or some other authentication mechanism, but you can use it to authenticate against AD as well.

Since implementing FBA in MOSS is pretty well documented already, I won’t go down that route, but just tell you what needs to be changed for it to work with Active Directory (AD).  If you need an article that talks about FBA specifically, try this one:
http://www.devcow.com/blogs/jdattis/archive/2007/02/23/Office-SharePoint-Server-2007-Forms-Based-Authentication-FBA-Walkthrough-Part-1.aspx.  This article assumes you have implemented FBA already or know how to, and just need the specifics for the ADMembershipProvider.

This article also assumes that you have extended a web application to use FBA.  Though there is nothing preventing you from using this on a primary web application and not using an extended web application, I use the term ‘extended web application’ to mean the web application that you want to set up for FBA.

In the extended web application’s web.config file, add (or change) the connectionStrings element so it reads:

<connectionStrings>
  <add name="ADConnectionString" connectionString="LDAP://[ldapquery]" />
</connectionStrings>

I placed this node between </configSections> and <SharePoint>.

The next change is to the membership node and should read:

<membership defaultProvider="ADMembershipProvider">
  <providers>
    <add
      name="ADMembershipProvider"
      type="System.Web.Security.ActiveDirectoryMembershipProvider, System.Web, Version=2.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a"
      connectionStringName="ADConnectionString"
      connectionUsername="[accountName]"
      connectionPassword="[password]"
      enableSearchMethods="true"
      attributeMapUsername="sAMAccountName" />
  </providers>
</membership>

I placed this node between <sessionState … /> and </system.web>.  Keep the whole type="…" attribute on a single line; if your browser or copy/paste wraps it, the resulting XML will not be valid and the provider will not load.

Make sure to replace [ldapquery], [accountName], and [password] with the information specific to your AD.  You can also point attributeMapUsername at a different attribute (userPrincipalName, for example, which is the provider’s default) if that is more appropriate for your directory.  Your domain administrators will be able to help you with the LDAP path if you aren’t familiar with the technology or the domain’s structure.

You’ll also need to make the same changes in the Central Administration web.config and change the authentication provider at Central Administration > Application Management > Authentication Providers (all of which you should have touched when doing a typical FBA configuration).

Infrastructure Requirements:

  • The account used above needs ‘read’ permission on the directory (a standard user account will usually work); do not use a domain admin, because the password sits in web.config.
  • connectionPassword is stored in clear text.  Restrict NTFS permissions on web.config, and consider encrypting the two sections with aspnet_regiis (for example aspnet_regiis -pef "connectionStrings" <physical path> and aspnet_regiis -pef "system.web/membership" <physical path>); on a farm the RSA key container then has to be exported to every front end.
  • The appropriate firewall ports will need to be open if traveling outside of the local network: port 389 by default, or 636 for LDAP over SSL.  With the provider’s default connectionProtection="Secure" it tries SSL first and otherwise falls back to a signed and sealed connection on 389, so credentials are not sent in the clear either way.
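Before editing web.config it is worth proving the three placeholder values outside of SharePoint.  The script below is an added example, not part of the original post; it uses System.DirectoryServices (the same API the ActiveDirectoryMembershipProvider is built on) to bind with the service account, look a user up by sAMAccountName the way attributeMapUsername="sAMAccountName" will, and then bind as that user the way ValidateUser does.  The LDAP path, domain, account names and user are placeholders I made up; substitute your own.

```powershell
# Added example (not from the original post): validate the [ldapquery],
# [accountName] and [password] values before putting them in web.config.
# All names below are assumed placeholders.
Add-Type -AssemblyName System.DirectoryServices   # PowerShell 2.0+

$ldapPath = 'LDAP://dc01.corp.example/DC=corp,DC=example'   # [ldapquery]
$domain   = 'CORP'                                           # assumed NetBIOS domain
$svcUser  = "$domain\svc-moss-fba"                           # [accountName]
$svcPass  = 'service-account-password'                       # [password]
$testUser = 'jdoe'                                           # a sAMAccountName to look up

# 1. Bind as the service account with the protection the provider uses by
#    default (connectionProtection="Secure"): Negotiate plus signing and sealing.
$authType = [System.DirectoryServices.AuthenticationTypes]::Secure -bor `
            [System.DirectoryServices.AuthenticationTypes]::Signing -bor `
            [System.DirectoryServices.AuthenticationTypes]::Sealing
$root = New-Object System.DirectoryServices.DirectoryEntry($ldapPath, $svcUser, $svcPass, $authType)
try {
    $baseDn = $root.Properties['distinguishedName'][0]   # first property read forces the bind
    Write-Host "Service account bind OK; search base is $baseDn"
} catch {
    Write-Host "Service account bind FAILED: $($_.Exception.Message)"
    return
}

# 2. Search by sAMAccountName, which is what attributeMapUsername points at.
#    A hit proves the search base is right and the account can read user objects
#    (enableSearchMethods="true" relies on exactly this).
$searcher = New-Object System.DirectoryServices.DirectorySearcher($root)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user)(sAMAccountName=$testUser))"
[void]$searcher.PropertiesToLoad.Add('userPrincipalName')
[void]$searcher.PropertiesToLoad.Add('distinguishedName')
$result = $searcher.FindOne()
if ($result -eq $null) {
    Write-Host "No user with sAMAccountName '$testUser' under $ldapPath"
    return
}
Write-Host ("Found " + $result.Properties['distinguishedname'][0] +
            " (UPN " + $result.Properties['userprincipalname'][0] + ")")

# 3. Validate a password the way the provider does: a fresh bind as that user.
$secure = Read-Host "Password for $domain\$testUser" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
$userEntry = New-Object System.DirectoryServices.DirectoryEntry($ldapPath, "$domain\$testUser", $plain, $authType)
try {
    [void]($userEntry.NativeObject)                      # forces the bind
    Write-Host "User bind OK: $testUser would be able to log in through FBA"
} catch {
    Write-Host "User bind FAILED: $($_.Exception.Message)"
}
$plain = $null
```

If step 1 fails with a referral or “server is not operational” error, the host in the LDAP path is wrong or port 389/636 is blocked; if step 2 returns nothing, the search base is above or beside the OU the users live in, or the service account lacks read rights there.  Fix those here before you wonder why the SharePoint people picker is empty.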

Again, this article assumes that you know what you’re doing with MOSS and FBA and just need the specifics for the AD integration.  I had a hard time finding that information at the time, so I decided to post it here.  If you have any questions, post them into comments and I’ll get them answered ASAP.