Enterprise Edition 5 domain-wide SSL cert

Similar Messages

• Error 18452 "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication" on SQL Server 2008 R2 Enterprise Edition 64-bit SP2 clustered instance

  Hi there,
  I have a Windows 2008 R2 Enterprise x64 SP2 cluster which has 2 SQL Server 2008 R2 Enterprise Edition x64 SP2
  instances.
  A domain account "Domain\Login" is administrator on both physcial nodes and "sysadmin" on both SQL Server instances.
  Currently both instances are running on same node.
  While logging on to SQL Server instance 2 thru "Domain\Login" using "IP2,port2", I get error 18452 "Login failed. The login is from an untrusted domain and cannot be used with Windows authentication". This happened in the past
  as well but issue resolved post insatllation of SQL Server 2008R2 SP2. This has re-occurred now. But it connects using 'SQLVirtual2\Instance2' without issue.
  Same login with same rights is able to access Instance 1 on both 'SQLVirtual1\Instance1' and "IP1,port1" without any issue.
  Please help resolve the issue.
  Thanks,
  AY

  Hello,
  I Confirm that I encountred the same problem when the first domain controller was dow !!
  During a restarting of the first domain controller, i tried to failover my SQL Server instance to a second node, after that I will be able to authenticate SQL Server Login but Windows Login returns Error 18452 !
  When the firts DC restart finishied restarting every thing was Ok !
  The Question here : Why the cluster instance does'nt used the second DC ???
  Best Regards     
  J.K

• Use Wildcard SSL Cert to Monitor Non-Domain COmputers

  Hello,
    I was wondering if a Wildcard SSL Cert from GoDaddy or another Provider can be used to monitor Non-Domain Computer on SCOM 2012R2?
  TIA,
  Jim

  Hi,
  The Operations Manager agents support two types of authentication method, Kerberos or certificate based authentication. In order to monitor servers and clients located outside the Operations Manager’s native Active Directory domain, you will need to configure
  certificate authentication using either an internal Certificate Authority or through a 3rd party Certificate Authority.
  Regards,
  Yan Li
  Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact [email protected]

• ACE: Single SSL Cert for two domains with same VIP

  At present I have a design that will use individual SSL cert per domain and link both certs to (two or one) serverfarm.
  policy-map multi-match popvip_01
  class POP_VIP01
  loadbalance vip inservice
  loadbalance policy POP-POp3_PMT or popPMT1
  loadbalance vip icmp-reply
  ssl-proxy server GINPOP_SSLPROXY
  connection advanced-options TCP_PARAM_Y
  class POP3_VIP02
  loadbalance vip inservice
  loadbalance policy POP-POp3_PMT or POPPMT2
  loadbalance vip icmp-reply
  ssl-proxy server GINPOP3_SSLPROXY
  connection advanced-options TCP_PARAM_Y
  however,
  if I can get one single certificate to process both pop and pop3 domains, that use the same VIP/port, and if this will work with ACE, i'm inclined to design using this alternative.
  ie,
  pop.mydomain.com = 10.10.10.1 995
  pop3.mydomain.com = 10.10.10.1 995
  Any suggestions would be appriciated.

  Hello,
  In order to achieve this then you will need to order a wildcard certifictae ie
  *.mydomain.com
  These certificates are more expensive and so you will probably find it cheaper to buy two certificates than one wildcard certificate.
  Regards

• Auth via client SSL cert problem

  web server:iPlanet-WebServer-Enterprise/6.0SP2 B11/13/2001 00:49
  Am trying to setup ACL's to allow only certain clients access to web server via client side certificates.
  The LDAP entry does NOT have a "uid" attribute for the user's entry.
  Snooping show me that the LDAP server is returning the correct LDAP entry. Web server says "get_auth_user_ssl: unable to map cert to LDAP entry. Reason: ldap entry is missing the 'uid' attribute value"
  ACL files looks like
  version 3.0;
  acl "default";
  authenticate (user, group) {
  prompt = "foobar";
  method = "ssl";
  allow (read, list, execute,info) user = "*happy*" ;
  allow (write, delete) user = "all";
  Client cert CN looks like
  CN=happy.fmr.com test happy.fmr.com, OU=B2B, OU=Applications, O=FMR Co
  rp., C=US
  Any suggestions on how to allow only a user whose client CN contains a certain word? Also anyway to increse the debug level in the error logs, I know 6.1 can do more but we are limited to using 6.0
  Thanks
  Ashish

  Hi Faisal -- thanks for your reply. We had an offline chat where you said:
  >>>>>>>>
  These are the steps that u can follow
  Configure Weblogic Server for 2-way SSL
  mydomain> Servers> myserver>Keystores & SSL > Advanced Options
  Hostname Verification: None
  Two Way Client Cert Behavior: Client Certs Requested but not enforced
  mydomain> Domain Wide Security Settings> Realms> myrealm> Authentication Providers> DefaultIdentityAsserter
  Trusted Client Principals: provide CN of the Client Certificate
  Types: X509
  Details:
  Use Default User Name Mapper: Checked
  Default User Name Mapper Attribute Type: CN
  Base64Decoding Required: Checked
  Go the security realm and create a user wih the username as CN of the certificate
  Dont forget to Import the client cert's root CA in the trust store of WLS.
  If you still face issues, enable SSL Debug, securityATN debug and mail me the log file.
  <<<<<<
  I think there are a few minor config differences and I may have a different version of WLS to you -- the DefaultIdentityAsserter did not contain some of the fields you refer to. Instead I have an LDAPX509IdentityAsserter at the top of the Providers list, and I have made the changes there. My Providers list is:
  - LDAPX509IdentityAsserter
  - ActiveDirectory
  - DefaultAuthentictor
  - DefaultIdentityAsserter
  I suspect you might be thinking I don't have two-way SSL working at all, but I do, and that's not my question. I can successfully validate a client based on SSL certificate so all the trust stores etc are correct. My question is what happens when there is no client certificate presented by the client -- I want it to fall through to Basic authentication. The ActiveDirectory provider has a Control Flag="SUFFICIENT" setting and I was expecting the X.509 one to have a similar flag, but it doesn't. What controls whether the X.509 provider is REQUIRED/REQUISITE/SUFFICIENT/OPTIONAL in the chain, like the Active Directory one?
  Thanks for your time.
  -- Ben.

• Webserver refuses to take SSL cert

  My SSL cert is installed on my server and when I go to Settings pane in Server.app for the host and edit "SSL Certificate" and choose my cert, the UI will collapse the pane below showing the various services. This is because it applies the cert to all services. When I click OK to accept the setting, it should show my cert right after "SSL Cert:" because should now be applied to all services.
  Instead it shows "Custom". When click th "Edit" button again to see whats going on, it shows that all services are using my cert - except the last one - "Websites (Server Website - SSL)"
  For that, is simply shows "None". Changing it to my cert then clicking OK, has no effect. It just reverts back to "None".
  Apache wont start because there is no cert specified and specifying it manually in ..
  "/Library/Server/Web/Config/apache2/sites/0000_any_443_.conf"
  ..does no good because OS X simply overwrites it from some place.
  So at this point it's impossible to get Apache going on this host. The Server application refuses to accept my cert for the website. I dont get any errors and I dont see any in the logs either pertaining to some failure to apply the setting.
  Any ideas?

  I forgot to mention that when the Certificate Assistant ask for the Issuer in one of its screen, choose the Intermediate CA certificate. Also, the four PEM files is created in /etc/certificates.
  On a fresh Server app install after your get OD Master running or after you have done the web:command=restoreFactorySettings, visit Server app Certificates screen and Custom select the just created Leaf SSL Certificate next to the Web (Default Server - SSL). This will create the default SSL certificate in the Web service window.
  Also, if any one of the three *conf files are missing in the sites folder, Server app will hose the folder by renaming it as sites-unusable-nnnn and recreate a fresh sites folder with fresh copies of the *.conf files. In addition, if you read the comments within the 0000_any_80_.conf and 0000_any_443_.conf files, there are certain apache http directives which are off-limits to administrator as Server app will modify their values. It suggests that you create a .conf files with your amendments (of course, they must be within the Virtual Host context) and use an Include directive or through the use of the WebApps mechanism.
  Furthermore, you must not set a specific IP address for all your virtual hosts but use Any instead. Since I want to use the built-in Wiki service, I have added wiki.domain.com as Additional Domains for both the Default Servers (since the Default Servers refuse to use ServerName). For my case, since I have multiple IP addresses, I have to specifically amend the virtual_host_global.conf file with a static IP address for the Listen 80 and 443 directives, and since Server app will undo the amendment within the sites folder, I have to bring the virtual_host_global.conf file up one level to the apache2/ folder, amend httpd_server_app.conf to load this virtual_host_global.conf file instead...see below the relevant section of my httpd_server_app.conf file:
  <IfDefine WEBSERVICE_ON>
      Include /Library/Server/Web/Config/apache2/sites/0000_*.conf     <--- instead of "*.conf"
  </IfDefine>
  <IfDefine !WEBSERVICE_ON>
  #    Include /Library/Server/Web/Config/apache2/sites/virtual_host_global.conf
      Include /Library/Server/Web/Config/apache2/sites/0000_any_80_.conf
      Include /Library/Server/Web/Config/apache2/sites/0000_any_443_.conf
  </IfDefine>
  Include /Library/Server/Web/Config/apache2/virtual_host_global.conf
  Include /Library/Server/Web/Config/apache2/httpd_server_app_tweaks.conf
  The httpd_server_app_tweaks.conf file is my performance tweaks (e.g. StartServers, MinSpareServers, etc.)
  So Server app can happily modify the virtual_host_global.conf file within the sites folder but my settings remain safe one level up.

• Coldfusion 11 SSL Certs applied - The APR based Apache Tomcat library which allows optimal performance in production environments,

  Coldfusion 11
  Windows Server 2012 R2
  Both the Coldfusion admin and additonal site work fine on HTTP.
  As soon as I attempt to enable SSL websockets and install SSL certs, the Coldfusion 11 Application service will not start. I followed the steps below....
  Coldfusion 11 - Web Sockets via SSL
  The Coldfusion-error.log shows
  Jan 26, 2015 3:21:23 PM org.apache.catalina.core.AprLifecycleListener init
  INFO: The APR based Apache Tomcat Native library which allows optimal performance in production environments was not found on the java.library.path
  Server was a cloned VM of the test server with developer copy of CF11, but license has been purchased and applied. SSL certs have been imported successfully, paths are correct in CF Admin to the cert file etc.
  Do I need to install another version of Coldfusion to get around this issue or is there a download update I need to apply?
  If i reconfig the \cfusion\runtime\conf\server.xml to comment out the SSL sections it works fine.
  Any assistance welcome - I can't allow this site to made publicly available with using SSL.
  SM

  @Scott, first are you running update 3? If so, let’s clarify at the outside that, as that bug report (you point to) does indicate in the notes below it, there is a fix for a problem where this feature broke in that release.  And as it notes, you can email [email protected] to request the fix (referring to that bug), or you can wait for it to be released publicly as part of a larger set of fixes.
  If you are NOT on update 3, or you may apply the fix and find things still don’t work, I would wonder about a few things, from what you’ve described.
  First, you say that the CF service won’t start, and you offer some lines from the ColdFusion-error log. Just to be clear, those particular error messages are common and nothing to worry about. They definitely do NOT reflect any reason CF doesn’t start. But are you confirming that that time (in the log lines) is in fact the time that you had started CF, when it would not start? I’d suspect not.
  Look instead in the coldfusin-out.log. What does THAT log show at the time you try to start CF and it won’t start? You may find something else there. (And since you refer to editing the server.xml file, you may the log complains that because of an error in the XML it can’t “parse” the file. It’s worth checking.
  You say also that you have confirmed that “paths are correct in CF Admin to the cert file”. What path are you referring to? There’s no page in the CF admin that points to the CACERTS file in which the certs are stored. Do you perhaps mean on the “system info” or “settings summary” page? Even so there’s still no line in there which refers to the “cert file”.
  Instead—and this could be a part of your problem—the cert file is simply found WITHIN the directory where CF’s pointed to to find its JVM. Wherever THAT is, is where you need to put any certificates. So take a look at the CF Admin, either in the ”java and jvm” page (and the value of its “Java Virtual Machine Path”), or in the “settings summary” or “system information” pages and their value for “Java Home”. Is that something like \coldfusion11\jre? Or something like \Java\jdk1.7.0_71\jre? Whichever it is, THAT’s where you need to put the certs, within there (in its \lib\security folder).
  Finally, when you say that if you “comment out the SSL sections  it works fine”, do you mean that a) CF comes up and b) some example code calling your socket works, as long as you don’t use SSL?
  To be clear, no, you don’t need any other version of CF11 to get websockets to work. But if you are on update 3, that may be the simple problem. Let us know how it goes for you with this info.
  /charlie

• SSL Cert for 2008 R2 Reporting Services that is installed on a Failover Cluster - server address mismatch?

  I utilized the idea from
  http://www.mssqltips.com/sqlservertip/2778/how-to-add-reporting-services-to-an-existing-sql-server-clustered-instance/ to install 2008 R2 Reporting Services on a new Clustered SQL instance.  In short, create the new Clustered SQL instance on Node1,
  installing Reporting Services with it.  Then on Node2, Add a Failover Cluster Node (without choosing Reporting Services); following that up with starting the SQL setup.exe with a cmd to bypass a check so that I can then install the Reporting Services
  feature on Node2.  It points out using the SQL Cluster Network name for connecting to Reporting Services.
  I verified upon failover that I could still access the Reports and ReportServer URLs.  However, when wanting to add an SSL certificate to the RS configuration, I run into the warning of "mismatched address - the security certificate presented by
  this website was issued for a different website's address", where I can continue and get to the Reports or ReportManager URLs.
  I played with different certs (internal CA created) and SANs and other things, but I still get this error with the cert.  The Reports URL, for example, is <a href="https:///Reports">https://<SQLClusterNetworkName>/Reports, and the
  cert has a CN and Friendly Name of SQLClusterNetworkName (with SAN of DNS: SQLClusterNetworkName.<domain>), but the error still happens.
  What am I missing to eliminate the mismatched address warning when using the SQLClusterNetworkName as the base of the URLs?

  I got it working by using the FQDN as the common name on the SSL cert, with FQDN in RS URLs.

• Domain-wide administration port?

  Hi,
  I tried to start a cluster of 2 servers across 2 physical machines, I got error and server starting failed:
  "Starting Managed Servers in Standby mode requires the domain-wide administration port."
  My topology is as following:
  Domain A is created in machine A and copy to machine B:
  Machine A: admin serverr at port 8001. Managed server at port 8088 of cluster1.
  Machine B: Managed server at port 8088 of the same cluster1.
  What is wrong? Why I cannot start cluster? Why I got error " need domain-wide administration port"? What is "domain-wide administration port"? Why my created domain admin server at Machine A didn't work?
  Your prompt help is highly appreciated. I am waiting for your help.
  Thank you in advance

  Hi,
  First of all the domain-wide administration port enables you to start a WebLogic Server instance in STANDBY state. It also allows you to separate administration traffic from application traffic in your domain.
  so check in ur console whether u have specified the start up mode as STANDBY.if so change it to Running and try restarting the server:-
  You can do that by chking the below link:-
  http://e-docs.bea.com/wls/docs92/ConsoleHelp/taskhelp/startstop/SpecifyAStartupMode.html.
  Domain-wide administration port is used when you have configured ssl for ur servers. Refer http://e-docs.bea.com/wls/docs103/ConsoleHelp/taskhelp/domainconfig/EnableTheDomainwideAdministrationPort.html for more info.

• SSL Certs in 9ias How to install??

  I have 9ias installed on a W2000 server, 8.1.6 oracle enterprise edition. Am trying to generate a csr. As per documentation from Thawte, the key generates fine. When I go to generate the csr it keep defaulting to a "/usr/local/..." directory which doesn't exist. Has anyone installed a Thawte cert into the 9ias and made it work?

  I did not receive the file yet. I'm not sure if there were any specific errors to the apache part (there were numerous install problems which seem to be inherent to Oracle). Is there some way to get the file off of the CD and just copy it in??

• Is there any way to treat expired SSL certs in HTTPS connections as non-secure?

  Is there a way of navigating HTTPS websites as though they were HTTP, without adding any SSL exceptions?
  Obviously an expired/self signed SSL cert over HTTPS is no more dangerous than no encryption at all over HTTP.
  The Untrusted Connection dialog is a usability nusance, particularly for those of us who understand HTTPS.

  Check out:
  http://docs.iplanet.com/docs/manuals/enterprise/60sp1/ag/esecurty.htm#1008113
  You will need to turn on Client Auth as described above. Hope it helps.

• How to validate SSL cert on ASA5510, before changing DNS?

  I have recently installed an SSL certificate from a third party CA (GoDaddy) into an ASA5510 that I will be using as a VPN appliance for AnyConnect clients.
  The ASA is going to replace our VPN server, which currently has the vpn.domain.com FDQN assigned to its IP address in public DNS.  
  Is there a way for me to properly valiadate that the SSL cert will work without any issues (i.e. no invalid error messages popping up on users' AnyConnect clients) from the Internet, before I cut over public DNS to point to the public facing interface on the ASA5510 which is where vpn.company.com will ultimately be pointing to?

  Put vpn.domain.com in your local PC hosts file with the new IP. Then try Anyconnect.

• Changing SSL Cert, how do you update the trust profile for devices.

  I am in the process of changing out the ssl cert for the trust profile (going from a self-signed to a signed cert).  How do you update the trust profile on the devices already paired with the server.

  Yes, the linked smart object can be either raster or vector, but they will be placed as raster images, just as the embedded SO are.  SO can be embedded or linked to an outside file.  Edits to the original will not update in the original until you select "Update modified content from the menu" when you reopen the file that has the place SO in it.  otherwise it will update when you save the linked file.  Yes, there still is an advantage to having an embedded SO.  You may not want to maintain the links - send a file off and forget to include the linked files.  You may want to alter the SO, but not the original file.
  Ah, thanks. But does this mean that raster and vector smart objects can EITHER be located within the Photoshop file (as they have been since their advent) OR linked to an external file?
  And if so,
  1. Can this linked file be either raster or vector?
  2. Do edits to it automatically update the Photoshop file?
  3. Is ther any longer any advantage to having the smart object data stored within the Photoshop file when it can be linked?

• Dreaded "must be configured to use a valid SSL cert" - 2008 R2

  Hello everybody,
  I've been browsing through hundreds of topics on the dreaded "The RD Gateway server must be configured to use
  a valid SSL certificate" error using BPA (Windows Server 2008 R2 Std), but still haven't found a proper solution.
  Here's the issue: RDGW not operating properly and sometime accepting connections, sometimes not. 
  I have an external domain example.com and internally, the domain is example.local. I have one server serving Exchange and RD, this is the server responding to mail.example.com and I have an StartSSL issued cert for mail.example.com, which is properly configured
  on the server (OWA is working properly with autodiscover etc.). SSL bindings seem alright, default site is using the mail.example.com SSL cert.
  If I open the RDGW Manager and go to the SSL Certificate tab, the system looks happy by having the cert installed, everything looks fine. Sometimes I even manage to connect - connection is successful, I can normally connect to any of the servers or computers.
  On a second attempt, I just get the message, that the logon attempt had failed. If I run BPA on the server, I get the error of not having a proper SSL cert. If I select a self-signed cert, then also the BPA goes through, but then I have problems with connections
  since everybody would need this cert to have installed.
  From what I read, my problems are related to the issue that the FQDN of my server is servername.example.local and the cert is issued to mail.example.com. How can I make the thing only to talk via the mail.example.com cert? I don't think I can get a cert
  that'd also contain a SAN of servername.example.local from the CA.
  What can I do?

  Hi Andrej,
  Thanks for posting in Windows Server Forum.
  Here providing you the article for BPA’s configuration logs, where you can check. It also states that certificate are main problem related to this error. Please check certificate which you have bound have FQDN name of gateway server, the certificate is SSL
  certificate and it’s a trusted certificate. Also check that certificate which you have importing to RD gateway must be in local computer/personal store. For more information refer below article.
  1. Using the Remote Desktop Services BPA to analyze a Remote Desktop Gateway
  implementation
  2. RDS: The RD Gateway server must be configured to use a valid SSL certificate
  In addition, you need to specify the FQDN name of RD gateway under
  DefaultTSgateway in IIS setting. Please go through below article for details.
  RD Gateway/Web Access Outside the Firewall
  Hope it helps!
  Thanks,
  Dharmesh

• Install GoDaddy Wildcard SSL cert on GW WebAccess - ver.8

  I have followed all of the documentation regarding generating a CSR, creating the new eDirectory object from which that CSR is generated, then subsequently downloading and doing the "read from file" SSL cert installation, and it won't validate.
  I have a NetWare 6.5, SP8 server running Apache/Tomcat and it's our GroupWise WebAccess server (version 8).
  I want to encrypt the sessions as well as the authentication from the GW WebAccess login screen (right now, it's just http://).
  Our institution purchased a wildcard, unlimited subdomain, SSL certificate from GoDaddy to use for this, and other, SSL cert. needs.
  No matter what I do, it won't work.
  I am using ConsoleOne to create the new eDirectory object according to the documentation, generate the CSR, and install the certificate, but to no avail.
  Can anyone help?

  Originally Posted by AndersG
  Fmcunningham,
  > > I am looking at installing a cert as well. I have NOWS SBE 2.0
  > > upgrading to SBE 2.5 this weekend and would like to add a CA Cert. Do I
  > > need a Wild card cert to be able to accomplish this?
  >
  Only difference between a wildcard and a regular (apart from price) is that
  a wildcard covers all hosts in a domain,. Ie *.acme.com, whereas a regular
  cert only covers a named host, homer.acme.com
  - Anders Gustafsson (Sysop)
  The Aaland Islands (N60 E20)
  Novell has a new enhancement request system,
  or what is now known as the requirement portal.
  If customers would like to give input in the upcoming
  releases of Novell products then they should go to
  http://www.novell.com/rms
  I am running SBE 2.0 upgrading soon to SBE 2.5. I am not using sub domains, so I think I should be fine with just a normal cert. The real reason I want to go with a cert from a CA instead of a self signed is for webaccess.