Hi Steve,

Thanks for the tip.  I now have an operating theory as to what is going on. 

Our client certificates are issued from an internal root CA which does not chain up to a standard public root that is trusted by default.  Thus, to trust our certs, you have to have our root certificate installed in your trusted root certificates.

What appears to be happening is that ALL of our DCs are requesting a client certificate as I get a message in the event log saying “Creating an SSL client credential”.  However, all of the DCs but the one say in the next message “The remote server has requested SSL client authentication, but no suitable client certificate could be found. An anonymous connection will be attempted. This SSL connection request may succeed or fail, depending on the server's policy settings.”

The issue is that only this one DC has our internal root CA installed in its trusted roots, so it is the only one that trusts our client certificates and will try to go through with the exchange.

My question now is whether I should remove the trusted roots from the one DC in question or modify our DC policy to disallow client certificates altogether (if that is possible).  My instinct tells me that the latter would be better for performance since we don’t really need client certificates in the context of LDAP (we aren’t using them for authentication with our domain controllers), so the extra overhead of the handshake serves no purpose that I know of.

If we decide to disable client certificates, which of the various DC policies is the right one to set?  I want to make sure I don’t accidentally disable Kerberos signing which we still want to support.

Thanks again,

Joe
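As an added check, not part of this thread, the PowerShell below gathers from each DC what Joe compared by hand: whether the internal root CA sits in the machine's Trusted Root store, and how many of the two Schannel messages he quotes appear in the System log (Schannel logging must already be on, as in the KB article Steve linked). The DC names, the CA subject text and the one-day lookback are placeholders.

```powershell
# Added diagnostic, not from the original thread. Placeholders: DC names,
# the internal root CA's subject text, and the 1-day lookback window.
param(
    [string[]]$DomainControllers = @('DC1', 'DC2', 'DC3'),
    [string]$InternalRootSubjectMatch = 'Internal Root CA'
)

foreach ($dc in $DomainControllers) {
    Invoke-Command -ComputerName $dc -ArgumentList $InternalRootSubjectMatch -ScriptBlock {
        param($subjectMatch)

        # 1. Is the internal root present in the machine Trusted Root store?
        #    Only a DC that trusts the issuing root can complete the client-cert exchange.
        $root = Get-ChildItem Cert:\LocalMachine\Root |
            Where-Object { $_.Subject -like "*$subjectMatch*" }

        # 2. Schannel events from the last day that mention client-certificate handling.
        $events = Get-WinEvent -FilterHashtable @{
            LogName      = 'System'
            ProviderName = 'Schannel'
            StartTime    = (Get-Date).AddDays(-1)
        } -ErrorAction SilentlyContinue

        [pscustomobject]@{
            DC                   = $env:COMPUTERNAME
            InternalRootTrusted  = [bool]$root
            ClientCredEvents     = @($events | Where-Object Message -match 'Creating an SSL client credential').Count
            NoSuitableCertEvents = @($events | Where-Object Message -match 'no suitable client certificate').Count
        }
    }
}
```

A DC showing InternalRootTrusted = True with ClientCredEvents but no NoSuitableCertEvents is the one that actually negotiates the client certificate; the others log the "no suitable client certificate" fallback.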

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Steve Patrick
Sent: Friday, August 27, 2004 12:50 AM
To: [EMAIL PROTECTED]
Subject: Re: [ActiveDir] One of our DCs is requesting a client cert on SSL/LDAP connections

Can you enable Schannel logs per http://support.microsoft.com/default.aspx?scid=kb;EN-US;260729 and then make the app and system logs available?

-steve
