The client wants to get a cert back with a name that matches the resource it connects to. Else, you connected to a resource but got a cert for a non-matching resource, so perhaps there was something like DNS spoofing that tricked you into going there. This is potentially bad.

Set up each instance to have a cert with a name that matches the vanity URL and put that cert in the ADAM service store. Ensure the cert is marked for server auth.

ADAM will pick it up directly this way, not ask SCHANNEL what the right cert is, and you can party on like it’s 1999.

There is a way to do this w/o a matching name, something about putting it in another field (perhaps it was alt subject, I’m not sure). I don’t know, I’m not much of a cert guy. I talked with the cert people once who said this should work and a customer confirmed it.

~Eric

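As an added illustration of the name check Eric describes above (example code written for this thread, not code from the list, from ADAM or from Windows), the following Python decides whether the cert an LDAPS endpoint presents is valid for the vanity name, preferring DNS subject-alternative-name entries over the subject CN as clients do. The vanity host, the port 636 default and the optional CA bundle path are assumptions; ADAM instances may listen on another port.

```python
import socket
import ssl
from typing import Optional


def _dns_name_match(pattern: str, hostname: str) -> bool:
    """RFC 6125-style comparison: case-insensitive; a wildcard is honoured
    only when it is the entire leftmost label of a name with 3+ labels."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """`cert` has the shape returned by ssl.SSLSocket.getpeercert().
    DNS SANs, when present, are authoritative and the CN is ignored;
    only a cert with no SAN falls back to the subject commonName."""
    san_dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if san_dns:
        return any(_dns_name_match(p, hostname) for p in san_dns)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and _dns_name_match(value, hostname):
                return True
    return False


def fetch_peer_cert(host: str, port: int = 636, cafile: Optional[str] = None) -> dict:
    """Connect to an LDAPS endpoint and return its parsed certificate.
    Chain validation stays on (optionally against a private CA bundle), but
    Python's built-in hostname check is disabled so a name mismatch can be
    reported explicitly instead of surfacing as a generic handshake failure.
    Port 636 is an assumed default, not something the thread states."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=5) as raw:
        # server_hostname sends SNI with the vanity name, as a real client would
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def check_vanity_url(vanity_host: str, port: int = 636, cafile: Optional[str] = None) -> bool:
    """True when the cert actually served for the vanity name matches that name."""
    return cert_matches_hostname(fetch_peer_cert(vanity_host, port, cafile), vanity_host)
```

Run `check_vanity_url` against each instance behind the round-robin record; an instance that returns False is the one serving a cert whose name does not cover the vanity URL.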
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Mr Oteece
Sent: Friday, February 10, 2006 9:22 AM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] SSL to ADAM with a vanity URL

 

Is it possible to set up two ADAM instances and have them both respond to the same "vanity url" over SSL? Both ADAMs are running on the same port. I currently just have a RR DNS record with both entries in it for testing. I have an SSL cert with the new name installed on both systems. Connections without SSL work fine, but SSL binds fail. Is this a supported config? Any ideas why it is not working?