ammenell -> ISA in DMZ: can't connect to DC over LDAP (29.May2008 6:55:27 AM)
Hi @all, I'm new to Exchange and ISA. While searching for some help I found this site, and it was quite helpful for some past issues. Now I have another problem but just can't find something similar, so I registered and hopefully you guys can help me. I hope I posted my question in the right topic; otherwise please move it where it belongs.

I want to configure an ISA 2006 array to publish OWA, RPC over HTTP and ActiveSync. Both ISA servers of the array (one server is CSS, the other runs the services) are in a workgroup in a DMZ, not members of the actual domain.

My current main problem is the pre-authentication over LDAP. For this, I used two tutorials:

1) http://www.isaserver.org/tutorials/LDAP-Pre-authentication-ISA-2006-Firewalls-Part1.html (obviously parts 1-4)
2) a German site: http://www.msisafaq.de/Anleitungen/2006/Firewallrichtlinien/OWALDAP.htm

The difference between both sites: whereas 1) has its priority on LDAP over SSL, and therefore works with certificates, 2) just connects to the GC. I want to realize LDAPS, but for testing I set up a test environment where I first want to configure LDAP, after that working further to establish the LDAPS connection with certificates.

The lab is set up like the original productive network: root domain, sub domain with Exchange Server 2007, workgroup with ISA Server 2006 (single server, no array).

My current main problem is connecting to the LDAP server: I configured the DC of the root domain and the sub domain as LDAP servers and added a user to the root domain who has ordinary domain user rights. The account is tested and working (logged on to the domain). I also created a user in the sub domain with the same rights and tested the account, too.

But both users won't be accepted when trying to set up a new user set in the firewall policy toolbox/users: here I set up the user set with a name and the LDAP Server Set I just configured, and when asked for a user name and password for accessing the LDAP server, with both users I get the error "the specified user name is not valid". There is also a different error message available at this point: for example, with a wrong password it says "access to the LDAP server was denied". But both users are able to log in to their DCs, port 389 is connectable, and I can connect to both DCs using LDP.exe and bind with both user credentials. Could anyone help me out? I just can't figure out where my mistake is....

I have another question regarding the certificates necessary for LDAPS connections: is there any possibility to work around the CA issue? Requesting the certificate from an external CA or setting up an internal CA is no option here. Is there anything like SelfSSL for creating those certificates? SelfSSL wouldn't work, since SelfSSL can't handle the certificate requirements (http://support.microsoft.com/default.aspx?scid=kb;en-us;321051), is that right?

Tell me if you need some additional information.

Regards