Refer to Microsoft's web site for the latest updates to this procedure.
[.NET] Using SSL with ADAM
Obtaining a certificate
How to obtain a server certificate on a Windows 2003 Server. If you already have a certificate, import it into your "Personal store" and skip to the second section on Using the certificate with the ADAM service.
To create a certificate you need to install IIS and Certificate Authority. For information on how to install IIS refer to Microsoft. To install a Certificate authority check the "Certificate services" checkbox. (IIS should be installed before or at the same time as you install the certificate services). Once the installation is complete, request a certificate using your browser (address: http://localhost/certsrv):
- Click "Request a certificate"
- Click "Advanced certificate request"
- Click "Create and submit a request to this CA"
- In the "Name"-textbox write the full dns name of the server
- Make sure "Type of certificate" is "Server authentication certificate"
- Select PCKS10 as the format
- Optionally fill in the other information
- In the "Friendly name"-textbox write the full dns name of the server
- Click the submit button.
You have now created a certificate request. To create a certificate we need to process the request:
- Open "Control Panel \ Administrative Tools \ Certification Authority"
- Browse to the "Pending requests"-folder
- Locate the certificate request, right-click and select "All tasks \ issue".
The certificate has now been created and resides in the "Issued certificates"-folder. Next we need to download and install the certificate:
- Open http://localhost/certsrv
- Click "View the status of a pending certificate request"
- Click the certificate request
- Click the certificate to install it
Using the certificate with the ADAM service
To let our ADAM service use the certificate we need to put the certificate in the ADAM service's personal store:
- Select "Run..." from your start menu and type mmc. This will open the management console.
- Click "File \ Add/Remove snap-in"
- Click "Add..." and select "Certificates"
- Select "Service account"
- Select "Local computer"
- Select your ADAM instance service
- Add a new "Certificate" snap-in, but this time select "My user account" instead of "Service account"
- Click "Close" and "Ok"
- Open the "Personal"-folder under the "Certificates - Current user"-tree
- Select the certificate and copy it into the same location under "Certificates - adam instance name"
- Give the ADAM service account read permissions to the key using winhttpcertcfg (best practice) or by browsing to C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys (if these permissions are not set correctly you will get an error in the event log: Schannel ID: 36870 - "A fatal error occurred when attempting to access the SSL server credential private key. The error code returned from the cryptographic module is 0x6.")
- Restart your ADAM instance
Verifying that SSL is working
To verify that SSL is working with ADAM:
- Run the "ADAM Tools Command Prompt" from your ADAM program group
- Type "ldp" and hit enter
- Click "Connection \ Connect..."
- Type the DNS name of your server in the server textbox (localhost will not do here as the dns name is checked against the certificate)
- Enter the SSL port of your ADAM installation (636 or 50001 or whatever you chose during the installation of ADAM)
- Check the SSL checkbox and hit "OK"
If the installation was successful, you should get a lot of text in the right window and be able to bind using the "Connection \ bind..."-functionality.
If you still get the "8009030e No credentials are available in the security package" after the import, or you get an error when importing the keys into the LOCAL_MACHINE\Personal store, check that you/administrators have full access to "C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys". Try importing the certificates directly into both LOCAL_MACHINE\Personal and ADAM\Personal instead of copying them for the Current_user store.