
Configuring SSL on an exacqVision Server for Active Directory/LDAP (Linux)

exacqVision 7.2 and higher:

Check the box labeled “Use SSL” on the “ActiveDirectory/LDAP” configuration page, then press “Apply”.


exacqVision prior to 7.2:

This article contains procedures for configuring SSL on exacqVision servers so that Active Directory binds and queries travel encrypted (LDAP over SSL/TLS on port 636) instead of in cleartext on port 389.

There are many ways to generate, install, and manage certificates in order to use SSL, but this document explains one simple option: exporting the trusted root certificate that already exists in your Active Directory domain and installing it on each exacqVision server, so that the server can verify the domain controller’s certificate.

Export Trusted Root Certificate for Your Domain

  1. Log in to any Windows workstation that has already been added to your domain. The login account must have at least local admin permissions.
  2. Start the Microsoft Management Console (mmc.exe).
  3. If you haven’t already, add the Certificates snap-in:

    a) On the File menu, click Add/Remove Snap-In.
    b) Select Certificates and click Add.
    c) When prompted, select the option to manage certificates for your user account (instead of the service or computer account).
    d) Click Finish.
    e) Click OK to complete this step.
  4. Expand Certificates – Current User in the left pane.
  5. Expand Trusted Root Certification Authorities.
  6. Select the Certificates folder to display your workstation’s currently installed CA certificates. The Issued To field should contain something similar to mydomain-ROOT-CA, where mydomain is your domain name.
  7. Right-click that Issued To entry, point to All Tasks, and select Export.
  8. In the Certificate Export Wizard, select the format choice of Base-64 encoded binary X.509 (.CER). Save it to a local .cer file that you can relocate later. You will then install this same certificate file on every exacqVision Server for which you intend to use SSL.


Certificate Database Location on exacqVision Server

Whenever exacqVision Server attempts to connect to an Active Directory server, it creates the following files in the installation directory, if necessary:

cert8.db
key3.db
secmod.db

These are the legacy NSS (Network Security Services) certificate, key, and security-module databases. The certutil command used below is the NSS tool that manages them (package libnss3-tools on Debian and Ubuntu).

Import Trusted Root Certificate into Each exacqVision Server

  1. On the exacqVision server, copy your trusted root certificate to the server’s installation directory at /usr/local/exacq/server.
  2. If you have not already verified your exacqVision Server’s LDAP configuration with SSL disabled, do this now. This will create your certificate database files if they do not exist already.
  3. Open a Terminal window and type the following:

    openssl s_client -connect FQDN:636 </dev/null 2>/dev/null | sed -ne '/-BEGIN CERTIFICATE-/,/-END CERTIFICATE-/p' > ad.pem && sudo mv ad.pem /usr/local/exacq/server
    where FQDN is the fully qualified domain name of your Domain Controller. Do not force an old protocol with -ssl3: SSLv3 is disabled on current domain controllers and no longer built into current OpenSSL, so let the client negotiate TLS. Redirecting standard input from /dev/null makes s_client exit as soon as the handshake completes.
  4. The command writes the certificate presented by the domain controller to ad.pem and moves the file into the server directory. If ad.pem is empty, the connection or the TLS handshake failed; rerun the openssl part without the 2>/dev/null to see the error.
  5. Change to the exacqVision server’s directory with

    cd /usr/local/exacq/server
  6. Run the following two commands:

    sudo certutil -d . -A -a -t "C,C,C" -i MY_CERT_FILE -n adca

    where MY_CERT_FILE represents your trusted root certificate file. The -a option tells certutil that the file is Base-64 (PEM) rather than binary DER, and "C,C,C" marks the certificate as a trusted CA for SSL, email, and object signing; then

    sudo certutil -d . -A -a -t "u,u,u" -i ad.pem -n ad

    If your certutil comes from NSS 3.35 or later, "-d ." defaults to the newer sql database format (cert9.db) and will not touch the cert8.db that the server uses; use "-d dbm:." in both commands to address the legacy database.
  7. In a Terminal window, restart your exacqVision server with the following command:

    sudo service edvrserver restart
  8. On your exacqVision server, run exacqVision Client and open the Active Directory/LDAP tab. Select the SSL checkbox (the port should automatically change to 636), and then click Apply. Your exacqVision Server should then reconnect to your Active Directory domain controller.
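The import procedure above, rewritten as a checked shell script. This is an added example, not Exacq’s code: it fetches the domain controller’s LDAPS certificate without forcing SSLv3, refuses a root file that is not Base-64 (the cause of the "error converting ascii to binary" message in the Windows procedure later on this page), confirms that the exported root actually issued the domain controller’s certificate before anything is imported, and then runs the same certutil -A and -L calls the procedure uses. The host name dc1.exacqts.local, the file names, and the EXACQ_DIR default are assumptions; it needs openssl and the NSS certutil (libnss3-tools on Debian and Ubuntu).

```shell
#!/bin/sh
# Added example, not part of exacqVision: checked version of the Linux
# import procedure. Host names, file names and EXACQ_DIR are assumptions.

EXACQ_DIR=${EXACQ_DIR:-/usr/local/exacq/server}
# NSS 3.35+ defaults "-d dir" to the sql format (cert9.db); the dbm: prefix
# selects the legacy cert8.db/key3.db/secmod.db files the server created.
NSS_DB="dbm:$EXACQ_DIR"

# Print only the PEM certificate blocks found on stdin (what openssl s_client
# prints for the server certificate, or the whole chain with -showcerts).
extract_pem_certs() {
    awk '/-----BEGIN CERTIFICATE-----/ { keep = 1 }
         keep { print }
         /-----END CERTIFICATE-----/ { keep = 0 }'
}

# Number of PEM certificates in a file. 0 means the file is missing, empty,
# or a binary DER export (certutil: "error converting ascii to binary").
pem_cert_count() {
    [ -r "$1" ] || { echo 0; return; }
    grep -c -e '-----BEGIN CERTIFICATE-----' "$1" || true
}

# Fetch the certificate the domain controller presents on 636.
# No "-ssl3": SSLv3 is refused by current DCs and absent from current OpenSSL.
# stdin from /dev/null makes s_client exit right after the handshake.
fetch_dc_cert() {                       # fetch_dc_cert dc1.exacqts.local ad.pem
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null |
        extract_pem_certs > "$2"
    [ "$(pem_cert_count "$2")" -ge 1 ]  # empty file = connection/handshake failed
}

# Fail unless the exported root issued the DC certificate; importing the wrong
# root would only surface as a failed LDAP connection after the restart.
# (With an intermediate CA, fetch with -showcerts and add -untrusted ad.pem.)
verify_dc_cert() {                      # verify_dc_cert mydomain-ROOT-CA.cer ad.pem
    openssl verify -CAfile "$1" "$2" >/dev/null
}

# Import the root as a trusted CA ("C,C,C") and the DC certificate as the
# procedure does ("u,u,u"). -a: the inputs are Base-64/PEM, not DER.
import_into_nss() {                     # import_into_nss mydomain-ROOT-CA.cer ad.pem
    [ "$(pem_cert_count "$1")" -ge 1 ] || {
        echo "$1 is not a Base-64 export; re-export it from MMC as Base-64 X.509" >&2
        return 1
    }
    certutil -d "$NSS_DB" -A -a -t "C,C,C" -n adca -i "$1" &&
    certutil -d "$NSS_DB" -A -a -t "u,u,u" -n ad   -i "$2" &&
    certutil -d "$NSS_DB" -L                        # adca should be listed as C,C,C
}

# Typical run, as root (certutil must write to the server directory):
#   fetch_dc_cert dc1.exacqts.local /tmp/ad.pem
#   verify_dc_cert /tmp/mydomain-ROOT-CA.cer /tmp/ad.pem
#   import_into_nss /tmp/mydomain-ROOT-CA.cer /tmp/ad.pem
#   service edvrserver restart
```

Only after import_into_nss lists the root with C,C,C is it worth enabling the SSL checkbox in the Client; if the connection still fails afterwards, verify_dc_cert against the file you imported is the quickest way to tell a wrong root from a wrong host name.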


Configuring-SSL-on-an-exacqVision-Server-for-Active-Directory-LDAP-Linux.pdf

LDAP Server Signing Requirements

If your domain environment has the GPO “Domain controller: LDAP server signing requirements” set to Require signing, the domain controller rejects simple LDAP binds that are not protected by SSL/TLS, so you must connect to Active Directory or LDAP using SSL (port 636).

In Windows, follow the steps in Article 2160.

A similar Linux procedure is pending and will be posted here when available.


Troubleshooting Active Directory Error Messages

Error: “Client Side Kerberos Authentication Failed”

Cause: The setspn command was not run on all Active Directory Servers, or the SPN is registered on more than one account (a duplicate SPN).

Solution: On the DC, run the setspn command as directed in the appropriate ExacqVision Active Directory setup guide, or run setspn -X to check for duplicates. If a duplicate is found, remove the SPN from all but one of the accounts (setspn -D).


Error: “User not authenticated in LDAP”

Cause: Windows 2000 or earlier Active Directory Domain Functional Level.

Solution: Upgrade the Functional Level of your Domain to Windows 2003 or higher.
See How to raise Active Directory domain and forest functional levels for details.

Alternate Solution:

  • If you are using ExacqVision 4.8 or newer, you can edit the StreamPI.xml file. Change the value of EnableActiveDirectoryUserDisabling from 1 to 0. Treat this as a temporary workaround: as the name indicates, it turns off the server’s handling of disabled Active Directory user accounts, so prefer raising the functional level.
  • If you are using an ExacqVision version earlier than 4.8, contact support@exacq.com to obtain an updated DLL.

Error: The connection to the server always shows “Disconnected” in the ExacqVision Client.

Cause: The Binding DN is incorrect.

Solution: Complete the following procedure:

  1. Download Softerra LDAP Browser. (Be sure to click the tab for Browser, NOT Administrator.)
  2. Install and Run LDAP Browser.
  3. Click File and then New Profile.
  4. Enter a name for your new profile and click Next.
  5. Enter the hostname of your AD server in the Host field (or click the Lookup Servers button if you don’t know the host).
  6. Click Next.
  7. Select Currently Logged On User.
  8. Click Finish.
  9. Highlight the new profile you just created in the left panel.
  10. In the Find What box at the top of the right panel, enter the username used to connect to Active Directory in the ExacqVision software.
  11. Press Enter.
  12. After the search completes, find the correct user account.
  13. Right-click the user account and select Properties.
  14. Copy the string in the top portion of the Properties Panel (it should start with CN=).
  15. Paste this string into the Binding DN section of your ExacqVision Client and click Apply.

Error: “Connected, SPN not found”

While there are other possible causes, it’s common for a ‘Binding DN’ to be an extended string that is easy to mistype. For instance the following Distinguished Name will work, but must be typed exactly:

CN=exacqSVC,OU=ServiceAccounts,OU=SecurityGroups,OU=Indiana,OU=US,DC=exacqts,DC=local

Any incorrect spacing or punctuation prevents the SPN from being set, and you will see the following in the Server log:

StreamPI Warning LDAP: Bind DN was not found. Unable to create SPN.

You can also try the Username instead. In this instance, the username (UPN) for that account is:

exacqSVC@exacqts.local
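Before pasting a Binding DN into the Client, it is worth checking it outside exacqVision. As an added example (not Exacq’s code, and a command-line counterpart to the Softerra steps above), the script below flags the spacing and punctuation mistakes behind the “Bind DN was not found” warning, derives the search base from the DN, checks the UPN form, and shows an ldapsearch bind over LDAPS that trusts the exported root certificate. The DN and UPN are the ones from the text; dc1.exacqts.local, the certificate path, and an installed ldapsearch (OpenLDAP client tools) are assumptions.

```shell
#!/bin/sh
# Added example, not part of exacqVision. Sample values are constructed.

# Report syntax problems in a Binding DN (attr=value RDNs separated by commas,
# e.g. CN=exacqSVC,OU=ServiceAccounts,DC=exacqts,DC=local). Returns 1 if any
# problem is found. Assumes no escaped commas ("\,") inside values.
check_bind_dn() {
    printf '%s' "$1" | awk -v RS=',' '
        BEGIN { ok = 1; n = 0; ndc = 0 }
        {
            rdn = $0; n++
            sub(/\n$/, "", rdn)
            if (rdn ~ /^[ \t]/ || rdn ~ /[ \t]$/) {
                printf "stray space around RDN [%s]\n", rdn; ok = 0
                gsub(/^[ \t]+|[ \t]+$/, "", rdn)
            }
            if (rdn !~ /^[A-Za-z][A-Za-z0-9-]*=[^=]+$/) {
                printf "RDN [%s] is not attr=value\n", rdn; ok = 0; next
            }
            attr = toupper(substr(rdn, 1, index(rdn, "=") - 1))
            if (attr == "DC") ndc++
            if (n == 1 && attr != "CN") {
                printf "first RDN should name the account (CN=...), got [%s]\n", rdn; ok = 0
            }
        }
        END {
            if (n == 0)   { print "empty DN"; ok = 0 }
            if (ndc == 0) { print "no DC= components, the DN names no domain"; ok = 0 }
            exit (ok ? 0 : 1)
        }'
}

# Search base for the domain: only the DC= components, in order.
base_dn_from_dn() {
    printf '%s' "$1" | awk -v RS=',' '
        { rdn = $0; sub(/\n$/, "", rdn); gsub(/^[ \t]+|[ \t]+$/, "", rdn)
          if (toupper(substr(rdn, 1, 3)) == "DC=")
              base = (base == "" ? rdn : base "," rdn) }
        END { print base }'
}

# The UPN alternative the text mentions (exacqSVC@exacqts.local):
# one @, a dotted domain, and only the characters a typical UPN contains.
check_upn() {
    case $1 in
        *[!A-Za-z0-9._@-]*|*@*@*) echo "UPN has unexpected characters: [$1]" >&2; return 1 ;;
        ?*@?*.?*) return 0 ;;
        *) echo "UPN should look like user@domain.tld: [$1]" >&2; return 1 ;;
    esac
}

# Bind as the service account over LDAPS and read its own entry. Exit 0 means
# the DN exists, the password is right, and the root file is trusted; exit 49
# (invalid credentials) means the DN or password is wrong. ldapsearch reads the
# CA file from LDAPTLS_CACERT and prompts for the password with -W.
ldaps_bind_test() {    # ldaps_bind_test dc1.exacqts.local "$BIND_DN" /tmp/mydomain-ROOT-CA.cer
    LDAPTLS_CACERT="$3" ldapsearch -H "ldaps://$1:636" -x -W \
        -D "$2" -b "$2" -s base '(objectClass=*)' dn
}

# Typical use:
#   DN='CN=exacqSVC,OU=ServiceAccounts,OU=SecurityGroups,OU=Indiana,OU=US,DC=exacqts,DC=local'
#   check_bind_dn "$DN" && base_dn_from_dn "$DN"
#   ldaps_bind_test dc1.exacqts.local "$DN" /tmp/mydomain-ROOT-CA.cer
```

A DN that passes check_bind_dn can still be wrong (the account may live in a different OU), which is what the ldaps_bind_test step catches; a DN that fails it will never bind, whatever the password.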



Configuring SSL on an exacqVision Server for Active Directory/LDAP (Windows)

exacqVision 7.2 and higher:

Check the box labeled “Use SSL” on the “ActiveDirectory/LDAP” configuration page, then press “Apply”.

exacqVision prior to 7.2:

This article contains procedures for configuring SSL on exacqVision servers so that Active Directory binds and queries travel encrypted (LDAP over SSL/TLS on port 636) rather than in cleartext.

There are a number of ways to generate, install, and manage certificates in order to use SSL; this article describes one of the easiest. You export the trusted root certificate that already exists in your Active Directory domain and install it on each of your exacqVision Servers, which lets each server verify the domain controller’s certificate and enable SSL. Step-by-step instructions follow.

Export Trusted Root Certificate for Your Domain

  1. Log in to any Windows workstation that has already been added to your domain. You must have at least local admin permissions.
  2. Start the Microsoft Management Console (mmc.exe).
  3. If you haven’t already, add the Certificates snap-in:

    a) On the File menu, click Add/Remove Snap-In.
    b) Select Certificates and click Add.
    c) When prompted, select the option to manage certificates for your user account (instead of the service or computer account).
    d) Click Finish.
    e) Click OK to complete this step.
  4. Expand Certificates – Current User in the left pane.
  5. Expand Trusted Root Certification Authorities.
  6. Select the Certificates folder to display your workstation’s currently installed CA certificates. The Issued To field should contain something similar to mydomain-ROOT-CA, where mydomain is your domain name.
  7. Right-click that Issued To entry, point to All Tasks, and select Export.
  8. In the Certificate Export Wizard, select the format choice of Base-64 encoded binary X.509 (.CER). Save it to a local .cer file that you can relocate later. You will then install this same certificate file on every exacqVision Server for which you intend to use SSL.


Certificate Database Location on exacqVision Server

Whenever exacqVision Server attempts to connect to an Active Directory server, it creates the following files in the installation directory, if necessary:

  • cert8.db
  • key3.db
  • secmod.db

These are NSS (Network Security Services) certificate, key, and security-module databases, so the certutil used throughout this article is the NSS certutil, not the unrelated certutil.exe that Windows ships in System32 (a different tool with different options). Run from the exacqVision Server installation directory, the following command lists all certificates, including the trusted root certificates, that you have made available to that exacqVision Server for connecting to the directory via SSL:

certutil -L -d .

Import Trusted Root Certificate into Each exacqVision Server

  1. On the actual exacqVision Server, copy your trusted root certificate to the server’s installation directory.
  2. If you have not already verified your exacqVision Server’s LDAP configuration with SSL disabled, do this now. This will create your certificate database files if they do not exist already.
  3. From within the server’s installation directory, open a Command Prompt as a local administrator and execute the following command:

certutil -A -n "my domain ca cert" -t "C,C,C" -a -i my_cert_file.cer -d .

where my_cert_file.cer represents your trusted root certificate file, and my domain ca cert represents the name by which you want this certificate to be known in the database. The -a option tells certutil that the file is Base-64 (PEM) rather than binary DER, and "C,C,C" marks the certificate as a trusted CA for SSL, email, and object signing.

  4. If you get a certutil error similar to “error converting ascii to binary,” re-export your certificate. You probably did not select the “Base-64 encoded” format option as indicated.
  5. If you do not get any error messages, your trusted root certificate should have been imported into your certificate database. Verify by executing this command:

certutil -L -d .

  6. If your certificate was imported successfully, the listing will show “my domain ca cert” with the trust attributes “C,C,C”.
  7. On your exacqVision Server, run exacqVision Client and open the Active Directory/LDAP tab. Select the SSL checkbox (the port should automatically change to 636), and click Apply. Your exacqVision Server should then reconnect to your Active Directory domain controller.

NOTE: The attached article is an older document pertinent to using SSL for communication with an Active Directory or LDAP server.


Configuring-SSL-on-an-exacqVision-Server-for-Active-Directory-LDAP-Windows-1.pdf