Skip to main content

Hi everyone, hope y’all having a great holiday season so far!

 

We’ve been reading non stop KB0017007 and could not get to work the LDAPs with the rotation of accounts. All of this was detected by a customer that captured the traffic between Password Safe and their AD and saw the credentials when the appliance rotated the passwords.

 

We tried every extention of Certificates (PBX,Cert,etc) and nothing could seem to work, so I come forward asking for some experience from everyone. Best practices say the UVM should not not be added to the AD (due to possbile GPO issues and other), and the customer uses a “*.customer.com” (wildcard) certificate for their whole roster of Servers, dont know how that pans out here.

 

Ports are ok, so far. So, connectivity issues are the least to check for now.

 

What are your experiences when Configuring and Enabling this feature? any tips and tricks or additional information are highly thanked.

 

Kind regards.

After installing wildcard certificate on UVM appliances and changed the domain managed system to use ssl. Are you getting any error when you test the functional account or password rotation or running directory queries?

After installing wildcard certificate on UVM appliances and changed the domain managed system to use ssl. Are you getting any error when you test the functional account or password rotation or running directory queries?

When we install the Certificate, we go to “Directory Credentials” and check the “Use SSL” box. Afterwards, Password Safe ask us to change te password. Since we were on a call with the customer, they changed it (they had their AD Admin) and we pasted the new password for this account, but it did not work and failed. Havent tried with SSL on the Managed System itself since we believed the result would be the same. Are the steps for the Managed System use of SSL the same? We add the certificate, and then check the box and restart the service on “REMEM.conf”?

From UVM appliance, try running below PowerShell commands to check the connectivity between UVM and Domain. 


Test-NetConnection <domain.com> -Port 636

>ADSI]("LDAP://<domain.com>:636")

Replace <domain.com> with your domain fqdn.

Not trying to offend but it sounds like you have some misunderstandings with certificates so I’m going to ask the basic question, are you using a proper lDAPS certificate? you must use the public certificate from your domain controllers. 

If you open the certificate on the general tab you should see this

The private key will be installed on each domain controller in your environment.

The other thing to check is that you have both the root cert and the intermediate cert installed on the appliance.

A wildcard cert is generally not an LDAPS certificate.

Reply


Badge Earners

  • BCIE: Privileged Remote Access
    Bruceyhas earned the badge BCIE: Privileged Remote Access
  • BCIE: Remote Support
    Bruceyhas earned the badge BCIE: Remote Support
  • BCA: Privileged Remote Access
    linehas earned the badge BCA: Privileged Remote Access
  • BCA: Password Safe
    linehas earned the badge BCA: Password Safe
  • BCA: Password Safe
    MedBouhas earned the badge BCA: Password Safe
Show all badges
Terms & ConditionsCookie settings