I'm following what should be simple instructions to enable LDAP SSL on our domain controller (instructions here). Duplicating the Kerberos certificate is successful; however, when attempting to select "Certificate Template to Issue", the created certificate does not appear. What gives? A long time ago, I actually completed this step on a now-decommissioned DC with no problem.

Our environment is Windows Server 2008 Standard, and we have two domain controllers. Only one has the role of certificate authority. I look forward to any help here, thank you ahead of time.

Sean

1 Answer

You need to either use Windows 2008 Enterprise (which is allowed to issue v2 and v3 templates, such as the duplicate of the Kerberos template that you created), or upgrade to Windows 2008 R2 Standard from 2008 Standard (which gets rid of this pointless restriction on template versions for the Standard edition).

Shane Madden
  • Is there a way to enable LDAP SSL on our servers without R2 or Enterprise? Our servers are x86 and it seems R2 requires a 64 bit processor. – Sean Nov 03 '12 at 19:45
  • How's your certificate authority set up? There's nothing preventing you from giving the system a cert from a template that can do LDAP/S and that your 2008 Standard system is allowed to use, such as the Domain Controller, Server Authentication, or Web Server templates. Also, you really should accept answers to your older questions if they've solved your issues. – Shane Madden Nov 03 '12 at 19:52
  • Our CA is set up on our DC as an Enterprise (as opposed to standalone, for no particular reason). When attempting to issue a certificate, none of the certs that you mention appear, even if I first duplicate one of the mentioned certificates, such as Domain Controller; I'm assuming due to the Server 2008 Standard limitation. Am I to complete a different process based on your scenario? I honestly appreciate your help. Also, thanks for pointing that out regarding my answers. I honestly did not know how to accept the answers until just now. – Sean Nov 03 '12 at 21:47
  • @Sean In the Certificate Authority MMC snap-in, do you have the "Certificate Templates" container in the list on the left? – Shane Madden Nov 03 '12 at 22:00
  • Yes I do, and here is a screenshot along with the "Certificate Template to issue" dialog displayed: http://i.imgur.com/jES61.png – Sean Nov 03 '12 at 22:14
  • @Sean Aha! The templates that we want are already in the authorized list of templates on the server. So let's do this - run `mmc.exe`, File -> Add Snap-in. Add "Certificates", then in the dialog that comes up "Computer Account" and "Local Computer". Hit OK on the "Add Snap-in" dialog, then expand "Certificates (Local Computer)" and select "Personal". There might already be an applicable certificate in there - check what's present. If there isn't, right-click "Personal", then All Tasks -> Request New Certificate. The CA can issue the right cert so it should allow, but let me know what happens. – Shane Madden Nov 03 '12 at 22:23
  • That was it! All seems to be working just fine after testing with the ldap app. Thank you so much! – Sean Nov 04 '12 at 01:26
  • @Sean Nice, glad to hear it! – Shane Madden Nov 04 '12 at 01:32
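
The "check what's present" step from the comments (Certificates (Local Computer) > Personal), as an added PowerShell example that is not part of the original thread. The criteria it reports (private key, validity period, Server Authentication EKU, DC name in the subject or SAN) are the usual LDAPS certificate requirements and are an addition here; resolving the FQDN from `$env:COMPUTERNAME` is an assumption.

```powershell
# Added example, not from the thread. Run on the domain controller.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'    # Server Authentication EKU
# Assumption: the local host entry resolves to the DC's FQDN
$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
# Match the FQDN as a whole name, not as a substring of a longer one
$namePattern = '(^|[=,\s])' + [regex]::Escape($fqdn) + '($|[,\s])'
$now = Get-Date

# Cert:\LocalMachine\My is the "Personal" store of the Local Computer account
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $ekus = @()
    $san  = ''
    foreach ($ext in $cert.Extensions) {
        # Collect the OIDs listed in the Enhanced Key Usage extension
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) { $ekus += $oid.Value }
        }
        # Subject Alternative Name, rendered as single-line text
        if ($ext.Oid.Value -eq '2.5.29.17') {
            $san = $ext.Format($false)
        }
    }
    New-Object PSObject -Property @{
        Subject       = $cert.Subject
        NotAfter      = $cert.NotAfter
        HasPrivateKey = $cert.HasPrivateKey
        InValidity    = ($cert.NotBefore -le $now -and $now -le $cert.NotAfter)
        ServerAuthEku = ($ekus -contains $serverAuthOid)
        NameMatch     = ("$($cert.Subject), $san" -match $namePattern)
    }
} | Select-Object Subject, NotAfter, HasPrivateKey, InValidity, ServerAuthEku, NameMatch |
    Format-List
```

A certificate that shows True for all four flags is a candidate for LDAPS; if none does, the "Request New Certificate" step from the comments applies.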