11-08-2013 08:44 PM - edited 03-10-2019 09:04 PM
I have installed an ISE 1.2.0.899. It is used for Guest Services only; the customer requires that all its employees be able to access the sponsor portal and validate their credentials using LDAPS. Not LDAP, not the AD feature in ISE. The problem is that in order to enable LDAPS I must upload the root CA certificate to ISE, and the customer is not providing the root CA certificate for security reasons (?); they said the certificate chain should be enough. Even the ISE user guide indicates root CA or certificate chain. So, the customer downloaded the certificate chain from its PKI (Microsoft 2008) and gave it to me, but it is in .p7b (PKCS#7) format (they said there is no choice to select another format). This format is not supported by ISE, so I needed to use third party tools to convert the file (www.sslshopper.com and openssl). It appears the conversion is successful, but when I try to upload it to the ISE Certificate Store I always get the same error: "Unable to read certificate file - please be sure file is in PEM or DER format".
So the questions are:
1. Is the file provided by the PKI in p7b format always?
2. What should be the most proper way to convert the file to something the ISE can understand?
3. Should the root CA certificate be the very best option?
Despite the conversion problems indicated above, I tried to open and convert the file using the mmc. I know the certificate chain has three files; I recovered them and uploaded them to ISE. With two of these three files selected in the LDAPS security configuration I can run the "Test bind to Server" successfully, but every time a user tries with their own credentials the access is always denied with an "invalid username or password" error.
Looking in the ISE log I found these messages:
ERROR,0x2b263618c940,LdapSslConnectionContext::checkCryptoResult(id = 634): error message = SSL alert: code=0x230=560 ; source=local ; type=fatal ; message="Unknown CA - error unable to get issuer certificate locally",LdapSslConnectionContext.cpp:226
ERROR,0x2b263618c940,LdapConnectionBindingState::onInput(id = 634): bind ended with an error: 117,LdapConnectionStates.cpp:396
631,WARN ,0x2b263618c940,NIL-CONTEXT,Crypto::Result=1, Crypto.SSLConnection.pvClientInfoCB - Alert raised: code=0x230=560, where=0x4008=16392, source=local,SSLConnection.cpp:2765
WARN ,0x2b263618c940,NIL-CONTEXT,Crypto::Result=102, Crypto.SSLConnection.writeData - failed write the data,SSLConnection.cpp:970
ERROR,0x2b263618c940,LdapSslConnectionContext::checkCryptoResult(id = 634): crypto result = 102,LdapSslConnectionContext.cpp:202
ERROR,0x2b263618c940,cntx=0000005789,user=tmxedscalcan,LdapServer::onAcquireConnectionResponse: failed to acquire connection,LdapServer.cpp:461
ERROR,0x2b263436e940,NIL-CONTEXT,[ActiveDirectoryClient::openCdcConnection] Can't open CDC session due to error 32: ADClient is not running,ActiveDirectoryClient.cpp:1328
ERROR,0x2b263436e940,NIL-CONTEXT,[ActiveDirectoryClient::connectClient] AD CDC client connection failed!,ActiveDirectoryClient.cpp:117
ERROR,0x2b263436e940,NIL-CONTEXT,ActiveDirectoryIDStore::performConnection - Connecting client failed,ActiveDirectoryIDStore.cpp:608
I have no idea what they mean.
Someone told me the conversion made with mmc on my PC was an error and I need to repeat the same process using administrative tools on a server.
I'm really confused and I don't know how to continue with a troubleshooting process.
How can I know the original file is correct?
How can I know the conversion is correct?
As the original chain includes three certificates, should I upload them to ISE separately or as one file?
Attached is the Sponsor policy screenshot. I have two rules with the same conditions, one for AD (just for test), one for LDAPS.
I will appreciate your help
Regards.
Daniel Escalante
11-10-2013 03:27 AM
Hi,
If you open the .p7b file on a Windows machine (Open, not Install):
Go to the Certification Path and click on the root certificate, click View Certificate.
Now you have the root certificate.
Go to Details and click Copy to File. This gives you the option to export the root cert.
Click Next; here you can select to save as Base-64 encoded (DER), which you can import in ISE.
Click Next and save. Then try to import it under Server certificates on ISE.
You can do this for the sub-CA cert in the chain as well.
HTH
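The same extraction done with openssl instead of the Windows certificate viewer, as an added example that is not part of the thread or of ISE. It answers the questions raised in the original post (how to check that the .p7b conversion is correct, and how to get one PEM file per certificate so the root and sub-CA can be imported individually as the answer above describes) and adds the chain check a practitioner would run before blaming ISE. It assumes openssl 1.1.1 or later on PATH; with no argument it builds a constructed three-tier demo chain (root, sub-CA, LDAP server) so it runs offline, and the names Demo Root CA, Demo Sub CA and ldap.example.test are made up for that demo. Pass the real chain.p7b as the first argument to process that instead.

```shell
#!/bin/sh
# Added example, not from the thread: turn a PKCS#7 (.p7b) chain into plain PEM
# certificates, split them one per file, find the root, and verify the chain with
# openssl. Assumes openssl (1.1.1 or later) is on PATH.
set -e

# Build a constructed demo chain and bundle it as a DER-encoded .p7b, the form a
# Windows CA exports. Nothing here is the customer's PKI; it only stands in for it.
make_demo_p7b() {
  d="$1"
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
  printf 'basicConstraints=CA:FALSE\nextendedKeyUsage=serverAuth\n' > "$d/leaf.ext"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Root CA" \
    -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
  openssl x509 -req -in "$d/root.csr" -signkey "$d/root.key" -days 3650 -sha256 \
    -extfile "$d/ca.ext" -out "$d/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=Demo Sub CA" \
    -keyout "$d/sub.key" -out "$d/sub.csr" 2>/dev/null
  openssl x509 -req -in "$d/sub.csr" -CA "$d/root.pem" -CAkey "$d/root.key" \
    -CAcreateserial -days 1825 -sha256 -extfile "$d/ca.ext" -out "$d/sub.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=ldap.example.test" \
    -keyout "$d/ldap.key" -out "$d/ldap.csr" 2>/dev/null
  openssl x509 -req -in "$d/ldap.csr" -CA "$d/sub.pem" -CAkey "$d/sub.key" \
    -CAcreateserial -days 365 -sha256 -extfile "$d/leaf.ext" -out "$d/ldap.pem" 2>/dev/null
  openssl crl2pkcs7 -nocrl -certfile "$d/ldap.pem" -certfile "$d/sub.pem" \
    -certfile "$d/root.pem" -outform DER -out "$d/chain.p7b"
}

# Extract the certificates from a .p7b (DER first, then PEM). openssl prints a
# subject=/issuer= header above each certificate; keep only the PEM blocks so the
# output file is pure PEM with nothing an importer could trip over.
p7b_to_pem() {
  { openssl pkcs7 -inform DER -in "$1" -print_certs 2>/dev/null ||
    openssl pkcs7 -inform PEM -in "$1" -print_certs; } |
    awk '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/' > "$2"
}

# Split a PEM bundle into cert-1.pem, cert-2.pem, ... and print how many were found.
split_pem() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = dir "/cert-" n ".pem" }
    f != ""                       { print > f }
    /-----END CERTIFICATE-----/   { close(f); f = "" }
    END                           { print n + 0 }' "$1"
}

# The root is the certificate whose issuer equals its subject (self-signed).
find_root() {
  for c in "$1"/cert-*.pem; do
    s=$(openssl x509 -in "$c" -noout -subject); s="${s#subject=}"
    i=$(openssl x509 -in "$c" -noout -issuer);  i="${i#issuer=}"
    [ "$s" = "$i" ] && echo "$c"
  done
  return 0
}

# Print the split file whose subject contains the given string (e.g. a CN).
find_cert() {
  for c in "$1"/cert-*.pem; do
    openssl x509 -in "$c" -noout -subject | grep -q -- "$2" && { echo "$c"; return 0; }
  done
  return 1
}

# Verify leaf -> sub-CA -> root the way a TLS client does; returns openssl's status.
verify_chain() {  # args: trusted root, untrusted intermediate, leaf
  openssl verify -CAfile "$1" -untrusted "$2" "$3"
}

WORK=$(mktemp -d)
P7B="${1:-}"
if [ -z "$P7B" ]; then
  make_demo_p7b "$WORK"
  P7B="$WORK/chain.p7b"
fi
p7b_to_pem "$P7B" "$WORK/chain.pem"
echo "certificates in chain: $(split_pem "$WORK/chain.pem" "$WORK/split")"
ROOT=$(find_root "$WORK/split")
echo "root CA (the file to import into the ISE certificate store): $ROOT"
openssl x509 -in "$ROOT" -noout -subject -fingerprint -sha256
if [ -z "${1:-}" ]; then
  SUB=$(find_cert "$WORK/split" "Demo Sub CA")
  LEAF=$(find_cert "$WORK/split" "ldap.example.test")
  verify_chain "$ROOT" "$SUB" "$LEAF"
  # With only the sub-CA trusted and no root, the verifier cannot find the issuer:
  # the same "unable to get issuer certificate" situation the ISE log reports.
  verify_chain "$SUB" "$SUB" "$LEAF" 2>&1 || true
fi
```

Run it as `sh p7b_chain.sh chain.p7b` against the real export: the printed count tells you whether all three certificates survived the conversion, the self-signed one is the root, and the SHA-256 fingerprint can be compared with what the PKI administrators see on their side. The last `verify_chain` call deliberately omits the root to show what a missing trust anchor looks like from the client's point of view.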
11-11-2013 02:42 PM
Hi Mikael:
Up to now all my tests have been satisfactory.
Thank you so much.
Regards