GroupWise SSL LDAP Authentication to Active Directory using Microsoft's Certificate Authority

(Last modified: 27Feb2006)

This document (10093111) is provided subject to the disclaimer at the end of this document.

goal

GroupWise SSL LDAP Authentication to Active Directory using Microsoft's Certificate Authority

fact

Novell GroupWise 6.5

Novell GroupWise 6.5 Support Pack 1

Novell GroupWise 32 bit Client

Microsoft Windows 2000 Server

Microsoft Certificate Authority

symptom

204 LDAP Error: 65535

204 LDAP Error: Unknown error

204 Error: LDAP failure detected [D06B] User:User1

Error 65535 Cause/Make sure your Post Office Properties | Security | SSL Key File is ...

cause

The POA and Active Directory are not set up correctly for SSL encryption of LDAP authentication using the Microsoft Certificate Authority.

fix

Setting up SSL LDAP authentication using Microsoft's Certificate Authority requires
  a) generation of an SSL Key file
  b) configuration of GroupWise for LDAP Servers and
  c) Post Office configuration 

Note: The Active Directory environment, not the Novell environment, must provide the LDAP and SSL services for this to work correctly.

Generating the SSL Key File:

1. In a web browser, go to the certificate authority on the Windows 2000 AD Domain Controller:  http://caname/certsrv  (replace caname with the NetBIOS name of the CA server)
2. Select the option "Retrieve the CA certificate or certificate revocation list"
3. Make sure that the DER Encoded option is selected
4. Select the option "Download CA certificate"
5. Save the certificate with a .cer extension (e.g. GWCERT.CER)
     - This is the Trusted Root Certificate (the CA's own certificate, not a server certificate)
     - Use an 8.3 file name so that the POA is able to open this certificate
6. Copy this file to the GroupWise Windows 2000 member server or NetWare POA server
     - place the file in the post office directory, the directory that contains wphost.db (e.g. \\MYSERVER\MAILVOL\POSTOFFICE\GWCERT.CER)

Configure GroupWise for LDAP Servers:

1. In Console One select the Tools menu | GroupWise System Operations | LDAP Servers...
2. Click Add to add a new LDAP Server
3. Enter a Name for the server
4. Enter a Description for the server (optional)
5. Check Use SSL
6. Enter the complete path to the SSL Key File
     - if the Browse button is used to locate the key file, the path it fills in may need to be modified as noted below
     - The path for a NetWare POA server uses a UNC path (e.g. \\MYSERVER\MAILVOL\POSTOFFICE\GWCERT.CER)
     - The path for a Windows 2000 POA server requires you to specify the drive letter in the path (e.g. C:\POSTOFFICE\GWCERT.CER)
7. Click the Edit button at the end of the LDAP Server Address field and enter the Address information
     - Use either the IP or DNS address for the server
     - default port is 636 for SSL encryption
8. Click Ok when the Address information is complete
9. Leave User Authentication Method as Bind
10. Click the Select Post Offices button, add the Post Office being configured to the Selected Post Offices list on the left, and click Close when completed
11. Click the OK button to complete the LDAP Server setup
12. Click the Close button to close the Configure LDAP Servers dialog

Post Office SSL LDAP configuration:

1. In ConsoleOne, select Properties of the Post Office object
2. On the GroupWise tab, select the drop-down and select the Security tab
3. Set Security Level to High
4. In High Security Options, check LDAP Authentication
5. Enter an LDAP Username and Password
    - this is optional but strongly recommended
    - using this will increase performance where the LDAP server is on a different server than the POA
    - this is a proxy user that should be set up for GroupWise use only; give it no more than the directory read rights it needs, because its credentials are stored with the Post Office configuration
    - if this is used, each user's LDAP Authentication field does not need to be set individually (see Configuring Each User for LDAP Authentication below)
6. Click OK to complete the Post Office LDAP configuration

Unload and restart the POA and MTA when all of the above configuration has been completed.

Configuring Each User for LDAP Authentication

The following steps are needed only if the LDAP Username and Password are not configured on the Post Office (step 5 of Post Office SSL LDAP configuration above)

1. In ConsoleOne select properties for the User object
2. Select the GroupWise tab
3. In the LDAP Authentication field, specify the user's Active Directory login name, e.g. user@adserver.com
4. Click the OK button to complete the User LDAP Authentication configuration

NOTE: The only way to populate this field on a large scale is via DirXML.  GWPORT32.exe does not work, because this field is not available to it.
Thus if hundreds of users need to be updated, their values will have to be entered manually or via a DirXML driver.


note

Testing that the configuration is working correctly:

1. Set up a user in Active Directory using AD Users and Computers
2. Set a password for the user you will use to log in to GroupWise with
3. Set the POA log level to Verbose and watch the log screen when you log in with the GroupWise client
    - on a successful login the log shows the POA authenticating the user to the Active Directory server over SSL
4. Launch the GroupWise client and point it at the IP address or DNS name of the POA server
5. Enter the username and password you set up in steps 1 and 2
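The check below is an added example; it is not part of this TID and not GroupWise code. It reproduces, from a workstation, what the POA does once the LDAP Server (Use SSL, port 636, SSL Key File) and Post Office settings above are in place: open a TLS connection to the domain controller on port 636, accept only a server certificate that chains to the CA certificate downloaded from http://caname/certsrv, and send one LDAPv3 simple bind. The host name dc1.adserver.com, the file GWCERT.CER, the user user1@adserver.com and the password are placeholders, and the two BindResponse byte strings in the comments are constructed for illustration.

```python
"""LDAPS bind probe for the GroupWise-to-Active-Directory setup (added example).
TLS to the DC on 636, chain verified against the downloaded CA .CER, then one
LDAPv3 simple bind encoded by hand so no third-party LDAP library is needed.
Host, file and credential values are placeholders."""
import base64
import socket
import ssl


def der_to_pem(der_bytes: bytes) -> str:
    """Wrap a DER certificate (the .CER saved from certsrv) as PEM, for tools
    such as openssl s_client that will not read DER directly."""
    b64 = base64.b64encode(der_bytes).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"


# --- minimal BER: LDAP messages (RFC 4511) are BER-encoded ASN.1 --------------
def _ber_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _int(tag: int, n: int) -> bytes:
    # minimal two's-complement encoding; enough for the non-negative values used here
    return _tlv(tag, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def _read(buf: bytes, pos: int):
    """Read one TLV at pos; return (tag, value, position after it)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length


def bind_request(message_id: int, name: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }.
    Active Directory accepts a UPN such as user1@adserver.com as the bind name."""
    bind = _tlv(0x60,                                   # [APPLICATION 0] BindRequest
                _int(0x02, 3)                           # version 3
                + _tlv(0x04, name.encode())             # LDAPDN / UPN
                + _tlv(0x80, password.encode()))        # [0] simple
    return _tlv(0x30, _int(0x02, message_id) + bind)


RESULT_NAMES = {0: "success", 7: "authMethodNotSupported", 8: "strongerAuthRequired",
                49: "invalidCredentials", 53: "unwillingToPerform"}


def result_name(code: int) -> str:
    return RESULT_NAMES.get(code, "resultCode %d" % code)


def parse_bind_response(data: bytes):
    """Return (messageID, resultCode, diagnosticMessage) from a BindResponse.
    Constructed examples: success is 30 0c 02 01 01 61 07 0a 01 00 04 00 04 00;
    a bad password from AD comes back as resultCode 49 with a diagnostic such as
    'data 52e' in the text."""
    tag, msg, _ = _read(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, p = _read(msg, 0)                           # messageID
    tag, resp, _ = _read(msg, p)
    if tag != 0x61:                                     # [APPLICATION 1] BindResponse
        raise ValueError("unexpected LDAP operation tag 0x%02x" % tag)
    _, code, p = _read(resp, 0)                         # ENUMERATED resultCode
    _, _matched_dn, p = _read(resp, p)                  # matchedDN (unused)
    _, diag, _ = _read(resp, p)                         # diagnosticMessage
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big"), diag.decode("utf-8", "replace")


def ldaps_bind_probe(host, ca_cert_file, name, password, port=636, server_hostname=None):
    """TLS + simple bind against host:port, trusting only the downloaded CA certificate."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)       # chain + host name verification on
    with open(ca_cert_file, "rb") as fh:
        ctx.load_verify_locations(cadata=fh.read())     # accepts the DER .CER as saved
    # If the GroupWise LDAP Server Address is an IP, pass the DC's FQDN as
    # server_hostname so the name check matches the subject of the issued cert.
    with socket.create_connection((host, port), timeout=10) as raw:
        with ctx.wrap_socket(raw, server_hostname=server_hostname or host) as tls:
            tls.sendall(bind_request(1, name, password))
            reply = tls.recv(4096)                      # a BindResponse fits in one read
    return parse_bind_response(reply)


if __name__ == "__main__":
    # Placeholder values. An ssl.SSLError here means the CA certificate, the
    # server certificate or the host name is wrong; an LDAP resultCode means
    # the SSL side is fine and only the bind name or password needs attention.
    mid, code, diag = ldaps_bind_probe("dc1.adserver.com", "GWCERT.CER",
                                       "user1@adserver.com", "password")
    print(mid, result_name(code), diag)
```

Run it from the POA server with the same .CER file the POA is pointed at. A TLS failure is the class of problem the symptom section above ties to the SSL Key File (204 LDAP Error: 65535); resultCode 49 means the certificate chain is good and the credentials or bind name are at fault. A Windows 2000 domain controller only offers SSL 3.0 and TLS 1.0, which current OpenSSL builds refuse by default, so against such a DC you may additionally have to set ctx.minimum_version = ssl.TLSVersion.TLSv1 and ctx.set_ciphers("DEFAULT:@SECLEVEL=0") in ldaps_bind_probe; do that only for the diagnostic, not for anything you leave running.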

The following describes the environment used to test and validate this configuration

- GroupWise 6.5.1 POA on Windows 2000 member server part of the Active Directory domain (no eDirectory installed on this server)
- GroupWise 6.5.1 32 bit Client
- Separate Windows 2000 server or NetWare server with eDirectory 8.7.x and latest ConsoleOne and GroupWise snapins
- Active Directory Domain Controller running Windows 2000 server as the Certificate Authority in either Standalone Root or Enterprise CA Mode

A second option for protecting GroupWise LDAP authentication to Active Directory is to encrypt the traffic between the POA and the domain controller with the IPsec security options in Windows 2000 instead of SSL.

document

Document Title: GroupWise SSL LDAP Authentication to Active Directory using Microsoft's Certificate Authority
Document ID: 10093111
Solution ID: NOVL97208
Creation Date: 01Jun2004
Modified Date: 27Feb2006
Novell Product Class:GroupWise Client/Admin

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.