AJS 4.x Manual

Note! This Manual is for the "Windows authentication" version, which is designed to work with existing Windows server or Active Directory accounts and Windows authentication. If you want to create accounts by yourself and store their credentials in your own HTTP Commander XML database, you need to download the "Forms authentication" version! This Manual is for the Windows authentication version only!

Web file manager Free Installation assistance Manual Home page

Novell eDirectory integration

HTTP Commander may use Novell eDirectory directory service for authentication. In Novell eDirectory mode, you use eDirectory users to log into HTTP Commander. You may use group membership to assign folders. HTTP Commander does not impersonate eDirectory users, all requests are processed in the context of application pool account, as it normally works in Form-based web applications.

Limitation HTTP Commander uses isolated user name to identify users. It does not distinguish users having the same name but residing in different containers in directory tree. For example, users with the following distinguished names are identical for application: cn=user1,O=ELEMIT and cn=user1,ou=OU1,O=ELEMIT.

Configuring HTTP Commander for Novell eDirectory mode

• Set Main/Version="st".
• Set NovellEDirectory/EDirectory="true".

• Set NovellEDirectory/EDirectoryBindUserDN parameter to a distinguished name of the user that will be used to read information from eDirectory.

  Note EDirectoryBindUserDN must be an LDAP Distinguished Name, like cn=user1,O=ELEMIT (in Novell documentation it's called a typeful name), typeless DN, like user1.ELEMIT will not work here.

• Set NovellEDirectory/EDirectoryBindUserPassword parameter to password of the user you've specified in EDirectoryBindUserDN parameter.
• Set ActiveDirectory/LDAPContainer parameter to ldap path of the eDirectory server. It should have a value like "LDAP://{server-name}". Here "server-name" in the name of the eDirectory server. It may be DNS name, IP address, NetBIOS name. See more details below.

Ldap path

Ldap path structure: LDAP://<server>/<context>.

Examples: "LDAP://10.10.10.141", "LDAP://10.10.10.141:636", "LDAP://dep.server.com/ou=cinci,o=KPOrg".

Ldap path must start with "LDAP://". Any other variants are invalid. For example, "ldap://", "ldaps://" are invalid. Do not append slash to Ldap path. "LDAP://10.10.10.141/" - is a invalid Ldap path.

By default, HTTP Commander use SSL/TLS protocol to connect to eDirectory. There is no option to change this now, that is you cannot disable SSL. The default port is 636, so you may omit the port number. For example, LDAPContainer may be "LDAP://10.10.10.141" or "LDAP://10.10.10.141:636". Since SSL is used, the server certificate must be valid from the Windows point of view.

That means

1. the current date in the range of the certificate valid interval
2. the certificate issuer is trusted
3. server part of Ldap part matches subject name of the certificate

If server certificate is invalid for whatever reason, HTTP Commander refuses to establish connection to the server.

If your server certificate is self-signed, the certificate issuer is not trusted. You need to import the certificate into "Trusted Root Certification Authorities" sub-store of the "local machine" certificate store, on the machine where HTTP Commander is running.

Ldap path may end with server name, like "LDAP://{ip-address}". You may specify a particular container in eDirectory, for example, ou=cinci,o=KPOrg, to restrict search scope. Append DN of the container after server name, like "LDAP://{DNS or IP or NetBIOS}/ou=cinci,o=KPOrg". We suggest to use an LDAP browser to find the exact spelling of the context part. In eDirectory the top level object normally has type Organization, hence naming context includes "o=".

testEDirectory project

Assigning correct value to LDAPContainer parameter may be tricky. To help with troubleshooting eDirectory binding issues, we developed a small project named testEDirectory. You do not need to have Visual Studio 2008 to use it, but Visual Studio simplifies troubleshooting a little bit.

Unpack testEDirectory on the Web server and convert it to application with IIS manager. For example, you may unpack the project into c:\inetpub\wwwroot\testEDirectory. Then open IIS manager, find the testEDirectory folder under Default Web Site node, right-click the folder and select "Convert to application". Enable anonymous authentication for the application. Other authentication types will do to, the anonymous authentication is better simply because it does not require for you to under credentials - simplifying troubleshooting.

Open testEDirectory\App_Code\EDirectory.cs in a text editor. You need to assign three variables in this file, namely LDAPContainer, EDirectoryBindUserDN, EDirectoryBindUserPassword. They have the same meaning as in HTTP Commander.

Open the web application page in web browser, for example, you may open URL: http://localhost/testEDirectory/

If connection to eDirectory server succeeds, you'll see a list of user DNs on the page. Otherwise you'll get an exception.

Unfortunately, the exception normally is too general, it does not explain what exactly went wrong. You normally get "COMException (0x8007203a): Server not operational." error. The only conclusion we can draw from this error is that the bind operation failed.

Step 1. SSL-less bind

To simplify troubleshooting process, let's get rid of SSL for a while. We start with a simple clear text bind to eDirectory. In this case user password will be sent unencrypted over network. That is OK for testing purpose, but should not be used in enterprise environment. Once simple bind to eDirectory succeeds, we may proceed to troubleshoot SSL bind.

Follow the instructions below to test simple bind to eDirectory.

1. Configure eDirectory to accept clear text passwords. (The steps below are for Novell ConsoleOne)
   • find 'LDAP Group' object, open it property
   • on the 'Other' tab set 'LDAP Allow Clear Text Password' attribute to 'true'
   • restart LDAP service for changes to take effect

2. Changes in testEDirectory project

   In the testEDirectory project, in EDirectory.cs file change the last parameter of the DirectoryEntry constructor: AuthenticationTypes.SecureSocketsLayer -> AuthenticationTypes.None.

   • AuthenticationTypes.SecureSocketsLayer - SSL binding
   • AuthenticationTypes.None - simple binding

   You do not need to change anything else in the project. Updating the last parameter of the DirectoryEntry constructor is the only change required to switch between SSL and simple bind.

   Now try to open the the Default.aspx page. If you see a list of users, then the problem is related to SSL. Otherwise inspect the LDAPContainer, EDirectoryBindUserDN, EDirectoryBindUserPassword parameters.

   Note We suggest to start testing without naming context, like LDAPContainer="LDAP://10.10.10.141", then append context like "LDAP://10.10.10.141/o=cspo,ou=usa_sti".

   More on SSL In my test environment the certificate is bound to machine NetBIOS name. I may connect to the eDirectory server only when LDAPContainer is set to 'LDAP://{NetBIOS name}'. If LDAPContainer is set to 'LDAP://{ip address}', connection fails with 'The Server is not operational' error.

Step 2. SSL bind

As soon as simple bind succeeds, you may proceed with SSL bind.

Restore the original setting in EDirectory.cs (you changed it when you test simple bind in the previous step). In the testEDirectory project, in EDirectory.cs file change the last parameter of the DirectoryEntry constructor: AuthenticationTypes.None -> AuthenticationTypes.SecureSocketsLayer.

Note The steps bellow are for Novell ConsoleOne

What certificate is used by eDirectory

• find 'LDAP Server' object
• open Properties, 'Other' tab
• find 'LDAP:keyMaterialName' attribute. It contains the name of the effective certificate object. The name of the Certificate object in eDirectory that is associated with this LDAP server and will be used for SSL LDAP connections.
• remember this name. You'll need to find the certificate object in eDirectory later.

Verify certificate

• find the certificate object that is used by LDAP server
• open it properties, Certificates tab
• in the tab title menu select 'Trusted Root Certificate' or 'Public Key Certificate'. You need verify both certificates.
• Click 'Validate' button
• make sure that certificate status is 'valid'

Certificate subject name

Certificate subject name must match the server name part of Ldap path you use to connect to eDirectory (that may be DNS, NetBIOS name or IP address).

Where to find the certificate subject name

• find the certificate object that is used by LDAP server
• open it properties, Certificates tab
• in the tab title menu select 'Public Key Certificate'
• see the Subject name field

In my case subject name is 'O=ELEMIT.CN=kub-win2003ent'¹. Then LDAPContainer must be "LDAP://kub-win2003ent". You may append context to the LDAPContainer like "LDAP://kub-win2003ent/o=ELEMIT", but the server part cannot be changed. You cannot replace it with IP address or alternative server name, it must be 'kub-win2003ent'.

Subject name may be based on IP address, like 'O=ELEMIT.CN=10.10.1.200'¹, in this case LDAPContainer must be "LDAP://10.10.1.200/...". A certificate may include a number of alternative subject names. That gives you some freedom of selecting server name in Ldap path. Unfortunately, Novell ConsoleOne does not show alternative subject names, you need to export certificate and use an external tool to inspect this field.

Note 1 Novell ConsoleOne uses dot to separate elements of DN, while naming context in Ldap path uses comma for the same purpose.

Export certificate

• find the certificate object that is used by LDAP server
• open it properties, Certificates tab
• in the tab title menu select 'Trusted Root Certificate' or 'Public Key Certificate'. You need export both certificates. Export root certificate first, then public key certificate.
• click export button
• do not export private key
• select der format
• We got two der files: one for 'Trusted Root Certificate' and one for 'Public Key Certificate'.

Note 'Trusted Root Certificate' is the issuer of the 'Public Key Certificate'. You need to import the 'Trusted Root Certificate' into the HttpCommander machine. 'Public Key Certificate' - this certificate will be used in SSL connection to eDirectory.

Import the certificate to the HTTP Commander machine

You need to import the 'Trusted Root Certificate' certificate to the machine where HTTP Commander (or testEdirectory application) is running.

Note If your certificate is issued by VeriSign, Thawte, or other well-known authority, that already present in the "Trusted Root Certification Authorities" list, you may skip this step.

• copy the .der file for 'Trusted Root Certificate' certificate on the HTTP Commander machine

• open mmc

  On Windows Vista

  • Windows start button, Run, type mmc, click OK

  On Windows 7

  • Windows start button
  • in the "Search programs and files" field type mmc
  • right-click mmc.exe and click "Run as administrator"
• Microsoft Management Console window appears

• main menu->file->Add/Remove Snap-in...

  On Windows Vista

  • "Add/Remove Snap-in" window appears

  • click Add button

    • in the "Add Standalone Snap-in" window select Certificates
    • click Add
      • "Certificates snap-in" window appears
      • select "Computer account"
      • click "next"
      • "Select computer" window appears
      • select "Local computer"
      • click "Finish"
    • in the "Add Standalone Snap-in" windows click "close"
  • in the "Add/Remove Snap-in" window click OK

  On Windows 7

  • "Add or Remove Snap-in" window appear

    • select Certificates in the "Available snap-ins" list
    • click Add button
      • "Certificates snap-in" window appears
      • select "Computer account"
      • click "next"
      • "Select computer" window appears
      • select "Local computer"
      • click "Finish"
  • in the "Add or Remove Snap-in" window click OK

• in the left tree of the console window select

  • Trusted Root Certification Authorities/Certificates

• main menu->Action->All Tasks->Import

  On Windows Vista

  • click "next"
  • select .der file for 'Trusted Root Certificate' certificate
  • click "next"
  • select "Place all certificates in the following store", Certificate store: "Trusted Root Certification Authorities"
  • click "next"
  • click finish

  On Windows 7

  • select .der file for 'Trusted Root Certificate' certificate
  • click "next"
  • select "Place all certificates in the following store", Certificate store: "Trusted Root Certification Authorities"
  • click "next"
  • click finish
• now you should see an item named "Organizational CA" in the certificates list (the item may be named differently in your case)

We just imported the 'Trusted Root Certificate' certificate to 'Trusted Root Certification Authorities' for machine account. Now the machine account 'trusts' to certificates issued by this authorities, it trusts to 'Public Key Certificate' that is used in SSL connection to eDirectory.

Check 'Public Key Certificate' certificate

Note The steps bellow are for HTTP Commander machine

• open Windows Console (cmd.exe) or Windows PowerShell window
• execute the command "certutil -verify -urlfetch cert.file.der" Here cert.file.der is the 'Public Key Certificate'
• inspect command output

I add two examples of the certutil output. One before importing the "Trusted Root Certificate" and one after. Pay attention to the lines with 'dwErrorStatus'. CERT_TRUST_REVOCATION_STATUS_UNKNOWN is not a problem, AFAICS. I successfully connect to eDirectory despite this error. Note the line starting with 'ERROR: '.

For more details on interpreting the output of the command, see Troubleshooting LDAP Over SSL.

certutil output before importing "Trusted Root Certificate"

Issuer:
    O=ELEMIT
    OU=Organizational CA
Subject:
    CN=kub-win2003ent
    O=ELEMIT
Cert Serial Number: 021c11ffb276e4a8315bf2cc093c1061fea574408adc3971216eba6562e202020c13a4d4

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
ChainContext.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
ChainContext.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
SimpleChain.dwErrorStatus = CERT_TRUST_IS_PARTIAL_CHAIN (0x10000)

CertContext[0][0]: dwInfoStatus=2 dwErrorStatus=1000040
  Issuer: O=ELEMIT, OU=Organizational CA
  Subject: CN=kub-win2003ent, O=ELEMIT
  Serial: 021c11ffb276e4a8315bf2cc093c1061fea574408adc3971216eba6562e202020c13a4d4
  22 b7 58 1d d2 45 3d 02 f0 48 e5 54 3e cf 70 64 ce 50 20 c6
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  Element.dwErrorStatus = CERT_TRUST_IS_OFFLINE_REVOCATION (0x1000000)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  da 39 a3 ee 5e 6b 4b 0d 32 55 bf ef 95 60 18 90 af d8 07 09
Full chain:
  22 b7 58 1d d2 45 3d 02 f0 48 e5 54 3e cf 70 64 ce 50 20 c6
Missing Issuer: O=ELEMIT, OU=Organizational CA
  Issuer: O=ELEMIT, OU=Organizational CA
  Subject: CN=kub-win2003ent, O=ELEMIT
  Serial: 021c11ffb276e4a8315bf2cc093c1061fea574408adc3971216eba6562e202020c13a4d4
  22 b7 58 1d d2 45 3d 02 f0 48 e5 54 3e cf 70 64 ce 50 20 c6
A certificate chain could not be built to a trusted root authority. 0x800b010a (-2146762486)
------------------------------------
Incomplete certificate chain
Cannot find certificate:
    O=ELEMIT, OU=Organizational CA

ERROR: Verifying leaf certificate revocation status returned 
The revocation function was unable to check revocation because the revocation 
server was offline. 0x80092013 (-2146885613)
CertUtil: The revocation function was unable to check revocation because the 
revocation server was offline.

CertUtil: -verify command completed successfully.

certutil output after importing "Trusted Root Certificate"

Issuer:
    O=ELEMIT
    OU=Organizational CA
Subject:
    CN=kub-win2003ent
    O=ELEMIT
Cert Serial Number: 021c11ffb276e4a8315bf2cc093c1061fea574408adc3971216eba6562e202020c13a4d4

dwFlags = CA_VERIFY_FLAGS_DUMP_CHAIN (0x40000000)
ChainFlags = CERT_CHAIN_REVOCATION_CHECK_CHAIN_EXCLUDE_ROOT (0x40000000)
HCCE_LOCAL_MACHINE
CERT_CHAIN_POLICY_BASE
-------- CERT_CHAIN_CONTEXT --------
ChainContext.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
ChainContext.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

SimpleChain.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
SimpleChain.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)

CertContext[0][0]: dwInfoStatus=102 dwErrorStatus=40
  Issuer: O=ELEMIT, OU=Organizational CA
  Subject: CN=kub-win2003ent, O=ELEMIT
  Serial: 021c11ffb276e4a8315bf2cc093c1061fea574408adc3971216eba6562e202020c13a4d4
  22 b7 58 1d d2 45 3d 02 f0 48 e5 54 3e cf 70 64 ce 50 20 c6
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  Element.dwErrorStatus = CERT_TRUST_REVOCATION_STATUS_UNKNOWN (0x40)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  --------------------------------

CertContext[0][1]: dwInfoStatus=10a dwErrorStatus=0
  Issuer: O=ELEMIT, OU=Organizational CA
  Subject: O=ELEMIT, OU=Organizational CA
  Serial: 021c11ffb276e4a8315bf2cc093c1061fea574408adc3971216eba6562e202020105c6ef
  65 ef b8 67 12 11 0f c3 9d a9 76 af 6c da 33 68 48 b3 9b d4
  Element.dwInfoStatus = CERT_TRUST_HAS_KEY_MATCH_ISSUER (0x2)
  Element.dwInfoStatus = CERT_TRUST_IS_SELF_SIGNED (0x8)
  Element.dwInfoStatus = CERT_TRUST_HAS_PREFERRED_ISSUER (0x100)
  ----------------  Certificate AIA  ----------------
  No URLs "None" Time: 0
  ----------------  Certificate CDP  ----------------
  No URLs "None" Time: 0
  --------------------------------

Exclude leaf cert:
  22 b7 58 1d d2 45 3d 02 f0 48 e5 54 3e cf 70 64 ce 50 20 c6
Full chain:
  44 17 50 ad 42 43 d1 63 81 e5 11 7a 7f 81 e6 7b 17 82 da 7c
  Issuer: O=ELEMIT, OU=Organizational CA
  Subject: CN=kub-win2003ent, O=ELEMIT
  Serial: 021c11ffb276e4a8315bf2cc093c1061fea574408adc3971216eba6562e202020c13a4d4
  22 b7 58 1d d2 45 3d 02 f0 48 e5 54 3e cf 70 64 ce 50 20 c6
The revocation function was unable to check revocation for the certificate. 0x80092012 (-2146885614)
------------------------------------
Revocation check skipped -- no revocation information available
Cannot check leaf certificate revocation status
CertUtil: -verify command completed successfully.

How to restart LDAP service

See Refreshing the LDAP Server.

I do the following (I'm not sure this is the right way, but it works for me).

• Open Windows Control Panel, open 'Novell eDirectory Services'
• click Shutdown, then Startup

Note In my case Novell eDirectory is installed on Windows Server 2003.