Question

Directory Services Requires SSL Certificate - Social BPM Displays Certificate Error

asked on October 13, 2014

This weekend we had the opportunity to deploy the new Directory Services as well as Social BPM. Since Social BPM appears to currently be the only module requiring authentication through Directory Services, I think it might be the only module affected by this issue.

For this install, we used Server 2012 with IIS 8.

It was very quickly apparent that Directory Services requires an SSL certificate to function. If I am wrong in this regard, please let me know; however, the whitepaper and the install wizard both pointed in this direction. I found that the best way to deploy this is to first create a PERSONAL (not Web Host) Self-Signed certificate on IIS and bind it to the Default Website's 443 port. Then, while installing the software it automatically detects the certificate we created and uses it.

We had no serious problems importing our version 8 licensing database. We reissued our various server licenses and were good to go.

On Friday evening I went ahead and installed Social BPM. Social BPM is installed on the same server as our Laserfiche Application server, but is on a different server from Directory Services. The self-signed certificate for Directory Services is installed in the Trusted Root section of the Application server's service-account's certificate manager.

When we navigate to http://servername/SocialBPM we are first presented with a certificate error. I am assuming that the Login section of the page is coming from the License Manager server, while the rest of the page is loading from the actual server name. Because the License Manager server's Self-Signed certificate is not deployed network-wide, we will presumably continue to get this error.

Is it intended that anyone deploying Directory Services at some point deploy a certificate for LFDS to all workstations on the network? If so, what is Laserfiche's best practice for creating and deploying such an internal certificate? Are Self-Signed server certificates the way to go, or is there a Microsoft or Laserfiche white paper describing deployment of some other best practice standard?

0 0

Answer

SELECTED ANSWER
replied on October 29, 2014

Sorry for the late reply.

Yes, you want to deploy the self-signed certificate through group policies to the trusted root certification authorities on the client machines. Note that this will remove the warning about the self-signed certificate in Internet Explorer and Chrome. Firefox keeps its own certificate store.

2 0
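A client-side check for the deployment described in the answer above, as an added example that is not part of the original post or of Laserfiche's documentation: it reports whether the certificate the Directory Services host presents is in the workstation's Trusted Root store and whether Windows validates it for the host name in use. The host name `lfds.example.internal` and the variable names are assumptions; substitute the name browsers actually connect to.

```powershell
# Added example: run on a workstation after the group policy has applied.
param(
    [string]$LfdsHost = 'lfds.example.internal',   # placeholder host name (assumption)
    [int]$Port = 443
)

$script:policyErrors = $null
$script:serverCert   = $null

# Record what Windows' own validation reports. The callback never overrides
# the verdict: the handshake still fails if the certificate is not valid.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($s, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    if ($certificate) {
        $script:serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
    }
    return ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
}

$tcp = New-Object System.Net.Sockets.TcpClient($LfdsHost, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try     { $ssl.AuthenticateAsClient($LfdsHost) }
    catch   { }                       # failure reason is already in $policyErrors
    finally { $ssl.Dispose() }
}
finally { $tcp.Close() }

# Is the presented certificate in the machine's Trusted Root store?
# (Certificates pushed by group policy appear in this logical store.)
$thumb  = if ($script:serverCert) { $script:serverCert.Thumbprint } else { $null }
$inRoot = [bool](Get-ChildItem Cert:\LocalMachine\Root |
                 Where-Object { $_.Thumbprint -eq $thumb })

# PolicyErrors interpretation:
#   None                           -> trusted and name matches; no browser warning expected
#   RemoteCertificateChainErrors   -> not trusted yet (InTrustedRoot is usually False)
#   RemoteCertificateNameMismatch  -> certificate subject does not match $LfdsHost;
#                                     deploying it to Trusted Root does not fix this
[pscustomobject]@{
    Host          = $LfdsHost
    Subject       = if ($script:serverCert) { $script:serverCert.Subject } else { $null }
    Thumbprint    = $thumb
    InTrustedRoot = $inRoot
    PolicyErrors  = $script:policyErrors
}
```

This reflects the Windows certificate store only; as the answer notes, Firefox keeps its own store and is not covered by this check.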

Replies

replied on October 13, 2014

We recommend using a real certificate.

1 0
replied on October 14, 2014

I assume you do not mean buy a certificate from Verisign or some other authority just to use inside our network. Is there some kind of Microsoft white paper that describes what you are thinking we should do?

0 0
replied on October 14, 2014

We are creating a group policy that will automatically deploy the Social BPM and LM-01 self-signed server certificates to all users. I believe this is the correct approach; please let me know if there is a better methodology.

0 0