KB13041: How to configure LDAP connectivity using SSL authentication with MicroStrategy Intelligence Server on Windows Operating Systems


Community Admin

Strategy Intelligence Server 9.x and newer supports connecting to LDAP servers other than Active Directory with SSL authentication using the Microsoft Active Directory SDK. To set up Strategy Intelligence Server 9.x to connect to the directory server, follow the steps below:
 

  • The user needs to use a local account or a domain account to run Strategy Intelligence Server 9.x and newer. SSL authentication will not work with Strategy Intelligence Server 9.x and newer running as a Local System account because of environment issues associated with accessing the certificate store.
  • Log into the Server Machine with this account and open Internet Explorer.
  • Point the browser at https://ldapservername:sslportnumber (by default, the port number for SSL should be 636).
  • The user may be prompted with a message warning that they are about to enter a secure site. Click OK to continue.
  • The user may now also be prompted with a warning that the certificate for the site about to be viewed is not trusted or known.
  • Click 'Yes' to continue. The user is now prompted with a security alert. If no prompt is presented, the certificate may have already been installed and the user should skip to step 5 to verify that it is installed correctly.
  • Click on 'View Certificate' to continue. Information about the certificate will be presented in the dialog box. Make note of the 'Issued To' and 'Issued By' fields. These identify the fully qualified name of the server for which the certificate is issued and the name of the Certificate Authority (CA) that signed and issued the certificate.
  • Click on 'Install Certificate' and follow the steps below to import the certificate for the LDAP server into the Internet Explorer certificate store. Click on 'Next' to continue with the import of the certificate.
  • The default selection, 'Automatically select the certificate store based on the type of certificate', should be used.
  • Click on 'Finish' to complete the import of the certificate.
  • Open the Internet Explorer Internet Options dialog box from the Tools menu, navigate to Content -> Certificates, and find the newly imported certificate.
  • Check whether the certificate obtained from the LDAP server is a trusted certificate by selecting the certificate and clicking on 'View'. If it is not, the user must check whether the certificate is signed by a (known) trusted Certificate Authority. If the server certificate was not signed by a trusted CA, the user must additionally obtain and import the CA certificate. Contact the LDAP administrator for the details of how to obtain the CA certificate.
  • After installing the CA certificate, the server certificate should appear as shown below:
[Screenshot: server certificate dialog after the CA certificate is installed]
  • Go to the Strategy Service Manager and change the Strategy Intelligence Server options so that it runs under the same account that the user is currently logged on as and that was used to import the LDAP server certificate.
  • Restart Strategy Intelligence Server. Log in and configure the server for LDAP authentication using Strategy Developer. The user will notice that there is no way to specify the Server Certificate file when the Microsoft Active Directory SDK (WLdap32.dll) is used. This is by design; the server knows where the certificate store is located and does not need user input.
  • In the LDAP -> General screen, ensure that the host name matches the server name specified for the certificate in the 'Issued To' field. To make an SSL LDAP connection from a Microsoft Windows Server, the full name of the LDAP server is required while configuring Strategy Intelligence Server 9.x and it should match the one specified in the 'Issued To' field in the imported certificate. A short LDAP server name could be used only if the Strategy Intelligence Server 9.x machine can ping the LDAP server and the full LDAP server network name matches the name in the certificate. If these two requirements are not met, the user must do the following:
    • Add the IP address mapping with the full LDAP server network name into the hosts file in \System32\drivers\etc
    • Use the full LDAP server network name in the LDAP configuration window
  • The user can now configure the settings in LDAP -> Configuration and should be able to test and verify that LDAP connectivity works correctly.
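
The checks made by hand in the steps above ('Issued To' matching the configured host name, a trusted issuing CA, and the certificate store of the service account) can also be run from PowerShell. This is an added example, not part of the original article or of Strategy's tooling; the host name `ldap01.example.com` is a placeholder, and the script is assumed to be run in a session started as the account that runs Intelligence Server.

```powershell
# Added example (not from the original article). Run it as the account that runs
# Intelligence Server, so the same certificate stores are consulted.
$LdapHost = 'ldap01.example.com'   # placeholder: use the host name entered in LDAP -> General
$Port     = 636                    # default LDAPS port named in the article

$script:PolicyErrors = $null
$script:ServerCert   = $null

# The callback records what the platform found and lets the handshake finish, so the
# certificate can be inspected even when it is untrusted. Nothing is sent after the handshake.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($s, $certificate, $chain, $errors)
    $script:PolicyErrors = $errors
    $script:ServerCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
    $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($LdapHost, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    try { $ssl.AuthenticateAsClient($LdapHost) } finally { $ssl.Dispose() }
} finally {
    $tcp.Close()
}

# Report the fields the article asks the user to note, plus the two validation results.
$flags = [System.Net.Security.SslPolicyErrors]
[pscustomobject]@{
    ConfiguredHost  = $LdapHost
    IssuedTo        = $script:ServerCert.GetNameInfo('SimpleName', $false)
    IssuedBy        = $script:ServerCert.GetNameInfo('SimpleName', $true)
    Thumbprint      = $script:ServerCert.Thumbprint
    NotAfter        = $script:ServerCert.NotAfter
    NameMatchesHost = -not $script:PolicyErrors.HasFlag($flags::RemoteCertificateNameMismatch)
    ChainTrusted    = -not $script:PolicyErrors.HasFlag($flags::RemoteCertificateChainErrors)
} | Format-List
```

`NameMatchesHost` corresponds to the 'Issued To' requirement in the LDAP -> General step and `ChainTrusted` to the trusted CA check. The thumbprint can be compared with the value the LDAP administrator supplies for the server certificate.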

Published: May 10, 2017

Last Updated: August 12, 2024