Introduction
The Symantec Workspace Streaming 6.1 product has been designed to be flexible, scalable, and secure. One of the security options for Symantec Workspace Streaming is to allow the Streamlet Engine to access Domain Controllers that use SSL to communicate with LDAP on the Domain Controller.
A couple of checks to see whether your Domain Controller might require SSL communication: Domain Security Settings -> Local Policies -> Security Options -> Domain Controller: LDAP server signing requirements.
Additionally, you can check the registry value HKLM\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity. This is not an exhaustive list, so please check with your Domain Administrator as well.
The Symantec Workspace Streaming product does not use the Windows APIs for LDAP queries. The Java toolset is seen as less secure and therefore requires SSL to become trusted.
When you encounter this scenario, there are some very specific installation and configuration steps that should be followed to ensure that the Streamlet Engine will access the Domain Controller correctly.
Important: If you are trying to use the User Data Source Configuration Wizard, you must select Symantec Workspace Streaming local data source. You cannot select Active Directory or LDAP-Compliant even though that is what we will end up with at the end of this process.
If you would like to work through these steps in a lab environment, there is a very helpful Knowledge Base article available at http://support.microsoft.com/default.aspx/kb/931351 that will explain how to add a certificate to your Domain Controller to enable SSL communication.
One item that is not covered in the KB article is that you must go to the Certificate Authority where you submitted the Web based request and approve the pending request.
Before Starting the Symantec Workspace Streaming Installation
If you know that the Domain Controller requires LDAP over SSL you are a step ahead. If you are uncertain whether or not the Controller requires SSL, you should use the LDP.EXE tool available at www.microsoft.com/downloads/details.aspx.
Once you have LDP.EXE downloaded and extracted, double-click on it to start the application. Click on the Connection menu option. You will get a Connect screen. Fill in the server name of the Domain Controller, change the port to 636 and select the SSL check box. It should look like the following, with the exception of the server name, which will be the name of your Domain Controller.

You will then click on the Connection menu option and click on Bind. This is where you put the credentials. This is the name you should be using to set up Symantec Workspace Streaming. The screen should look like the following.

You are now bound to your Domain controller. Click on the View menu option and select Tree View. You will be asked for the BaseDN, which will look something like this.

The left pane of the LDP.EXE will now have the BaseDN, with a plus (+) box. If you click on that box you should get a view of your domain. If you have a screen that looks like the following, you know that you are using SSL to connect to the Domain controller.

Determining the Certificate Required to Upload to the Streaming Server
To determine the certificate that is required for upload to the Streaming Server you will need access to the Domain Controller you are attempting to connect to. Once you are on that server you will need to load the Certificates Add-in to the Microsoft Management Console. Once you click Add you will be prompted for the store you want to access. Pick the Computer Account store.

Open the Personal folder and then the Certificates folder. This will contain the certificate required for upload to the Streaming Server. If there is more than one certificate in this folder you will need to contact the Domain Administrator to determine the correct certificate.

Now that you have identified the required certificate, right-click on it, go to All Tasks and select Export. This will bring up the Export Wizard. You don’t have the option of exporting the private key, and it is not required. Use the default DER encoded binary X.509 (.CER). You now have the certificate you need to import into the Streaming Server. Copy it to a location you can access from that server.
Configuring Symantec Workspace Streaming – LDAP Settings
After you install Symantec Workspace Streaming you will be presented with the Configure User Datasource Wizard. You must select Symantec Workspace Streaming local data source. You cannot select Active Directory or LDAP-Compliant even though that is what we will end up with at the end of this process. After the configuration is complete, log on to the Streaming Server Console. Navigate to the Streamlet Engine Configuration link. Click on the LDAP button. You will be presented with the following screen (you need to navigate to the bottom of the screen).

Click on the uploaded LDAP server certificate link. You will be prompted to browse to the exported certificate file from the previous step.
Once you have uploaded the certificate, navigate to the Streamlet Engine LDAP configuration screen. You need to click the Use SSL to connect to LDAP server check box. You need to manually set the server. It will be the server name used with the LDP.EXE tool. Be consistent when entering the server name: if you used the FQDN in LDP.EXE, use it when configuring SWS. The port will be the same as used in LDP.EXE and it will probably be the default port 636. Use the same username and password that you used with the LDP.EXE tool. Set the Search Base to the BaseDN that you used in the LDP.EXE tool. Make sure to update the following:
User Search Filter: (&(objectCategory=person)(sAMAccountName=*))
Group Search Filter: (&(objectCategory=group)(sAMAccountName=*)(groupType<=0))
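The two filters above are easy to copy but the (groupType<=0) clause is not obvious: Active Directory stores groupType as a signed 32-bit integer whose top bit is the "security enabled" flag, so security groups have negative values and distribution groups do not. The following is an added example, not code from the article or the product, that evaluates both filters over a small constructed directory (entry names and values are invented) to show exactly what each one selects.

```python
import re

# AD stores groupType as a signed 32-bit integer. Bit 31 (0x80000000) is the
# "security enabled" flag, so every security group has a negative groupType,
# which is what (groupType<=0) relies on to exclude distribution groups.
def to_signed32(value: int) -> int:
    """Reinterpret an unsigned 32-bit flag word the way AD stores groupType."""
    value &= 0xFFFFFFFF
    return value - 0x100000000 if value & 0x80000000 else value

_CLAUSE = re.compile(r"\(([A-Za-z]+)(<=|=)([^()]*)\)")

def parse_and_filter(text: str):
    """Parse (&(attr=value)(attr<=value)...) into (attr, op, value) clauses.
    Deliberately a small subset of RFC 4515: enough for the article's filters."""
    if not (text.startswith("(&") and text.endswith(")")):
        raise ValueError("only (&...) filters are supported: " + text)
    body = text[2:-1]
    clauses = _CLAUSE.findall(body)
    if "".join(f"({a}{o}{v})" for a, o, v in clauses) != body:
        raise ValueError("unsupported filter syntax: " + text)
    return clauses

def matches(entry: dict, clauses) -> bool:
    """True when the entry satisfies every clause (AND semantics)."""
    for attr, op, value in clauses:
        actual = entry.get(attr)
        if actual is None:          # an absent attribute never matches
            return False
        if op == "=":               # "*" is a presence test; AD matching is case-insensitive
            if value != "*" and str(actual).lower() != value.lower():
                return False
        elif op == "<=" and not int(actual) <= int(value):
            return False
    return True

USER_FILTER = "(&(objectCategory=person)(sAMAccountName=*))"
GROUP_FILTER = "(&(objectCategory=group)(sAMAccountName=*)(groupType<=0))"

# Constructed sample directory (not real data). objectCategory is shortened to
# its display name; a real DC stores the schema DN but matches the same way.
ENTRIES = [
    {"dn": "CN=Alice,OU=Staff,DC=example,DC=local", "objectCategory": "person",
     "sAMAccountName": "alice"},
    {"dn": "CN=Bob,OU=Contacts,DC=example,DC=local", "objectCategory": "person"},  # contact, no account
    {"dn": "CN=Admins,CN=Users,DC=example,DC=local", "objectCategory": "group",
     "sAMAccountName": "Admins", "groupType": to_signed32(0x80000002)},  # global security group
    {"dn": "CN=News,CN=Users,DC=example,DC=local", "objectCategory": "group",
     "sAMAccountName": "News", "groupType": to_signed32(0x00000002)},    # global distribution group
]

def search(filter_text: str, entries=ENTRIES):
    """Return the DNs of the entries that satisfy the filter."""
    clauses = parse_and_filter(filter_text)
    return [e["dn"] for e in entries if matches(e, clauses)]
```

Running search(GROUP_FILTER) returns only the security group, which is the behaviour you want when group membership is going to drive access to streamed applications.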
Configuring Symantec Workspace Streaming – Basic Settings
Once you have your certificate in place there is a final configuration change that needs to be made. Go to Configuration -> Streaming Engine and click the Basic button. You will need to change the User Data Source from SQL to LDAP.

Once you have done this, you should either reboot your server or restart the AWE services.
Comments
Manually Adding Certificate
One of the System Engineers in the Symantec Endpoint Virtualization group ran across a time where he needed to install the certificate manually from the command line. If you ever need to use the command line tool to add the certificate to the store, use the following:
Important - You must actually be in the directory with the KeyTool.EXE executable
Change directory to %ProgramFiles%\Altiris\StreamingServer\common\<jdk version>\bin. Run the commands:
keytool -import -keystore cacerts -alias SomeAlias -file <serverCertificate.cer>
keytool -import -keystore stscerts -alias STSAlias -file <serverCertificate.cer>
where <jdk version> is the Java version distributed with the product, and <serverCertificate.cer> is the certificate you found earlier in this document.
Hope this helps.