AD LDS service account as local admin to allow SSL connection?

Solution 1

Building off of Ryan Ries's answer, here is how I solved the issue without making "domain\adldssrvc" an admin account:

Give service account permissions to Local Computer certificates

Open the certificate store by running mmc and adding the Certificate snap-in for the local computer.

Certificate store

Right-click the certificate in Certificates (Local Computer)\Personal\Certificates\ and select All Tasks\Manage Private Keys.

Context Menu for Certificate

This pulls up a normal-looking permissions screen. Just add the appropriate user and give it full control of these private keys.

Permissions for Private Keys

Remember to reset the LDS service after making this change! (services.msc)
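The GUI steps above can also be scripted. The following is an added example, not part of the original answer: it locates the private key file behind a certificate in the Local Computer\Personal store and adds an ACL entry for the service account. It assumes an RSA key and defaults to Read on the assumption that read access is enough for the service to use the key (pass `-Rights FullControl` to match the answer); the thumbprint and service name in the usage comments are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example. Function name and parameters are hypothetical, not from the original answer.
function Grant-CertPrivateKeyAccess {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,   # thumbprint of the certificate to use for LDAPS
        [Parameter(Mandatory)] [string] $Account,      # e.g. 'domain\adldssrvc' or 'NETWORK SERVICE'
        [ValidateSet('Read', 'FullControl')] [string] $Rights = 'Read'
    )

    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint" -ErrorAction Stop
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key." }

    # Resolve the key container name; CNG and legacy CSP keys expose it differently.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($null -eq $rsa) { throw "Certificate $Thumbprint does not have an RSA private key." }
    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
    } else {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    }

    # Machine keys live in one of two directories depending on the key provider.
    $keyFile = 'RSA\MachineKeys', 'Keys' |
        ForEach-Object { Join-Path "$env:ProgramData\Microsoft\Crypto\$_" $name } |
        Where-Object { Test-Path -LiteralPath $_ } |
        Select-Object -First 1
    if (-not $keyFile) { throw "Private key file for $Thumbprint not found." }

    # Add an allow rule for the service account, leaving existing entries in place.
    $acl  = Get-Acl -LiteralPath $keyFile
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, $Rights, 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -LiteralPath $keyFile -AclObject $acl

    # Return the resulting entries so the change can be reviewed.
    (Get-Acl -LiteralPath $keyFile).Access |
        Select-Object IdentityReference, FileSystemRights, AccessControlType
}

# Usage (placeholder values, replace before running):
#   Grant-CertPrivateKeyAccess -Thumbprint '<CERT_THUMBPRINT>' -Account 'domain\adldssrvc'
#   Restart-Service -Name '<ADLDS_INSTANCE_SERVICE_NAME>'
#   (Test-NetConnection -ComputerName localhost -Port 636).TcpTestSucceeded
```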

Solution 2

This sounds to me like a case of the AD LDS service not being able to access the certificate it needs to set up LDAPS, when you set AD LDS to use a service account that does not have permissions to use the Local Machine\Personal certificate store.

From a Microsoft KB:

For AD LDS, put certificates into the Personal certificate store for the service that corresponds to the AD LDS instance instead of for the NTDS service.

So use MMC and add the certificates snap-in. Choose "Service Account" as the certificate store to view and choose the AD LDS service installed on that computer. Your SSL certificate needs to be installed there.

Author: user6118986

Updated on September 18, 2022

Comments

  • user6118986
    user6118986 almost 2 years

    Have frame data in the form of a byte[][] object, where each row corresponds to a (R,G,B) channel and is of length (frame width*frame height). I wish to convert it to a byte[] format in a similar vein as follows:

    byte[][] original_frame;
    byte[] converted_frame = convert(original_frame);
    ByteArrayInputStream bis = new ByteArrayInputStream(converted_frame);
    BufferedImage bImage2 = ImageIO.read(bis);
    

    From what I can tell, ImageIO assumes a jpeg format. Do I need to convert every frame to a JPEG image, or is there a more natural way to do this?

    • Harris Mirza
      Harris Mirza over 4 years
      ImageIO is meant to load in files, if you need a BufferedImage from a byte array, you can create a WritableRaster and then convert that to a BufferedImage
  • bgStack15
    bgStack15 about 10 years
    Thanks for the quick reply! I've never been in this MMC snapin before, and I never generated or installed any certificates at all, so what certificate do I use? I exported the one (built-in?) from "Local computer\Personal\Certificates\" and imported it to "ADAM_lds01\Personal\Certificates" and restarted the service, but that didn't enable 636.
  • Robert Deml
    Robert Deml almost 4 years
    This worked for me, but I had to substitute "NETWORK SERVICE" for the ADLDS Service. In netstat, I found that the AD LDS Service was being run with the name dsamain.exe. Then in Task Manager I found that dsamain.exe was run as the NETWORK SERVICE User name.