AD SelfService Plus Configuration Notes

Download AD SelfService Plus here:

https://www.manageengine.com/products/self-service-password/download-free.html

The installation itself is pretty simple. If you are upgrading, download the patch from here:

https://www.manageengine.com/products/self-service-password/service-pack.html

1. Ports Needed for Firewall Rules:

Source IP: Domain Controller

Destination IP: AD Self Service Server IP

Port number: 389/636/88/445/25/135/464/137/138/139/1443/1434

Source IP: AD Self Service Server IP

Destination IP: Domain Controller

Port number: 389/636/88/445/25/135/464/137/138/139/1443/1434

Source IP: User Machine

Destination IP: AD Self Service Server IP

Port: 9251 (for HTTPS), 8888 (for HTTP)

2. Invalid Email-ID When Sending Out Email Expiry Notifications?

After testing, I found out that when sending a test email to the same domain from Exchange, it succeeds, but it fails when sending to users in another domain. The fix is just to use authentication on the SMTP server instead of anonymous authentication.

3. How to Set Up a Web Certificate for AD SelfService from an Internal CA?

3.1 Create an HTTPS web certificate for IIS

Here is an excellent guide on how to install one:

Manually creating a Certificate Request Windows Server 2012 Essentials (Essentials R2 & SBS 2011)

Once you have that certificate, apply it in IIS under "Edit Bindings".

After this step, the certificate for https://www.aaa.com:443 is in place.

3.2 Use IIS Redirect

Point https://www.aaa.com/ to https://www.aaa.com:9251 (the default AD SelfService port).

3.3 Generate an HTTPS web certificate for AD SelfService

3.3.1 Generate the keystore file

Run the following from the "<installation dir.>\jre\bin" folder:

keytool -genkey -alias tomcat -keypass <your key password> -keyalg RSA -validity 1000 -keystore <keystore_name>.keystore

3.3.2 Generate the web certificate request file

keytool -certreq -alias tomcat -keyalg RSA -keystore <keystore_name>.keystore -file <csr_name>.csr

3.3.3 Request the web certificate from the internal CA

On the CA web enrollment page, choose "advanced certificate request", then "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file", and paste in the contents of the .csr file.

Use the "Download certificate chain" link and download the "PKCS #7 Certificates" type.

Copy the certificate file into the "<installation dir.>\jre\bin" folder.

3.3.4 Download the CA certificate

Copy the CA certificate file into the "<installation dir.>\jre\bin" folder as well.

3.3.5 Import the certificate into the ".keystore" file

keytool -import -trustcacerts -alias tomcat -file certnew.p7b -keystore <keystore_name>.keystore

3.3.6 Trust the internal CA

keytool -import -alias <internal CA_name> -keystore ..\lib\security\cacerts -file certnew.cer

3.4 Associate the certificate with ADSelfService Plus:

1. Copy the ".keystore" file from the "<installation dir.>\jre\bin" folder to the "<installation dir.>\conf" folder.
2. Take a backup copy of the "server.xml" file as "server.xml_bak" and edit the file.
3. Replace the value of "keystoreFile" with "./conf/<keystore_name>.keystore" in the last Connector tag (at the end of the file).
4. Replace the value of "keystorePass" with the password given while creating the keystore.
5. Save the server.xml file and start ADSelfService Plus.
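A quick check of the result of steps 3.4.3 and 3.4.4, as an added example that is not part of the notes above or of the ManageEngine product: it parses a server.xml, takes the last Connector tag, and reports a keystoreFile that does not point at ./conf, a keystorePass left empty or at the Java default, a missing keystore file, or a port other than the 9251 opened in the firewall rules of section 1. The server.xml text and the list of default passwords are constructed assumptions.

```python
"""Sanity-check the HTTPS Connector in an ADSelfService Plus server.xml (added example)."""
import os
import xml.etree.ElementTree as ET

# Constructed sample server.xml: an HTTP connector followed by the HTTPS
# connector on 9251, as the notes describe. The keystorePass is still the
# Java default, so the check below should flag exactly that.
SAMPLE_SERVER_XML = """<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8888" protocol="HTTP/1.1" redirectPort="9251"/>
    <Connector port="9251" protocol="HTTP/1.1" SSLEnabled="true" scheme="https"
               secure="true" keystoreFile="./conf/server.keystore"
               keystorePass="changeit" clientAuth="false" sslProtocol="TLS"/>
  </Service>
</Server>"""

# Assumption: passwords that should never remain on a production keystore
# ("changeit" is the Java cacerts default).
WEAK_PASSWORDS = {"", "changeit", "password"}
EXPECTED_HTTPS_PORT = "9251"  # the port allowed in the firewall rules above


def check_https_connector(xml_text, install_dir=None):
    """Return a list of findings (empty means OK) for the last Connector tag.

    install_dir, when given, is <installation dir.>; the keystoreFile path is
    resolved against it to confirm step 3.4.1 (copy to conf) was done.
    """
    root = ET.fromstring(xml_text)
    connectors = list(root.iter("Connector"))
    if not connectors:
        return ["no <Connector> element found"]
    last = connectors[-1]  # the notes edit the last Connector tag
    findings = []
    if last.get("SSLEnabled", "").lower() != "true":
        findings.append("last Connector is not SSLEnabled")
    if last.get("port") != EXPECTED_HTTPS_PORT:
        findings.append(f"port {last.get('port')!r} is not {EXPECTED_HTTPS_PORT}; update firewall rules")
    ks = last.get("keystoreFile", "")
    if not (ks.startswith("./conf/") and ks.endswith(".keystore")):
        findings.append(f"keystoreFile should be ./conf/<keystore_name>.keystore, got {ks!r}")
    if last.get("keystorePass", "") in WEAK_PASSWORDS:
        findings.append("keystorePass is empty or a well-known default")
    if install_dir is not None and not os.path.isfile(os.path.join(install_dir, os.path.normpath(ks))):
        findings.append(f"{ks} not found under {install_dir}; repeat step 3.4.1")
    return findings


if __name__ == "__main__":
    for f in check_https_connector(SAMPLE_SERVER_XML) or ["OK"]:
        print(f)
```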
