Re: SSL over Ldap June 2006 Posting
- From: "Joe Kaplan (MVP - ADSI)" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Mon, 19 Jun 2006 23:47:09 -0500
Can you open a socket at all on port 636? Maybe there is a network issue?
Try telnet or portqry or something to test this. Also, sniff the wire
traffic with a network monitor and see what you can see. If you can open a
socket but can't negotiate SSL, then you should get an error in the client's
system event log from Schannel detailing the problem.
The trial cert should be fine. If there was a cert trust error, Schannel
would usually tell you that, especially if you bumped up the Schannel
logging level.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"potpal" <potpal@xxxxxxxxx> wrote in message
news:1150741673.009886.249980@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Hello Joe - I've checked the system event log for errors and even
edited the registry for different levels of Schannel logging. Nothing
is appearing in the logs. Using the FQDN and proper DNS name too.
Still getting the same error.
I am however using a trial cert from Verisign. The trial CA for the
trial cert is a trusted root CA.
Any other suggestions? How do you check if CRL checking is in use on a
DC?
Joe Kaplan (MVP - ADSI) wrote:
Check for Schannel errors in the system event log. That is often helpful.
Typically, SSL certs for DCs are issued with the DNS name of the DC, not the
NetBIOS name, so you should connect using the full DNS name. SSL does not
like name mismatches, certs it does not trust or expired certs and may also
puke on revoked certs if CRL checking is in use.
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"potpal" <potpal@xxxxxxxxx> wrote in message
news:1150486195.088352.279420@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Been seeing a lot of similar postings but none with the resolution I
was looking for, so I'm reposting to re-spark the topic; any assistance
is appreciated.
Like others I am running Win2003 and have spent several hours trying to
connect to AD on port 636 using LDP.exe but have not managed to make it
work, whether locally or remotely. A simple connection on port 389 works
fine, but on 636 I always get this from the client when trying to connect
with ldp.exe:
ld = ldap_sslinit("dcname", 636, 1);
Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
Error <0x51> = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to "dcname"
I have a cert installed on the DC. Am I missing something on the
client end?
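The checks Joe's reply asks for (can a socket be opened on 636 at all, does a TLS handshake happen, and does the server certificate pass trust and name checks for the host name actually used) can be separated with a small probe. The script below is an added example written for this page; it is not code from the thread, from ldp.exe or from Microsoft. The DC host name in the usage comment is a placeholder, and the two loopback helpers are constructed stand-ins for an unreachable DC and for a port that answers but does not speak TLS.

```python
"""Stage-by-stage LDAPS (port 636) connectivity probe (added example).

Reports how far a client gets: no TCP socket, TCP but no TLS, TLS but the
certificate fails trust/hostname verification, or a clean handshake.
"""
import socket
import ssl
import threading

LDAPS_PORT = 636


def probe_ldaps(host, port=LDAPS_PORT, timeout=5.0, cafile=None):
    """Return a dict with the stage reached and a detail string.

    stage is one of:
      "tcp"        - no socket could be opened (network, firewall, nothing listening)
      "tls"        - socket opened but no TLS handshake completed
      "tls-verify" - TLS negotiated, but the cert fails trust or name checks
      "ok"         - handshake and verification succeeded
    """
    result = {"host": host, "port": port, "stage": None, "detail": ""}

    # Stage 1: plain TCP connect, the equivalent of telnet/portqry.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result["stage"] = "tcp"
        result["detail"] = str(exc)
        return result

    # Stage 2: TLS handshake with full verification, as a Schannel client
    # would do. SNI and the hostname check use `host`, so connecting by a
    # NetBIOS name to a cert issued for the FQDN is reported at "tls-verify".
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result["stage"] = "ok"
            result["detail"] = "%s %s" % (tls.version(), tls.cipher()[0])
            return result
    except ssl.SSLCertVerificationError as exc:
        result["stage"] = "tls-verify"
        result["detail"] = getattr(exc, "verify_message", str(exc))
        return result
    except OSError as exc:
        # SSLError (not TLS on the wire), reset or EOF: socket opened, no TLS.
        result["stage"] = "tls"
        result["detail"] = str(exc)
        return result


def _closed_port():
    """Constructed helper: a loopback port nobody listens on (unreachable DC)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def _fake_plaintext_listener():
    """Constructed helper: a loopback listener that answers without TLS."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        conn.sendall(b"not a TLS server\r\n")  # client sees a non-TLS reply
        conn.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    print(probe_ldaps("127.0.0.1", _closed_port()))            # stage "tcp"
    print(probe_ldaps("127.0.0.1", _fake_plaintext_listener()))  # stage "tls"
    # Against a real DC (placeholder name): probe_ldaps("dc01.corp.example")
```

In terms of the thread, a "tcp" result is the case where telnet or portqry would also fail and no Schannel event is to be expected; "tls-verify" is the case where Schannel logs a trust, name or expiry problem; "ok" with the FQDN but "tls-verify" with the NetBIOS name is the name-mismatch situation Joe describes.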