Re: LDAPS



If there are no schannel errors in the event log but SSL/LDAP is not
working, then that is pretty weird. I've never seen that.

Are you sure the DNS name of the DC matches the DNS name of the certificate
stored in the cert's CN? Still, even if the issue was a name mismatch, that
should show up as an schannel error in the event log, so I'm confused.

Also, what happens if you try this from a different machine other than the
DC?

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"ODG" <ODG@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:7FF951D5-C20B-4F7E-9BB0-F3F9C743CC11@xxxxxxxxxxxxxxxx
I'm running ldp.exe on the domain controller itself.
The certificate is installed from a trusted server (Microsoft cert server)
that has a root certificate installed on all clients in AD via group
policy.
The certificate on the domain controller is a "server authentication"
certificate installed in the local store. The CRL is in the trusted root
store (is this incorrect)?
How do I ensure that the CRL is available?
There are no secure channel errors in the event logs.

Sorry for some of the return questions but I'm quite new to certificate
services.

Thanks,

ODG

"Joe Kaplan" wrote:

Look for errors from schannel in the System event log on the client
machine that cannot connect. It usually tells what the problem is.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"jx" <mc@xxxxxxxxxxx> wrote in message
news:eMBhFA1AHHA.1196@xxxxxxxxxxxxxxxxxxxxxxx
Well, there are a couple of things to look at. First, does the client trust
the CA that issued the cert? Meaning, have you published the CTL of the CA
(at least on the DCs etc.)? Secondly, is the CA CRL available for the
clients to access? Third, does the certificate you issued match the
requirements for LDAPS? Can you verify that the certificate and CTL are
installed in the DC's local cert store?
HTH

"ODG" <ODG@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:C16FA043-8E4A-4C3F-909B-9F842319B0A3@xxxxxxxxxxxxxxxx
I have been trying to setup LDAPS on my domain controllers to allow an
AD password reset option from a Juniper SSL box to access AD.

I have followed the following article
http://support.microsoft.com/kb/321051
and installed the certificate and used LDP.exe to try to connect to
636 on the domain controller but only receive the following error:

ld = ldap_sslinit("myserverver.FQDN", 636, 1);
Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION,
LDAP_VERSION3);
Error <0x51> = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to myserverver.FQDN

I have used netstat -a and can see that the DC is listening on port
636 so am not sure why it's not allowing me to connect.

I'm sure I'm missing something quite straightforward but cannot see
what.

Any help would be gratefully received.

Thanks,

ODG
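The checks discussed in this thread (a Server Authentication cert in the computer store whose name matches the DC, CRL reachability, and the TLS handshake on 636 that ldp.exe performs) collected into one diagnostic script. This is an added example, not code from the thread or from Microsoft; it assumes an elevated PowerShell on a Server 2012 or later DC, that $DcFqdn resolves to the DC's DNS name, and that certutil and the PKI module are available. Run it once on the DC and once from a client with -RemoteOnly to compare, as Joe suggests.

```powershell
# Hypothetical LDAPS diagnostic; $DcFqdn default assumes GetHostEntry returns the DC's FQDN.
param(
    [string]$DcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [switch]$RemoteOnly   # skip the local certificate-store checks when run from a client
)
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, required for LDAPS

if (-not $RemoteOnly) {
    # 1. A usable LDAPS cert must sit in the computer's Personal store, carry a
    #    private key, have the Server Authentication EKU and name the DC's FQDN.
    $candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid) -and
        ($_.DnsNameList.Unicode -contains $DcFqdn)
    }
    if (-not $candidates) {
        Write-Warning "No cert in LocalMachine\My with a private key, Server Authentication EKU and name '$DcFqdn'."
    }
    foreach ($cert in $candidates) {
        Write-Host "Candidate: $($cert.Subject) thumbprint $($cert.Thumbprint)"
        # 2. Chain and CRL reachability: certutil -verify -urlfetch downloads the CDP/AIA
        #    URLs and reports revocation status, which answers "is the CRL available?"
        $tmp = Join-Path $env:TEMP "ldaps-$($cert.Thumbprint).cer"
        Export-Certificate -Cert $cert -FilePath $tmp | Out-Null
        certutil -verify -urlfetch $tmp | Select-String 'Revocation|CRL|Verified|Expired|ERROR'
        Remove-Item $tmp
    }
}

# 3. TLS handshake on 636, the same step ldp.exe fails with 0x51. The callback logs
#    what the DC offered and any policy errors (name mismatch, untrusted chain) instead
#    of aborting, so a trust problem is visible even when no schannel event is logged.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($DcFqdn, 636)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        { param($sender, $cert, $chain, $errors)
          Write-Host "Server offered: $($cert.Subject); policy errors: $errors"; $true })
    $ssl.AuthenticateAsClient($DcFqdn)
    Write-Host "Handshake OK: $($ssl.SslProtocol), cipher $($ssl.CipherAlgorithm)"
} catch {
    # A refused TCP connect means 636 is not listening; a handshake exception with no
    # certificate offered usually means the DC found no acceptable cert in its store.
    Write-Warning "LDAPS handshake to ${DcFqdn}:636 failed: $($_.Exception.GetBaseException().Message)"
} finally {
    $tcp.Close()
}
```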