Re: LDAPS connection error on 636



I did see this error
--------------------------------------
Event Type: Warning
Event Source: Schannel
Event Category: None
Event ID: 36872
Date: 4/13/2007
Time: 8:33:10 AM
User: N/A
Computer: ANDC03
Description:
No suitable default server credential exists on this system. This will
prevent server applications that expect to make use of the system default
credentials from accepting SSL connections. An example of such an application
is the directory server. Applications that manage their own credentials, such
as the internet information server, are not affected by this.

For more information, see Help and Support Center at
http://go.microsoft.com/fwlink/events.asp.
--------------------------------------
The cert is issued from VeriSign and I installed it per the directions of the KB I
listed below. The cert is in the personal folder and I am running ldp.exe
from the DC it is installed on for testing.


"Joe Kaplan" wrote:

Do you see an error from schannel in the System event log that corresponds
to the failure on either the client or the DC? Generally, SSL problems will
be related to either the server having problems using the certificate you
issued or the client won't trust the certificate for some reason.

On the server side, sometimes the server does not have the private key for
the cert installed correctly or the cert is in the wrong store. Also,
depending on who issued the certificate, the server may not trust it.

If the server is able to process the certificate correctly, then on the
client side, the issue is usually either that the client does not trust the
server's cert because its issuer doesn't chain to a trusted root on the
client machine or the DNS name of the cert does not match the DNS name used
to connect to the server.

Usually, an error from schannel in the System event log will give you
details regarding the exact nature of the problem.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Shon Miles" <ShonMiles@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:95AB5BA1-5DB5-40ED-965F-A8631D1721EA@xxxxxxxxxxxxxxxx
I just followed this article,
http://support.microsoft.com/default.aspx/kb/321051, and I have the cert back
and installed and rebooted but when I do the connection attempt I get this
message:

ld = ldap_open("ourDCname here", 636);
Error <0x51>: Fail to connect to ourDCname here.

Any ideas?
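
The server-side causes listed in the reply above (certificate in the wrong store, missing private key, issuer not trusted, DNS name mismatch) can each be checked on the DC itself. The PowerShell below is an added example, not part of the original thread; the `$DcFqdn` parameter and the output property names are assumptions made for illustration.

```powershell
# Added example, not from the thread. Run elevated on the domain controller.
param(
    # Assumption: the name clients pass to ldap_open() is this machine's DNS FQDN.
    [string]$DcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$sanOid        = '2.5.29.17'           # Subject Alternative Name extension
$namePattern   = '(^|[=,\s])' + [regex]::Escape($DcFqdn) + '($|[,\s])'
$now           = Get-Date

# Schannel's default server credential comes from the computer account's Personal store.
Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # Is Server Authentication listed in the Enhanced Key Usage extension?
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    $hasServerAuth = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $serverAuthOid

    # Name check: the subject CN or a SAN entry must equal the FQDN (wildcards not handled).
    $cn      = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $san     = $cert.Extensions[$sanOid]
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $nameOk  = ($cn -ieq $DcFqdn) -or ($sanText -match $namePattern)

    # Build the chain against the local trust stores only (no revocation lookup).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = $hasServerAuth
        NameMatches   = $nameOk
        InValidity    = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        ChainTrusted  = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
} | Format-List
```

A False in any column for the intended certificate points at one of the causes named in the reply; an empty result means the certificate is not in the computer account's Personal store at all.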


