Re: Enable LDAP over SSL

You will need the full cert chain on the DCs, but you should not need the
full chain on the client as AD should provide the whole chain to the client
during the SSL negotiation.

There are usually useful error messages in the system event log from
schannel and sometimes errors from LDAP in the Directory Service log when
there are SSL configuration problems.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:u8NRwU34HHA.2312@xxxxxxxxxxxxxxxxxxxxxxx
I have seen this fail when the CA cert from the third party isn't properly
imported into both the client's and all DCs' cert stores.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"DavidL" <DavidL@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E29AF6C3-FAE2-4BCD-AA1A-FBB5A3DA45A2@xxxxxxxxxxxxxxxx
I followed the instructions in KB321051 to install a certificate.
I got to the section "Verifying an LDAPS connection" and cannot connect to
636 or 3269. Error <0x51>: Fail to connect
389 works fine.
I don't see an _ldap entry in DNS.
The domain controller I'm working with has no IIS and our network has no CA.
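An added check, not from any of the posters above, that walks through the two points made in the replies: what chain the DC presents on 636 and whether its issuing CA is trusted in the client's machine store, followed by the Schannel and Directory Service events Joe K. mentions. The DC name is a placeholder and the event filter uses the Schannel provider name only.

```powershell
# Added example (not from any poster): verify an LDAPS endpoint as the replies describe,
# then pull the Schannel / Directory Service events mentioned by Joe K.
# Assumptions: $Dc is a placeholder DC FQDN; run on a domain-joined Windows client, PowerShell 3+.
param([string]$Dc = 'dc1.example.internal', [int]$Port = 636)

$chainSeen = $null; $policyErrors = $null
$validate = {
    param($sender, $cert, $chain, $errors)
    # Keep the chain Schannel built (server-sent certs plus local store) and the
    # policy result, then let the handshake finish so we can report instead of fail.
    $script:chainSeen = $chain; $script:policyErrors = $errors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($Dc, $Port)        # a refusal here is the plain "fail to connect" case
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
    $ssl.AuthenticateAsClient($Dc)  # name must match the DC cert's subject/SAN
    "Handshake OK ({0}), server cert: {1}" -f $ssl.SslProtocol, $ssl.RemoteCertificate.Subject
    "Policy errors from Schannel: $policyErrors"   # None == chain complete and trusted
    # Joe K.'s point: the DC should present the whole chain. List what was built from it.
    foreach ($el in $chainSeen.ChainElements) {
        $status = ($el.ChainElementStatus | ForEach-Object StatusInformation) -join '; '
        "  {0}`n      issuer: {1}`n      status: {2}" -f $el.Certificate.Subject, $el.Certificate.Issuer,
            $(if ($status) { $status } else { 'ok' })
    }
    # Paul's point: the issuing CA must be trusted locally. Check LocalMachine\Root for the top cert.
    $top = $chainSeen.ChainElements[$chainSeen.ChainElements.Count - 1].Certificate
    $trusted = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Thumbprint -eq $top.Thumbprint
    "Top of chain '{0}' present in LocalMachine\Root: {1}" -f $top.Subject, [bool]$trusted
} catch {
    "LDAPS handshake failed: $($_.Exception.Message)"
} finally {
    $tcp.Dispose()
}

# Server-side evidence: Schannel errors land in System, LDAP SSL errors in Directory Service.
# Run this part on the DC itself (or add -ComputerName $Dc with suitable rights).
$since = (Get-Date).AddDays(-1)
Get-WinEvent -FilterHashtable @{LogName='System'; ProviderName='Schannel'; StartTime=$since} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
Get-WinEvent -FilterHashtable @{LogName='Directory Service'; StartTime=$since} -ErrorAction SilentlyContinue |
    Where-Object Message -match 'LDAP|SSL|TLS|certificate' | Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

A refusal before the handshake points at the DC not listening on 636 (no usable certificate, as in the original question), while a completed handshake with a non-None policy error points at the chain or trust-store problems the replies describe.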