Re: Enable LDAP over SSL

From: DavidL <DavidL@xxxxxxxxxxxxxxxxxxxxxxxxx>
Date: Mon, 20 Aug 2007 19:36:06 -0700

OK.... that gives me more to chew on.
I see this in the system log.
Event Type: Warning
Event Source: Schannel
Event Category: None
Event ID: 36872
Date: 8/20/2007
Time: 3:46:18 PM
User: N/A
Computer:
Description:
No suitable default server credential exists on this system. This will
prevent server applications that expect to make use of the system default
credentials from accepting SSL connections. An example of such an application
is the directory server. Applications that manage their own credentials, such
as the internet information server, are not affected by this.

and this in the directory service log

Event Type: Information
Event Source: NTDS LDAP
Event Category: LDAP Interface
Event ID: 1220
Date: 8/16/2007
Time: 3:51:10 PM
User: N/A
Computer:
Description:
LDAP over Secure Sockets Layer (SSL) will be unavailable at this time
because the server was unable to obtain a certificate.

"Joe Kaplan" wrote:

You will need the full cert chain on the DCs, but you should not need the
full chain on the client as AD should provide the whole chain to the client
during the SSL negotiation.

There are usually useful error messages in the system event log from
schannel and sometimes errors from LDAP in the Directory Service log when
there are SSL configuration problems.

Joe K.

--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
--
"Paul Bergson [MVP-DS]" <pbergson@xxxxxxxxxxxxxxxxx> wrote in message
news:u8NRwU34HHA.2312@xxxxxxxxxxxxxxxxxxxxxxx

I have seen this fail when the CA cert from the third party isn't properly
imported into both the client and all dc's cert stores.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"DavidL" <DavidL@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:E29AF6C3-FAE2-4BCD-AA1A-FBB5A3DA45A2@xxxxxxxxxxxxxxxx

I followed the instructions in KB321051 to install a certificate.
I got to the section "Verifying an LDAPS connection" and cannot connect
to
636 or 3269. Error <0x51>: Fail to connect
389 works fine.
I don't see an _ldap entry in DNS.
The domain controller I'm working with has no IIS and our network has no
CA

Follow-Ups:
- Re: Enable LDAP over SSL
  - From: Joe Kaplan

References:
- Re: Enable LDAP over SSL
  - From: Paul Bergson [MVP-DS]
- Re: Enable LDAP over SSL
  - From: Joe Kaplan

Prev by Date: Re: Setup DFS over slow link 350 GB data
Next by Date: "net use" question
Previous by thread: Re: Enable LDAP over SSL
Next by thread: Re: Enable LDAP over SSL
Index(es):
- Date
- Thread

Relevant Pages

Re: Help with introducing Linux to the classroom.
... > machine or will a server install of SUSE 9.0 come with some kind of ... > directory services like Active Directory? ... SuSE has LDAP and NIS. ... LDAp is like Microsoft ADS. ...
(alt.os.linux.suse)
Re: ldapwhoami - failover tut nicht
... mehr am LDAP die Credentials überprüfen konnte. ... LDAP Server geht? ... so dass die LDAP-Clients garnix mitbekommen? ...
(de.comp.os.unix.networking.misc)
Re: Directory Services wont start
... directory services. ... outage but the generator had a problem so we were forced to shut the ... When we started the server back up, the LDAP directory ...
(comp.unix.solaris)
RE: LDAP single point of failure
... I've seen developers specify a domain name instead of a server name in the ... LDAP connection settings. ... JPolicelli, MVP - Directory Services ...
(microsoft.public.windows.server.active_directory)
LDAP Difficulties
... We are using SUN One Directory Server 5.2 for LDAP here. ... tend to use a lot of directory services the mailserver and the ...
(SunManagers)