LDAPerr: DSID-0C090FB4

    Question

  • Anyone have a list of all possible LDAP errors deciphered?  We're getting the one shown in the subject, DSID-0C090FB4, whenever a specific application tries to do an LDAP authentication.  More specifically, the authentication doesn't fail, but the request for a TLS connection fails.   "LdapErr: DSID-0C090FB4, comment: Error initializing SSL/TLS, data 0, v2580"  I want to know why this error is happening.

    This happened suddenly after our DC reboots due to Windows Updates.  All other applications are operating as normal. 

    We have Windows 2012 R2 (AD operating level 2012.)  The authenticating application is Linux based, and of course, they insist their request is well formed.  

    Anyway, that specific error code doesn't seem to show up on the internet at all.  I thought everything existed on the internet, but apparently I'm wrong. 

    Thanks for anything you can offer.

    Tuesday, December 20, 2016 7:22 PM

Answers

  • Got it fixed, so I figured I'd dump the answer for future reference.  I never figured out exactly why the error occurred on two machines at the same time, but both machines decided that their self-signed certs were no longer good enough.  We issued new certificates from our CA and it worked again.  

    Now, I still want an answer, as it doesn't explain why these two DCs decided to change behavior.  What's preventing other DCs from doing the same?  We have 6 DCs total, all were set up about the same.  Only two went weird.  Plus they worked fine before.  Obviously I know certs expire over time, but no certificate on the machine expired recently (there was one that expired in March, but it was a special-use cert not used).  

    And above all else, why couldn't the error be a bit clearer?

    TL;DR:  "LdapErr: DSID-0C090FB4, comment: Error initializing SSL/TLS, data 0, v2580" means you need a new CA-issued cert.

    Wednesday, December 21, 2016 5:40 PM

All replies

  • Hi,
    I agree with you that there is no information about this error DSID-0C090FB4 on the internet.
    However, according to the error message “Error initializing SSL/TLS, data 0”, it might be that the SSL connection is not being created with AD. Maybe you could start here.
    Please see: https://community.helpsystems.com/forums/intermapper/intermapper-datacenter/989050e1-fa83-e511-80cf-0050568460e4
    Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.
    Best regards,
    Wendy

    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    Wednesday, December 21, 2016 6:59 AM
    Moderator
  • > I want to know why this error is happening.
     
    Do a network trace on the computer initiating the LDAPS connection. Identify the cipher suites that the client sends and the ones the DC returns. Most probably, you have to remove some cipher suites on the DC side.
    If cipher suites are not the cause, the trace will in any case help you understand what's going on.
     
    Wednesday, December 21, 2016 9:59 AM
  • From the error it seems the application's requirement is that the AD server should have at least the SSL protocol enabled and a self-signed certificate applied.

    To verify if SSL is enabled or not, please check the value for HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client\DisabledbyDefault (1 is enabled and 0 is disabled)

    Also check the certificate store of the AD server and verify whether all certificates are trusted and valid with their chain.

    Wednesday, December 21, 2016 12:46 PM
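    As an added diagnostic (not code from this thread or from Microsoft), the script below probes a DC's LDAPS port from a client host and separates the outcomes the replies above discuss: a handshake that fails before any certificate is accepted (no usable DC certificate, or no cipher suite or protocol in common, the case a network trace would show), a certificate that the client's trust store rejects (self-signed or expired, the case the accepted answer fixed by issuing a CA cert), and a successful session whose certificate is then checked for validity dates, a name matching the DC's FQDN, and a non-self-signed issuer. The host name dc1.corp.example and SAMPLE_CERT are constructed; assess_cert only covers those three points, not the key usage that the Windows side also checks.

```python
"""Diagnose a DC's LDAPS endpoint: does the handshake complete, and will clients accept the cert?"""
import socket
import ssl
import time
from typing import List, Optional

SAMPLE_CERT = {  # constructed: the shape ssl getpeercert() returns for a CA-issued DC certificate
    "subject": ((("commonName", "dc1.corp.example"),),), "issuer": ((("commonName", "Corp Issuing CA"),),),
    "notBefore": "Dec 21 00:00:00 2016 GMT", "notAfter": "Dec 21 00:00:00 2017 GMT",
    "subjectAltName": (("DNS", "dc1.corp.example"),)}


def name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive exact match, or a single-label wildcard such as *.corp.example."""
    p, h = pattern.lower(), hostname.lower()
    return (h.count(".") == p.count(".") and h.endswith(p[1:])) if p.startswith("*.") else p == h


def assess_cert(cert: dict, hostname: str, now: Optional[float] = None) -> List[str]:
    """Return the problems found in a getpeercert()-style dict; an empty list means it looks usable."""
    now = time.time() if now is None else now
    problems = []
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    names += [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if not any(name_matches(n, hostname) for n in names):
        problems.append("no subject CN or SAN entry matches " + hostname)
    if cert.get("subject") == cert.get("issuer"):
        problems.append("self-signed: clients cannot chain it to a trusted CA")
    return problems


def probe_ldaps(hostname: str, timeout: float = 5.0) -> dict:
    """Connect to hostname:636 with normal chain verification and classify what happened."""
    ctx = ssl.create_default_context()  # verifies the DC's chain against the local trust store
    try:
        with socket.create_connection((hostname, 636), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
                return {"status": "ok", "protocol": tls.version(), "cipher": tls.cipher()[0],
                        "problems": assess_cert(tls.getpeercert(), hostname)}
    except ssl.SSLCertVerificationError as e:  # chain/validity rejected: self-signed, expired, wrong name
        return {"status": "cert-rejected", "detail": e.verify_message}
    except ssl.SSLError as e:  # handshake broke earlier: no usable DC cert, or no shared cipher/protocol
        return {"status": "handshake-failed", "detail": str(e)}
    except OSError as e:  # nothing listening on 636, firewall, DNS
        return {"status": "unreachable", "detail": str(e)}
```

    Call `probe_ldaps("dc1.corp.example")` from the Linux host that fails to bind; a "handshake-failed" result points at the DC's certificate or cipher configuration, while "cert-rejected" means the DC answers but presents a certificate the client will not trust.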