Fail to Connect to MS Active Directory using LDAP

    Question

  • Hello, 

        I need to connect to MS AD through LDAP over SSL using Java. The server admin gave me a certificate for the SSL connection. I am trying to connect through different tools (other than my Java app), but just can't get it through. I use ldaps://XX.XX.XX.XX:636

    1. Using IE, it asks for an app required. On clicking "OK", it asks me to enter Name & Email. On entering Name & Email, the popup would just keep coming back.
    2. Using the JXplorer browser (specifically for LDAP), it could connect successfully to port 636, but gives an error that it cannot read any entry details.
    3. Using the LDAP Admin browser, it would initially pop up the error "Could not verify the self-signed certificate"; if we click to proceed, it successfully shows the 1st level of the list (hangs for any further level).
    4. With the Java application, it gives a handshake error: "simple bind failed: 10.9.91.55:636 [Root exception is javax.net.ssl.SSLHandshakeExceptionsun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target]"
    5. On verifying the cert using the Certutil -Verify -Urlfetch cert_export.cer command, at the bottom I get this result:

    Verified Issuance Policies: All

    Verified Application Policies:

        1.3.6.1.5.5.7.3.1 Server Authentication

    Cannot check leaf certificate revocation status

    CertUtil: -verify command completed successfully.

     I have installed the certificate in Trusted Certificates at the System level, imported it into the keystore, provided the args for the Java app, and restarted; yet no success.

       Can anyone help me understand what the problem is and how I can resolve it? I am stuck.

       Any help is highly appreciated.

    Thanks

    If you find any answer helpful, then click "Vote As Helpful" and if it also solves your question then also click "Mark As Answer".

    Monday, April 17, 2017 6:18 PM
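An added example, not from the original post, showing how a Java client is pointed at a truststore that holds the AD root CA and how to see which chain the domain controller actually presents. Host name, truststore file, service account and the LDAP_BIND_PW environment variable are assumed placeholders.

```java
import java.io.FileInputStream;
import java.security.KeyStore;
import java.security.cert.*;
import java.util.Hashtable;
import javax.naming.Context;
import javax.naming.directory.InitialDirContext;
import javax.net.ssl.*;

public class LdapsTrustCheck {
    // Assumed placeholders. Use the DC's DNS name as it appears in the certificate's SAN,
    // not the raw IP: JDK 8u181+ checks the LDAPS hostname against the certificate.
    static final String HOST = "dc01.example.internal";
    static final String TRUSTSTORE = "ad-truststore.jks";    // keytool -importcert -file rootca.cer
    static final String TRUSTSTORE_PW = "changeit";

    // Step 1: handshake using only the CAs in our truststore and print the chain the DC sends.
    // "PKIX path building failed" here means the issuer of the last printed certificate is not
    // in the truststore: import that issuing/root CA certificate, not the DC's own leaf cert.
    static void printServerChain() throws Exception {
        KeyStore ts = KeyStore.getInstance("JKS");
        try (FileInputStream in = new FileInputStream(TRUSTSTORE)) { ts.load(in, TRUSTSTORE_PW.toCharArray()); }
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(ts);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null);
        try (SSLSocket s = (SSLSocket) ctx.getSocketFactory().createSocket(HOST, 636)) {
            s.startHandshake();
            for (Certificate c : s.getSession().getPeerCertificates()) {
                X509Certificate x = (X509Certificate) c;
                System.out.println("subject=" + x.getSubjectX500Principal() + "  issuer=" + x.getIssuerX500Principal());
            }
        }
    }

    // Step 2: the JNDI simple bind from the question, with the truststore supplied through the
    // javax.net.ssl system properties (the same as passing them as -D arguments to the JVM).
    static void bind() throws Exception {
        System.setProperty("javax.net.ssl.trustStore", TRUSTSTORE);
        System.setProperty("javax.net.ssl.trustStorePassword", TRUSTSTORE_PW);
        Hashtable<String, String> env = new Hashtable<>();
        env.put(Context.INITIAL_CONTEXT_FACTORY, "com.sun.jndi.ldap.LdapCtxFactory");
        env.put(Context.PROVIDER_URL, "ldaps://" + HOST + ":636");
        env.put(Context.SECURITY_AUTHENTICATION, "simple");
        env.put(Context.SECURITY_PRINCIPAL, "svc-ldap@example.internal");      // placeholder service account
        env.put(Context.SECURITY_CREDENTIALS, System.getenv("LDAP_BIND_PW"));  // keep the password out of code
        InitialDirContext dc = new InitialDirContext(env);
        System.out.println("bound as " + env.get(Context.SECURITY_PRINCIPAL));
        dc.close();
    }

    public static void main(String[] args) throws Exception { printServerChain(); bind(); }
}
```

If step 1 succeeds but the JNDI bind still fails with the same PKIX error, the JVM is not reading the truststore you think it is (check the -D arguments reach the actual java process that runs the app).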

All replies

  • Hi,

    What's the certificate provided by server admin?

    Please try to import the root CA certificate into Trusted Root Certification Authorities store under both the computer and current logged on user account.

    In addition, please post the complete result of the command certutil -verify -urlfetch certname.cer.

    Best Regards,

    Amy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Tuesday, April 18, 2017 8:13 AM
    Moderator
  • From your issue details, the SSL handshake is failing because of revocation verification error. There should be something missing even though you mentioned the required issuing and root CA certs are in the appropriate store.

    1. What is the result if you run the certutil -verify -urlfetch command against the problem certificate from a different machine?

    2. What are the AIA/CDP paths configured in the certificates? Is this an internal CA issued cert?

    3. What is the result if you access the AIA/CDP path manually?

    4. What error do you see in the Application event log at the time of the error?

    Tuesday, April 18, 2017 10:31 AM
  • Hi,

    Are there any updates at the moment?

    Best Regards,
    Amy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    Monday, April 24, 2017 10:19 AM
    Moderator