LDAPS on a Trusted Domain

    Question

  • I’m trying to configure LDAPS on domain controllers using certificates from another domain. It’s not working correctly and I need some guidance.  This is what I have in place:

    Two-way trust with selective authentication
    Domain 1 has an AD Integrated CA and two DCs
    Domain 2 has two DCs that I’m trying to configure LDAPS on

    I’ve imported the root certificate from Domain 1 onto both DCs in Domain 2. I placed it in the Trusted Root Certificates store. I then generated req files on Domain 2’s DCs using the steps from this article: https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

    When I test LDAPS via LDP.exe, it can’t connect. Does anyone have any suggestions?

    Thursday, February 16, 2017 1:12 AM

All replies

  • Hi,
    Have you checked the following article regarding troubleshooting LDAP over SSL? Please first follow it and see if it helps:
    https://blogs.technet.microsoft.com/askds/2008/03/13/troubleshooting-ldap-over-ssl/

    In addition, do you get any more detailed error messages or events in the event viewer?

    Best regards,
    Wendy


    Please remember to mark the replies as answers if they help.
    If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com

    • Proposed as answer by Todd Heron Thursday, February 16, 2017 12:37 PM
    Thursday, February 16, 2017 8:03 AM
    Moderator
  • Hi Wendy,

    Thank you for your reply. I've discovered it's an issue with the private key. I'm seeing Schannel errors in Event Viewer. Event ID 36869. The SSL server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.

    I created the certificate by creating a .req file using the Custom Certificate Request Wizard, submitted it to the CA in Domain 1 and then imported the certificate it generated. Despite marking the private key as exportable, I don't seem to be able to export it with the private key.


    Thursday, February 16, 2017 6:30 PM
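    The check below is an added example, not a script from this thread or from Microsoft. It runs on a Domain 2 DC after the Domain 1 root certificate and the issued server certificate have been imported, and reproduces the condition behind Schannel event 36869 (a Server Authentication certificate whose private key is not attached) before attempting the same TLS handshake on port 636 that ldp.exe performs. The `$DcFqdn` parameter and the `certutil -repairstore` hint at the end are assumptions, not something the thread states.

```powershell
# Added diagnostic, not from the thread. Assumes it runs locally on a Domain 2 DC.
param([string]$DcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName)

# 1. Machine certificates Schannel could use for LDAPS: Server Authentication EKU,
#    not expired. HasPrivateKey = False is exactly what event 36869 complains about.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid -and
    $_.NotAfter -gt (Get-Date)
}
if (-not $candidates) { Write-Warning 'No Server Authentication certificate in LocalMachine\My' }

foreach ($c in $candidates) {
    # 2. Chain must build up to the Domain 1 root placed in Trusted Root Certification Authorities.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($c)
    [pscustomobject]@{
        Subject       = $c.Subject
        Issuer        = $c.Issuer
        Thumbprint    = $c.Thumbprint
        HasPrivateKey = $c.HasPrivateKey   # False => private key not linked to the cert
        ChainBuilds   = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
    }
}

# 3. Recent Schannel failures, so the handshake result below can be correlated with the log.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36869 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message

# 4. TLS handshake against LDAPS, the same operation ldp.exe performs on connect.
$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($DcFqdn)
    "LDAPS handshake OK; server presented: $($ssl.RemoteCertificate.Subject)"
} catch {
    Write-Warning "LDAPS handshake failed: $($_.Exception.Message)"
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# Assumption (not from the thread): when HasPrivateKey is False for a certificate whose
# request was generated on this same machine, re-linking the issued certificate with the
# pending key is done with:  certutil -repairstore my <thumbprint>
```

    A certificate that shows `HasPrivateKey = False` here cannot be exported with its key either, which matches the symptom described above.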
  • Hi,
    Great share and feedback, it will be greatly helpful to others who have the same question.
    However, as you said, if the cause is related to the certificate, it seems to be outside the scope of the Directory Services forum. In this case, you could post the question in the security forum, which focuses on certificate issues:
    https://social.technet.microsoft.com/Forums/windowsserver/en-US/home?forum=winserversecurity
    The reason why we recommend posting appropriately is you will get the most qualified pool of respondents, and other partners who read the forums regularly can either share their knowledge or learn from your interaction with us. Thank you for your understanding.
    Best regards,
    Wendy


    Monday, February 20, 2017 9:42 AM
    Moderator