LDAP connection error over SSL 636 port

    Question

  • Hi All,

    On the servers we are unable to create an LDAP connection over SSL (port 636). The ADAM server has valid certificates under the Computer\Personal folder. Network Service has the required permissions on the machine keys.

    Error details: ld = ldap_sslinit("tmachn1.dnsroot.biz", 636, 1);
    Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
    Error <0x51> = ldap_connect(hLdap, NULL);
    Server error: <empty>
    Error <0x51>: Fail to connect to machn1.dnsroot.biz.

    1220 error in event viewer.

    Error Details:

    Source: ADAM Category: LDAP instance

    LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.
     
    Additional Data
    Error value:
    8009030e No credentials are available in the security package

    This is causing login issues to SharePoint external users through ECTS. Certificates are ok.

    Your help will save me a lot. Please advise on this.

    I am expecting quick replies from valued Microsoft. Please respond to me ASAP.

    ------------

    v235

    Monday, June 27, 2011 12:14 PM

Answers

  • Hi All,

    Thanks for all your replies... I got it resolved...

    I removed all the certificates from the Computer/Personal and ECTS/Personal locations. I renewed the certificate, it got installed in Computer/Personal, and I gave permissions to Network Service on the machine key.

    It's all working fine with the new certificate.


    cheers...

    ----------

    Regards

    venkat

    Tuesday, June 28, 2011 9:28 AM
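As an added example (not code from the thread), a PowerShell checklist for the points raised here: a certificate for the server name in the computer Personal store, a usable private key, Network Service access to the machine key file, a chain that builds, and a TLS handshake on 636 that shows which certificate the service actually presents. The FQDN is a placeholder taken from the question; replace it and run the script on the ADAM host.

```powershell
# Added example, not from the thread. LDAPS readiness checks for an ADAM/AD LDS host.
# $Fqdn is a placeholder from the question; replace it. Run on the ADAM server itself.
$Fqdn = "machn1.dnsroot.biz"
$Port = 636
$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # Server Authentication EKU
$dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName

# 1. Certificates in the computer Personal store whose DNS name (SAN or CN) is the server FQDN.
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo($dnsType, $false) -eq $Fqdn }
if (-not $certs) { Write-Warning "No certificate for $Fqdn in LocalMachine\My" }

foreach ($c in $certs) {
    $ekuExt = $c.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }

    # 2. Network Service access to the key file under MachineKeys (CSP/RSA keys only; CNG keys differ).
    try {
        $keyName = $c.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
        $keyPath = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $keyName
        $nsAllow = [bool]((Get-Acl $keyPath).Access |
            Where-Object { $_.IdentityReference -like "*NETWORK SERVICE*" -and $_.AccessControlType -eq "Allow" })
    } catch { $nsAllow = "unknown: $($_.Exception.Message)" }

    [pscustomobject]@{
        Thumbprint        = $c.Thumbprint
        NotAfter          = $c.NotAfter
        HasPrivateKey     = $c.HasPrivateKey           # the "You have a private key..." line in the UI
        ServerAuthEKU     = ($ekus.Count -eq 0) -or ($ekus -contains $serverAuthOid)
        ChainBuilds       = $c.Verify()                # chain + revocation, like certutil -verify
        NetworkServiceACL = $nsAllow
    }
}

# 3. TCP reachability and a real TLS handshake on 636; record the certificate the service presents.
$script:served = $null
$cb = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors) $script:served = $cert; $true }
$tcp = New-Object System.Net.Sockets.TcpClient($Fqdn, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
try {
    $ssl.AuthenticateAsClient($Fqdn)
    "TLS OK on ${Fqdn}:$Port; served cert: $($script:served.Subject), expires $($script:served.GetExpirationDateString())"
} catch {
    # A handshake that fails right after connect is what event 1220 describes: no usable certificate.
    Write-Warning "TLS handshake failed: $($_.Exception.Message)"
} finally { $ssl.Dispose(); $tcp.Close() }
```

If step 1 lists a certificate but step 3 fails, the service is not picking it up: check the AD LDS service's own Personal store (as suggested later in the thread) rather than renewing the certificate again.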

All replies

  • Check that the cert has a valid private key.

    Regards,

    Ganesh

    www.windowstricks.in

    Monday, June 27, 2011 12:49 PM
  • Thanks Ganesh, for quick response.

    The certificate has the private key. On the certificate it shows "You have a private key that corresponds to this certificate".

    Any other location to check?

    -----

    regards

    venkat

    Monday, June 27, 2011 12:56 PM
  • Hi,

    Did you move the cert to the ADAM instance's Personal store? (It seems the cert is in the local computer Personal folder.)

    Move the cert from the Local Computer Personal store to the ADAM service Personal store, restart the ADAM service, and try again,

    and also try the SSL Diagnostics Tool:

    http://www.microsoft.com/download/en/details.aspx?id=674

    Regards,

    Ganesh

    www.windowstricks.in

    Monday, June 27, 2011 1:50 PM
  • The articles below might help you troubleshoot.

    Troubleshooting LDAP Over SSL

    http://blogs.technet.com/b/askds/archive/2008/03/13/troubleshooting-ldap-over-ssl.aspx

    http://social.technet.microsoft.com/wiki/contents/articles/2980.aspx

    http://policelli.com/blog/archive/tag/ldap-over-ssl/

    Regards


    Awinish Vishwakarma | CHECK MY BLOG

    Disclaimer: This posting is provided AS-IS with no warranties or guarantees and confers no rights.

    Monday, June 27, 2011 2:07 PM
    Moderator
  • Hi Ganesh,

    I already did this step. When I use the certutil -verify command, the error below is shown.

    The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    ------------------------------------
    Revocation check skipped -- server offline

    ERROR: Verifying leaf certificate revocation status returned The revocation function was unable to check revocation because the revocation server was offline. 0x80092013 (-2146885613)
    CertUtil: The revocation function was unable to check revocation because the revocation server was offline.

    CertUtil: -verify command completed successfully.

    Is this causing the issue?

    Monday, June 27, 2011 2:50 PM
  • Hi Awinish,

    Thanks for the reply... no help from those links.

    Can you suggest a checklist of points to check for the connection?

    -----------

    Regards

    V235

    Monday, June 27, 2011 3:28 PM
  • Hey there. Has this ever worked? Or is this a new setup? Your comment about SharePoint makes it sound like it had been working in some fashion and now it's broken, so something must have changed. If they are new certs, how did you request them? Internal or external CA? Can you telnet to port 636 on the DC? Do you have all the necessary common and subject alternative names present on the cert? Sorry for all the questions, just trying to get some background.
    Monday, June 27, 2011 7:24 PM
  • Hi... It was working fine for 2 years; all of a sudden it's giving problems. The internal certificate was requested on 24-Feb-11 and will expire on 24-Feb-2012. I am able to telnet to ports 389 and 636 of the ADAM server. The subject name is the FQDN of the ADAM server.

    Tuesday, June 28, 2011 6:04 AM
  • Run the below command and post the result

    "certutil -verify -urlfetch"

    Regards,

    Ganesh

    www.windowstricks.in

    Tuesday, June 28, 2011 7:57 AM
  • This was causing my problems while enabling SSL, as I had only installed the server certificate to the computer's Personal store. Thanks!
    Wednesday, November 26, 2014 9:26 AM