KB260126 (MS11-086) broke LDAP over SSL

    Question

  • After applying KB260126 (MS11-086) on both Windows Server 2003 SP2 and Windows Server 2008 R2 domain controllers, I can no longer connect (run ldp.exe) to my domain controllers via port 636 using SSL.

    I removed KB260126 from one of the 2003 DCs, and the secure LDAP via port 636 started to work again; and I re-installed KB260126 on the same 2003 DC, it broke secure LDAP again.

    What do I need to do to fix this?

    Thanks and regards.

    • Moved by Bruce-Liu Friday, December 09, 2011 8:10 AM (From:Directory Services)
    Wednesday, December 07, 2011 11:14 PM


All replies

  • If the above patch is creating the problem, don't install it on the server unless there is a strong business requirement to install it.

    There are certain patches which are recommended to install, but there might be some components or drivers on the server which are not compatible with the patch and hence cause the issue.


    Regards,
    Sandesh Dubey.
    -------------------------------
    MCSE|MCSA:Messaging|MCTS|MCITP:Enterprise Administrator
    My Blog: http://sandeshdubey.wordpress.com
    This posting is provided AS IS with no warranties, and confers no rights.

    Thursday, December 08, 2011 4:14 AM
  • Hi,

    Since there is no KB260126, I assume it is KB2616310 in MS11-086.

    I tested in my lab and the LDAPS connection worked fine with KB2616310 installed. Currently, please first make sure you have restarted the server after installing this update. Then, apply this hotfix:

    You may be unable to connect to a Windows Server 2003-based domain controller by using LDAP over an SSL connection
    http://support.microsoft.com/kb/932834

    If the problem continues, for further research, please help collect the following information:

    1. If you cannot connect to the server by using port 636, what errors have been generated by Ldp.exe?
    2. View the Event Viewer to check if there is any relevant error.

    Regards,
    Bruce
    Forum Support

    Please remember to mark the replies as answers if they help and unmark them if they provide no help. If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.

    • Edited by Bruce-Liu Friday, December 09, 2011 8:10 AM
    Friday, December 09, 2011 8:06 AM
  • Sorry for the typo. It's KB2601626 (for AD LDS), not KB2616310 (for ADAM), both under MS11-086.

    After applying KB2601626 to both Windows 2003 SP2 and Windows 2008 R2 DCs, LDAPS (ldp.exe) fails to connect to Windows 2003 DCs with the following error:

    ld = ldap_sslinit("dc02", 636, 1);
    Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
    Error <0x51> = ldap_connect(hLdap, NULL);
    Server error: <empty>
    Error <0x51>: Fail to connect to dc02.

    The DC running Windows 2008 is OK. On the failed Windows 2003 DC, Schannel event 36869 says:

    The SSL server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.

    I had my CA issue new certs for both the 2003 and 2008 DCs, and verified that the certs are valid. But it's only an issue with the 2003 DC.

    I applied the hotfix KB932834 on the 2003 DC, issued a new cert and rebooted. But this did not fix the problem.

    Thanks and regards.

    Friday, December 09, 2011 11:11 PM
  • Hi,

    I installed KB2601626 (for AD LDS) on Windows Server 2003 in my lab. The LDAPS connection still works fine.

    Currently, I suggest you refer to the following articles to troubleshoot this problem:

    How to troubleshoot LDAP over SSL connection problems
    http://support.microsoft.com/kb/938703

    Troubleshooting LDAP Over SSL
    http://blogs.technet.com/b/askds/archive/2008/03/13/troubleshooting-ldap-over-ssl.aspx

    Hope this helps.

    Regards,
    Bruce

    • Marked as answer by Fat Frog Tuesday, December 13, 2011 3:19 AM
    Tuesday, December 13, 2011 2:04 AM
  • Thanks for the link (KB938703), which points out what my problem was. There was another cert in the list, which I have deleted, and now LDAPS works.

    Step 3: Check for multiple SSL certificates

    Determine whether multiple SSL certificates meet the requirements that are described in step 1. Schannel (the Microsoft SSL provider) selects the first valid certificate that Schannel finds in the Local Computer store. If multiple valid certificates are available in the Local Computer store, Schannel may not select the correct certificate. A conflict with a certification authority (CA) certificate may occur if the CA is installed on a domain controller that you are trying to access through LDAPS.

    Tuesday, December 13, 2011 3:23 AM
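    An added check for the step 3 condition quoted above (more than one eligible certificate in the Local Computer store) and for the Schannel 36869 event reported earlier in the thread. This is example PowerShell written for this page, not code from the thread or from Microsoft; the DC name dc02.example.local is a constructed placeholder and the script is meant to run on the domain controller itself.

```powershell
# Added example, not from the thread: list every certificate in the Local Computer
# "Personal" store with the properties KB938703 step 1 requires, flag the step-3
# condition (more than one eligible cert), and pull recent Schannel 36869 events.
# $DcFqdn is a constructed placeholder; replace it with the DC's real FQDN.
param([string]$DcFqdn = 'dc02.example.local')

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU that LDAPS needs
$now = Get-Date

function Test-ServerAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $serverAuthOid) { return $true }
            }
        }
    }
    return $false
}

$report = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        DnsName       = $dnsName
        NameMatches   = ($dnsName -ieq $DcFqdn)
        ServerAuth    = (Test-ServerAuthEku $cert)
        HasPrivateKey = $cert.HasPrivateKey     # $false here is what event 36869 reports
        Expired       = ($cert.NotAfter -lt $now -or $cert.NotBefore -gt $now)
    }
}
$report | Select-Object Thumbprint, DnsName, NameMatches, ServerAuth, HasPrivateKey, Expired | Format-Table -AutoSize

# Schannel takes the first valid Server Authentication cert it finds, so more than one is a problem.
$eligible = @($report | Where-Object { $_.ServerAuth -and -not $_.Expired })
if ($eligible.Count -gt 1) {
    Write-Warning "$($eligible.Count) certificates carry the Server Authentication EKU; Schannel may pick the wrong one (KB938703 step 3)."
}
$eligible | Where-Object { -not $_.HasPrivateKey } | ForEach-Object {
    Write-Warning "Certificate $($_.Thumbprint) has no private key attached (matches Schannel event 36869)."
}

# Recent Schannel 36869 events from the System log; Get-EventLog is available in PowerShell 2.0.
Get-EventLog -LogName System -Source Schannel -Newest 200 -ErrorAction SilentlyContinue |
    Where-Object { $_.EventID -eq 36869 } |
    Select-Object TimeGenerated, EventID, Message
```

    A certificate that shows NameMatches, ServerAuth and HasPrivateKey as True with Expired False is the one Schannel should be using; any other row with ServerAuth True is a candidate for removal from that store, as the thread's resolution describes.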
  • Hi,

    Glad to hear the information I provided was useful. If you have more questions in the future, you're welcome to post in this forum.

    Have a nice day!

    Tuesday, December 13, 2011 4:36 AM