Error Enabling LDAP over SSL

  • Question

  • I just upgraded our domain to Windows 2008 R2. We have a need to enable LDAP over SSL in our environment, so I created and submitted a certificate request to a 3rd party CA using the instructions provided in this Microsoft KB article: http://support.microsoft.com/kb/321051

    When it came to importing the signed certificate from the CA, the above KB article references a new procedure/method for 2008 and newer in which it states to "add the certificate to the NTDS service's Personal certificate store". It then references this article for instructions on how to do this: http://technet.microsoft.com/en-us/library/dd941846(WS.10).aspx

    I followed the instructions in the above article, but when I tried to confirm LDAP over SSL was configured properly by using the LDP.exe utility, I get an error:

    ld = ldap_sslinit("dc1.valleycare.us", 636, 1);
    Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
    Error 81 = ldap_connect(hLdap, NULL);
    Server error: <empty>
    Error <0x51>: Fail to connect to dc1.valleycare.us.
    

    Additionally, there are events being logged in the System event log:

    Log Name:   System
    Source:    Schannel
    Date:     6/8/2011 4:47:03 PM
    Event ID:   36888
    Task Category: None
    Level:     Error
    Keywords:   
    User:     
    Computer:   DC1
    Description:
    The following fatal alert was generated: 48. The internal error state is 552.
    
    Log Name:   System
    Source:    Schannel
    Date:     6/8/2011 4:47:03 PM
    Event ID:   36882
    Task Category: None
    Level:     Error
    Keywords:   
    User:     
    Computer:   DC1.valleycare.us
    Description:
    The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.

    When I contacted the 3rd party CA (Thawte) for support, they weren't aware of Microsoft's recommendation to use the NTDS service's Personal certificate store for 2008 and above. They suggested using the method used for older OS's and putting it in the local machine's Personal store. They also mentioned that I need to add their certificates to the Intermediate Certificate Store, but there was no mention of that in Microsoft's KB article.

    Can anyone help me out with this issue?

    Thank you.

    Thursday, June 9, 2011 3:46 AM

All replies

  • Anyone just want to confirm how they imported 3rd party SSL certs in order to enable LDAP over SSL on 2008 R2?
    Friday, June 10, 2011 5:03 AM
  • I have the same issue as well. Any help on this would be great.

    Thanks in advance.

    Friday, August 24, 2012 5:59 AM
  • as you can see from the error message, the root CA (of the chain that issued the certificate) is not trusted by the computer. verify that the third-party ROOT CA is installed in the Local Computer's Trusted Root Certification Authorities, on both the DC and the client from which you try connecting.

    ondrej.

    Sunday, August 26, 2012 1:24 PM
  • as you can see from the error message, the root CA (of the chain that issued the certificate) is not trusted by the computer. verify that the third-party ROOT CA is installed in the Local Computer's Trusted Root Certification Authorities, on both the DC and the client from which you try connecting.

    ondrej.

    I'm having the same issue and I've verified that the root CA and all intermediates are trusted.  I've also enabled Schannel logging, with logging value  at 7, which was useless when trying to determine the cause of the error.

    Anyone figure out the cause of this event?

    Wednesday, May 15, 2013 12:20 PM
  • you said that the DC cert has been issued by a third party CA. please, open the certificate and verify what CAs are in its chain. you need to have the root CA in Trusted Root Certification Authorities, while all the intermediate CAs (if any) in the Intermediate Certification Authorities.

    I would also go first with putting all the certificates into the Local Computer certificate store instead of the NTDS service's and try that.

    you also need to be able to verify the DC's certificate revocation for local system. you can do it with the commands found in my article:

    http://www.sevecek.com/EnglishPages/Lists/Posts/Post.aspx?ID=13

    ondrej.

    Wednesday, May 15, 2013 2:16 PM
  • if you are testing with LDP, the CA must also be trusted on the client part and its revocation must be available as well on the client part.

    ondrej.

    Wednesday, May 15, 2013 2:17 PM
  • I've verified the certificate chain and the certificate is in the local computer store.

    I'm able to connect from a client that trusts the same root CA.  

    The errors still occur in the event log.

    Wednesday, May 15, 2013 2:21 PM
  • would you be able to verify that the certificate is really in RSA Schannel Cryptographic Services Provider on the DC:

    CERTUTIL -repairstore my *

    and lookup the field called Provider:

    ondrej.

    Thursday, May 16, 2013 2:52 PM
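    The checks ondrej asks for in the two replies above (chain and revocation from the client, key provider on the DC), as an added PowerShell example that is not part of the thread. The hostname dc1.example.local is a placeholder; the functions assume Windows PowerShell on a machine that can reach the DC on 636 and, for the second function, that it runs on the DC itself.

```powershell
# Added example, not from the thread. Client side: connect to the DC on 636 the way
# LDP.exe does, then rebuild and validate the chain with online revocation checking,
# so an untrusted root, a missing intermediate or an unreachable CRL is named
# explicitly instead of surfacing only as Schannel 36882 / LDP error 0x51.
# $DcName is a placeholder; replace it with your DC's FQDN.
function Test-LdapsChain {
    param([string]$DcName = 'dc1.example.local', [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($DcName, $Port)
    # Accept any server cert at handshake time; validation is done explicitly below.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($DcName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'   # revocation must be checkable, as ondrej notes
    $trusted = $chain.Build($cert)
    [pscustomobject]@{
        Server      = $DcName
        Subject     = $cert.Subject
        Chain       = ($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
        Trusted     = $trusted
        # Empty when the chain is good; otherwise entries such as UntrustedRoot,
        # PartialChain (missing intermediate) or RevocationStatusUnknown/OfflineRevocation.
        ChainStatus = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" })
    }
}

# DC side: find the Server Authentication certificate in the machine Personal store
# and report which key provider holds its private key. Schannel needs the key in
# "Microsoft RSA SChannel Cryptographic Provider" (the Provider field certutil -repairstore my * shows).
function Get-LdapsServerCertificate {
    $fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList | ForEach-Object ObjectId) -contains '1.3.6.1.5.5.7.3.1' -and
        ($_.DnsNameList | ForEach-Object Unicode) -contains $fqdn
    } | ForEach-Object {
        # .PrivateKey is populated for legacy CSP keys; CNG-stored keys return $null or throw here.
        $provider = $(try { $_.PrivateKey.CspKeyContainerInfo.ProviderName } catch { $null })
        [pscustomobject]@{
            Subject    = $_.Subject
            Thumbprint = $_.Thumbprint
            NotAfter   = $_.NotAfter
            Provider   = if ($provider) { $provider } else { 'not a CSP key (check with certutil -repairstore my *)' }
        }
    }
}
```

    Run Test-LdapsChain from the client that sees the error and Get-LdapsServerCertificate on the DC; a non-empty ChainStatus or a Provider other than the RSA SChannel provider points at the store or key-provider problem discussed above.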
  • I did, and it is.
    Thursday, May 16, 2013 3:11 PM
  • then sorry, I have completely run out of any ideas :-( that would be passable this way remotely.

    ondrej.

    Thursday, May 16, 2013 3:15 PM