Monday, July 16, 2007

Unable to connect to Active Directory via LDP on port 636

I am able to connect with ldp via port 389. I have run netstat/netdiag/and dcdiag with no issues.

However, when I try to connect using LDP via 636 and using an IP address as the server, I receive the following error:
ld = ldap_open("M.Y.I.P", 636);
Error <0x51>: Fail to connect to M.Y.I.P.

This says that this is by design:
http://support.microsoft.com/kb/814662

This indicates the problem is likely name resolution:
http://forum.java.sun.com/thread.jspa?threadID=645000&messageID=3824603

That works from the server using windowsdomain.domain.org. Still cannot connect via remote client.

This link:
http://www.pgina.org/?page_id=6
indicates that if you can connect via 389 but not 636 then you have a certificate problem.

The server event logs showed:
Event Type: Error
Event Source: Schannel
Event Category: None
Event ID: 36869
Date: 7/16/2007
Time: 7:31:05 PM
User: N/A
Computer: SERVER
Description:
The SSL client credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.

I reinstalled the certificate from server/certsrv and still get the same "unable to connect" error, but now I no longer get any event log messages.

This post
http://www.eggheadcafe.com/aspnet_answers/windowsserveractive_directory/May2006/post26947443.asp
suggests looking in the client machine's event log, duh...
Event Type: Error
Event Source: Schannel
Event Category: None
Event ID: 36884
Date: 7/16/2007
Time: 8:03:44 PM
User: N/A
Computer: ME
Description:
The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is windowsdomain.domain.org. The SSL connection request has failed. The attached data contains the server certificate.

This tells you how to enable events in schannel:
http://support.microsoft.com/?id=260729

However, none of this explains how to fix the actual problem. How do you verify/change the name on the certificate that the server issues? It seems that ldp wants it to be the same FQDN that you use to address the server. However, that cannot be how mine is named, as I get the same error message when I tell the remote ldp client to use windowsdomain.domain.org.

Got it - from a remote machine, you have to use servername.windowsdomain.domain.org, a.k.a. the FQDN - dimwit.
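A way to reproduce that name check yourself, as an added example (not from the original post, and not Microsoft's code): it takes a certificate in the parsed form Python's ssl module returns and reports whether the name the client connected with appears in it, which approximates what Schannel decides before logging event 36884. The check_ldaps() helper, the cafile path and the DC_CERT sample are assumptions.

```python
"""Approximate the LDAPS certificate name check behind Schannel event 36884.

Added example; not from the original post. check_ldaps() assumes the issuing
CA's certificate (exported from the DC's certsrv) is available as a PEM file,
so the chain verifies and only the name comparison is left to us.
"""
import socket
import ssl
from typing import Iterable


def cert_names(cert: dict) -> list:
    """dNSName SAN entries, or the subject CN if the certificate has no SAN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return names


def name_matches(expected: str, names: Iterable[str]) -> bool:
    """Case-insensitive exact match, or one wildcard covering the leftmost label."""
    host = expected.lower().rstrip(".")
    for name in names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def diagnose(expected: str, cert: dict) -> str:
    """Return OK, or the mismatch message a client would log as event 36884."""
    names = cert_names(cert)
    if name_matches(expected, names):
        return "OK: certificate covers %s" % expected
    return "MISMATCH: client expected %s, certificate offers %s" % (expected, names)


def check_ldaps(server: str, cafile: str, port: int = 636) -> str:
    """Connect to the DC on 636, verify the chain against cafile, then run diagnose()."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False           # we report the name mismatch ourselves
    ctx.verify_mode = ssl.CERT_REQUIRED  # getpeercert() only returns a dict when verified
    with socket.create_connection((server, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server) as tls:
            return diagnose(server, tls.getpeercert())


# Constructed stand-in for the DC certificate in the post: subject CN only, no SAN.
DC_CERT = {"subject": ((("commonName", "servername.windowsdomain.domain.org"),),)}
```

Run check_ldaps("servername.windowsdomain.domain.org", "ca.pem") against the DC, then the same call with the short domain name or the IP, to see the OK and MISMATCH outcomes described above.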

This is ugly, as that is not a DNS A record I want floating around out there. How to change Microsoft Certificate Services to issue a friendlier name, e.g. ldap.domain.org...?

This says you cannot change the name:
http://articles.techrepublic.com.com/5100-6345_11-5643908.html
