I have a domain controller, which has Active Directory (AD). I want to turn on LDAPS on this AD, so that I could access the AD via secure connection. I have followed the following guide: http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

I have done everything in "Publishing a Certificate that Supports Server Authentication" and "Exporting the LDAPS Certificate and Importing for use with AD DS". When I try to netstat, I can see that port 636 is open, but its IP address is 0.0.0.0, which supposedly means that it cannot be accessed from outside. The plain LDAP does work and I can both connect to it and see it in netstat as open both for 0.0.0.0 and my domain controller's IP address, but I cannot access the domain controller via LDAPS.

What is the problem? Have I missed some step in this guide? What do I need to do extra? I have tested LDAP and LDAPS connection with Active Directory Administration Tool.

This is the output I get from LDP.EXE:

ld = ldap_sslinit("10.165.0.10", 636, 1);
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to 10.165.0.10.
Jonas Hoffmann
    0.0.0.0 means all interfaces, can you telnet port 636? – dawud Mar 23 '15 at 23:18
  • @dawud yes, I can. – Jonas Hoffmann Mar 24 '15 at 06:44
  • Have you tried manually connecting to the AD LDAPS endpoint and retrieving the certificates? (by means of a command line client) Have you tried binding locally and remotely? From what you say, the service is listening on all interfaces and you should be able to use it. – dawud Mar 24 '15 at 07:34
  • @dawud Well, I used AD Administration Tool to connect to my AD both via LDAP and LDAPS. Do you mean something else? If yes, please provide information on how to do that or where to find more information. What do you mean by saying to bind locally and remotely? I did try to connect to AD from another computer. – Jonas Hoffmann Mar 24 '15 at 08:15
  • I have updated my original post with extra information. I also tried to connect to LDAPS from the domain controller itself, but it is the same error. – Jonas Hoffmann Mar 24 '15 at 08:25
  • Nevermind, I did find what the problem was. Read my answer. – Jonas Hoffmann Mar 24 '15 at 09:20

2 Answers

The problem was that I used the IP address when trying to connect, while the certificate was issued for a DNS name. Now it works.

Jonas Hoffmann

Our company worked on this for 2 weeks. I've read hundreds of articles on this issue. In the end it was a cert name mismatch. The only thing our application was seeing was error 81. The worst part: LDP.exe was successfully authenticating. Even our web services would properly authenticate, but our application, the second it got the ACK RST from the LDAP server, would instantly error 81. We used hosts files on the Windows server to match the IP to the DNS name expected and it started working.
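Both answers come down to the same TLS rule: a verifying client only accepts the server certificate if the name it dialled is present in the certificate, and an IP literal is only ever matched against an "IP Address" subjectAltName entry, never against a DNS entry or the CN. The following is an added example, not code from the original post or from Microsoft's tooling; `cert_matches` performs that name check offline on a constructed certificate dictionary in the shape returned by `ssl.SSLSocket.getpeercert()`, and `probe_ldaps` runs the real check against a live LDAPS port (this is the "connect manually and retrieve the certificate" step suggested in the comments). The host names and certificate contents are placeholders, not values from the question.

```python
"""Reproduce the LDAPS "error 81" name-mismatch diagnosis from the answers above.

A TLS client accepts a server certificate for the name it dialled only if:
  - an IP literal appears in an "IP Address" subjectAltName entry, or
  - a DNS name appears in a "DNS" subjectAltName entry (or, when the cert
    has no SAN at all, in the subject commonName).
Dialling 10.165.0.10 therefore fails when the certificate was issued for the
domain controller's DNS name only, even though port 636 is listening.
"""
import ipaddress
import socket
import ssl

# Constructed example (placeholder names, not from the original post), shaped
# like ssl.SSLSocket.getpeercert(): a cert issued to the DC's DNS name only.
DC_CERT = {
    "subject": ((("commonName", "dc01.corp.example"),),),
    "subjectAltName": (
        ("DNS", "dc01.corp.example"),
        ("DNS", "corp.example"),
    ),
}


def _dns_match(pattern, hostname):
    """Case-insensitive DNS match allowing one wildcard in the leftmost label."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern == hostname:
        return True
    if pattern.startswith("*."):
        plabels, hlabels = pattern.split("."), hostname.split(".")
        return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]
    return False


def cert_matches(cert, name):
    """Return (ok, reason): would a verifying client accept `cert` for `name`?"""
    try:
        ip = ipaddress.ip_address(name)
    except ValueError:
        ip = None
    san = cert.get("subjectAltName", ())
    if ip is not None:
        # An IP literal is compared only with IP Address SAN entries.
        ips = [v for k, v in san if k == "IP Address"]
        if any(ipaddress.ip_address(v) == ip for v in ips):
            return True, "IP address present in subjectAltName"
        return False, f"no IP Address SAN for {name}; dial the DNS name instead"
    dns = [v for k, v in san if k == "DNS"]
    if dns:
        if any(_dns_match(p, name) for p in dns):
            return True, "DNS name present in subjectAltName"
        return False, f"{name} not among subjectAltName DNS entries {dns}"
    # No SAN at all: legacy fallback to the subject commonName.
    cns = [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]
    if any(_dns_match(cn, name) for cn in cns):
        return True, "matched subject CN (certificate has no SAN)"
    return False, f"{name} matches neither SAN nor CN {cns}"


def probe_ldaps(host, port=636, timeout=5):
    """Live check (needs network; not part of the offline test): open a fully
    verified TLS session to the LDAPS port and report the verdict. This is
    the same verification an LDAP client performs before it can bind, so a
    failure here is the root cause behind a client-side error 81."""
    ctx = ssl.create_default_context()  # check_hostname=True, system CA store
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return cert_matches(tls.getpeercert(), host)
    except ssl.SSLCertVerificationError as exc:
        return False, f"TLS verification failed: {exc.verify_message}"
    except OSError as exc:
        return False, f"connection failed: {exc}"


if __name__ == "__main__":
    for dialled in ("10.165.0.10", "dc01.corp.example"):
        print(dialled, cert_matches(DC_CERT, dialled))
```

Run against the constructed certificate, dialling the IP address fails and dialling the DNS name succeeds, which is exactly the difference the first answer found. The hosts-file workaround in the second answer works for the same reason: it lets the client dial the certified DNS name while still reaching the intended address. The cleaner fix, where the IP must be used, is to reissue the certificate with an "IP Address" SAN entry; `probe_ldaps` also requires the issuing CA to be trusted on the client, so it surfaces an untrusted-issuer problem as well as a name mismatch.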