Microsoft KB Archive/938703

= How to troubleshoot LDAP over SSL connection problems =

Article ID: 938703

Article Last Modified on 8/13/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition (32-bit x86)
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server
 * Microsoft Windows 2000 Datacenter Server

-



INTRODUCTION
This article discusses how to troubleshoot LDAP over SSL (LDAPS) connection problems.



MORE INFORMATION
To troubleshoot LDAPS connection problems, follow these steps.

Step 1: Verify the Server Authentication certificate
Make sure that the Server Authentication certificate that you use meets the following requirements:

 * The Active Directory fully qualified domain name of the domain controller appears in one of the following locations:
   * The common name (CN) in the Subject field
   * A DNS entry in the Subject Alternative Name (SAN) extension
 * The enhanced key usage extension includes the Server Authentication object identifier (1.3.6.1.5.5.7.3.1).
 * The associated private key is available on the domain controller. To verify that the key is available, use the certutil -verifykeys command.
 * The certificate chain is valid on the client computer. To determine whether the certificate is valid, follow these steps:
   1. On the domain controller, use the Certificates snap-in to export the SSL certificate to a file that is named Serverssl.cer.
   2. Copy the Serverssl.cer file to the client computer.
   3. On the client computer, open a Command Prompt window.
   4. At the command prompt, type the following command to send the command output to a file that is named Output.txt:

certutil -v -urlfetch -verify serverssl.cer > output.txt

Note To follow this step, you must have the Certutil command-line tool installed. For more information about how to obtain Certutil and about how to use Certutil, visit the following Microsoft Web sites:

Understanding user key recovery

http://technet2.microsoft.com/windowsserver/en/library/237d6abc-d0c0-454a-9b72-e3955664e3d31033.mspx?mfr=true

How to use the latest version of Certutil on non-Windows Server 2003 computers

http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/webenroll.mspx#EBCBG

   5. Open the Output.txt file, and then search for errors.

Step 2: Verify the Client Authentication certificate
In some cases, LDAPS uses a Client Authentication certificate if it is available on the client computer. If such a certificate is available, make sure that the certificate meets the following requirements:

 * The enhanced key usage extension includes the Client Authentication object identifier (1.3.6.1.5.5.7.3.2).
 * The associated private key is available on the client computer. To verify that the key is available, use the certutil -verifykeys command.
 * The certificate chain is valid on the domain controller. To determine whether the certificate is valid, follow these steps:
   1. On the client computer, use the Certificates snap-in to export the client SSL certificate to a file that is named Clientssl.cer.
   2. Copy the Clientssl.cer file to the server.
   3. On the server, open a Command Prompt window.
   4. At the command prompt, type the following command to send the command output to a file that is named Outputclient.txt (the file that is verified is the exported client certificate, Clientssl.cer):

certutil -v -urlfetch -verify clientssl.cer > outputclient.txt

   5. Open the Outputclient.txt file, and then search for errors.

Step 3: Check for multiple SSL certificates
Determine whether multiple SSL certificates meet the requirements that are described in step 1. Schannel (the Microsoft SSL provider) selects the first valid certificate that Schannel finds in the Local Computer store. If multiple valid certificates are available in the Local Computer store, Schannel may not select the correct certificate. A conflict with a certification authority (CA) certificate may occur if the CA is installed on a domain controller that you are trying to access through LDAPS.
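The following PowerShell script is an added example and is not part of the KB article. It lists every certificate in the Local Computer personal store on the domain controller and checks each one against the Step 1 requirements (FQDN in the Subject CN or a SAN DNS entry, Server Authentication EKU, private key present, chain builds), so that the Step 3 condition, more than one eligible certificate, is visible at a glance. It assumes PowerShell 3.0 or later with the Cert: provider; the OIDs for the SAN and EKU extensions (2.5.29.17 and 2.5.29.37) and the use of Win32_ComputerSystem to derive the FQDN are this example's own choices, not the article's.

```powershell
# Added example, not from the KB article. Lists every certificate in the
# Local Computer personal store and checks it against the Step 1 requirements.
# Run in an elevated PowerShell (3.0 or later) prompt on the domain controller.
# If more than one certificate passes, Step 3 applies: Schannel takes the first
# valid certificate it finds, which may not be the one you intended.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (from Step 1)
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension
$EkuOid        = '2.5.29.37'           # Enhanced Key Usage extension

# Active Directory FQDN of this domain controller (host name + DNS domain).
$cs   = Get-WmiObject -Class Win32_ComputerSystem
$Fqdn = '{0}.{1}' -f $cs.DNSHostName, $cs.Domain

$results = foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
    # Names this certificate is issued for: Subject CN plus any SAN DNS entries.
    $names = @()
    $cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    if ($san) {
        # Format($true) renders one entry per line, e.g. "DNS Name=dc01.corp.example.com"
        $names += ($san.Format($true) -split "`r?`n") | ForEach-Object {
            if ($_ -match '^\s*DNS Name=(.+)$') { $Matches[1].Trim() }
        }
    }

    # The EKU extension must contain Server Authentication. .NET exposes OID
    # 2.5.29.37 as X509EnhancedKeyUsageExtension with an OID collection.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid }
    $hasServerAuth = $false
    if ($eku) {
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
    }

    # Chain check as seen from the DC itself. Step 1 also requires the chain to
    # validate on the client; the article's certutil -verify step covers that.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        NameMatches   = ($names -contains $Fqdn)
        ServerAuthEku = $hasServerAuth
        HasPrivateKey = $cert.HasPrivateKey     # approximates certutil -verifykeys
        ChainBuilds   = $chainOk
        ChainStatus   = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        NotAfter      = $cert.NotAfter
    }
}

$results | Format-Table -AutoSize

$eligible = @($results | Where-Object {
    $_.NameMatches -and $_.ServerAuthEku -and $_.HasPrivateKey -and $_.ChainBuilds
})
"Certificates that meet the Step 1 requirements for ${Fqdn}: $($eligible.Count)"
if ($eligible.Count -gt 1) {
    'Step 3 applies: more than one eligible certificate is present; Schannel may not select the one you expect.'
}
```

A certificate that shows NameMatches, ServerAuthEku and HasPrivateKey as True but ChainBuilds as False usually points at a missing or untrusted intermediate or root on the domain controller; the ChainStatus column carries the reason (for example PartialChain or RevocationStatusUnknown). A CA certificate installed on the same domain controller, as described in Step 3, shows up in this listing too, which is how the conflict the article mentions becomes visible.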

Step 4: Verify the LDAPS connection on the server
Use the Ldp.exe tool on the domain controller to try to connect to the server by using port 636. If you cannot connect to the server by using port 636, see the errors that Ldp.exe generates. Also, view the Event Viewer logs to find errors. For more information about how to use Ldp.exe to connect to port 636, click the following article number to view the article in the Microsoft Knowledge Base:

321051 How to enable LDAP over SSL with a third-party certification authority

Step 5: Enable Schannel logging
Enable Schannel event logging on the server and on the client computer. For more information about how to enable Schannel event logging, click the following article number to view the article in the Microsoft Knowledge Base:

260729 How to enable Schannel event logging in IIS

Note If you have to perform SSL debugging on a computer that is running Microsoft Windows NT 4.0, you must use a Schannel.dll file for the installed Windows NT 4.0 service pack and then connect a debugger to the computer. Schannel logging only sends output to a debugger in Windows NT 4.0.
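The following PowerShell script is an added example and is not part of the KB article. It carries out the Step 4 connection test from the client side without Ldp.exe: it performs only a TLS handshake with the domain controller on port 636 (no LDAP bind, no credentials), reports the certificate the server presented and whether its chain validates on the client, and then, as a companion to Step 5, lists the Schannel events recorded in the client's System log during the last ten minutes. It assumes PowerShell 3.0 or later and that Schannel event logging has already been enabled as described in KB 260729; the host name dc01.corp.example.com is a placeholder.

```powershell
# Added example, not from the KB article. Performs a TLS handshake only (no
# LDAP bind, no credentials) with the domain controller on port 636, reports
# what the client sees, then lists recent Schannel events on this client.
# Run on the client computer in PowerShell 3.0 or later.
# $DomainController is a placeholder; use the DC's Active Directory FQDN.
$DomainController = 'dc01.corp.example.com'
$Port             = 636

$script:presented    = $null
$script:policyErrors = $null
# Let the handshake complete regardless of outcome so the presented certificate
# can be captured and examined below; the verdict comes from the chain build.
$capture = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:presented    = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
    $script:policyErrors = $errors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($DomainController, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $capture)
    # The name passed here is what the certificate's CN/SAN is matched against.
    $ssl.AuthenticateAsClient($DomainController)
    'Handshake completed: {0}, cipher {1}' -f $ssl.SslProtocol, $ssl.CipherAlgorithm
} catch {
    "Handshake failed: $($_.Exception.Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Close()
}

if ($script:presented) {
    $cert = $script:presented
    "Server presented: $($cert.Subject), thumbprint $($cert.Thumbprint), expires $($cert.NotAfter)"
    # None, RemoteCertificateNameMismatch, RemoteCertificateChainErrors, ...
    "Policy errors reported during the handshake: $($script:policyErrors)"

    # Same check the article does with certutil -v -urlfetch -verify, on the client.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    if ($chain.Build($cert)) {
        'Certificate chain validates on this client.'
    } else {
        'Certificate chain does NOT validate on this client:'
        $chain.ChainStatus | ForEach-Object { '  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim() }
    }
} else {
    'No server certificate was received (connection refused, or port 636 is not serving TLS).'
}

# Step 5 companion: Schannel events logged on this client in the last 10 minutes.
# Schannel event logging must be enabled first (see KB 260729).
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; StartTime = (Get-Date).AddMinutes(-10) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-List
```

A handshake that completes but reports RemoteCertificateNameMismatch means the FQDN you connect to is not the Subject CN or a SAN DNS entry of the presented certificate (Step 1); RemoteCertificateChainErrors together with the ChainStatus lines identifies which link in the chain the client cannot build. A handshake that fails before any certificate is presented usually means the domain controller never found an eligible certificate, which is the Step 1 and Step 3 situation on the server side, and the matching Schannel events appear in the server's log rather than the client's.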

Keywords: kbexpertiseadvanced kbhowto kbinfo KB938703

-


© Microsoft Corporation. All rights reserved.