Microsoft KB Archive/814662

= You cannot reach a Domain Controller on port 636 with the IP Address using LDP.exe =

Article ID: 814662

Article Last Modified on 3/6/2007

-

APPLIES TO


 * Microsoft Windows 2000 Server
 * Microsoft Windows 2000 Advanced Server

-



SYMPTOMS
When you try to access Active Directory with LDP.exe using SSL (LDAP over port 636), you cannot use the IP address of the domain controller. You have to use its name (either the host name or the FQDN).



CAUSE
This problem occurs because, on the client side, the system compares the name stored in the certificate (the "Subject" and "Subject Alternative Name" fields) with the name specified for the connection (here, the IP address). Because they do not match, authentication fails and the client gets an error.
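The comparison described above, modelled as an added example (not Microsoft's code and not Schannel's actual implementation). The certificate contents and the names `dc01.corp.example.com` and `dc01` are constructed; treating an IP target as matching only an iPAddress SAN entry follows the general rule in RFC 2818 and is an assumption here.

```python
import ipaddress

# Constructed sample certificate names (assumption: the DC certificate
# lists both the FQDN and the short host name, and no IP address).
DC_CERT = {
    "subject_cn": "dc01.corp.example.com",
    "san": [("DNS", "dc01.corp.example.com"), ("DNS", "dc01")],
}


def parse_ip(target):
    """Return an ip_address object if target is an IP literal, else None."""
    try:
        return ipaddress.ip_address(target)
    except ValueError:
        return None


def normalize(name):
    """DNS names compare case-insensitively; ignore a trailing root dot."""
    return name.lower().rstrip(".")


def check_server_name(cert, target):
    """Compare the connection target with the names in the certificate.

    Returns (ok, reason). DNS targets are checked against the Subject CN
    and dNSName SAN entries; IP targets only against iPAddress entries.
    """
    wanted_ip = parse_ip(target)
    if wanted_ip is not None:
        for kind, value in cert["san"]:
            if kind == "IP" and parse_ip(value) == wanted_ip:
                return True, "matched iPAddress SAN entry"
        return False, "certificate does not contain expected name " + target

    names = [cert["subject_cn"]] + [v for k, v in cert["san"] if k == "DNS"]
    if normalize(target) in {normalize(n) for n in names}:
        return True, "matched DNS name"
    return False, "certificate does not contain expected name " + target


if __name__ == "__main__":
    for target in ("192.168.0.1", "dc01", "DC01.corp.example.com"):
        print(target, check_server_name(DC_CERT, target))
```

The IP target fails because an address string is never compared against the DNS names the certificate carries, which is the mismatch reported in the Schannel event.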



RESOLUTION
Instead of using the IP address to reach the domain controller, use its name (either host name or FQDN).



STATUS
This behavior is by design.



MORE INFORMATION
With Schannel.dll event logging set to high, you can see the following event:

Event Type: Error

Event Source: Schannel

Event Category: None

Event ID: 36884

Date: 11/02/2003

Time: 11:11:00

User: N/A

Computer: WORKSTATION

Description: The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is 192.168.0.1. The SSL connection request has failed. The attached data contains the server certificate.

To activate the verbose mode in event logging for Schannel.dll, you may need to get the checked version of Schannel.dll from Microsoft support.

Keywords: kbcertservices kbinfo kbactivedirectory KB814662


© Microsoft Corporation. All rights reserved.