Microsoft KB Archive/296975

= Unable to Connect to a Domain Controller by Using LDAP Connection over SSL =

Article ID: 296975

Article Last Modified on 3/1/2007

-

APPLIES TO


 * Microsoft Windows 2000 Service Pack 1
 * Microsoft Windows 2000 Advanced Server

-



This article was previously published under Q296975



SYMPTOMS
When you try to establish a Lightweight Directory Access Protocol (LDAP) connection to a domain controller over Secure Sockets Layer (SSL), the connection may be unsuccessful. This happens when the CRL Distribution Point (CDP) path in the domain controller's certificate is an LDAP URL rather than an HTTP URL.



CAUSE
This behavior can occur because, to set up the SSL connection, the client must validate the domain controller's SSL certificate. Part of this process is checking the Certificate Revocation List (CRL) to see whether the certificate has been revoked. If the CRL is not already cached on the client, the client must query Active Directory to retrieve it.

In this instance, SChannel.dll does not receive the default credentials of the client and therefore cannot make an authenticated connection to Active Directory to check the CRL. As a result, the certificate is treated as invalid and the SSL connection is not established.
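The failure described above hinges on what the certificate's CRL Distribution Points extension contains. The following Python is an added example, not code from the article or from Microsoft: it parses a DER-encoded CRLDistributionPoints extension value (RFC 5280 section 4.2.1.13) using only the standard library, extracts the URIs, and classifies the result as LDAP-only (the configuration this article describes, where an unauthenticated client cannot fetch the CRL) or as having an HTTP distribution point. The CA name, host names and directory path in the sample values are constructed for illustration.

```python
"""Inspect a CRLDistributionPoints extension value and flag LDAP-only CDPs."""
from urllib.parse import urlparse

# ASN.1 DER tags used inside CRLDistributionPoints (RFC 5280, 4.2.1.13)
TAG_SEQUENCE = 0x30
TAG_CTX0_CONSTRUCTED = 0xA0  # distributionPoint [0] and fullName [0]
TAG_URI = 0x86               # GeneralName uniformResourceIdentifier [6]

# Constructed sample values: the typical Active Directory LDAP CDP shape used by
# an enterprise CA, and an HTTP CDP that any client can reach anonymously.
LDAP_CDP = ("ldap:///CN=Example%20CA,CN=DC1,CN=CDP,CN=Public%20Key%20Services,"
            "CN=Services,CN=Configuration,DC=example,DC=com"
            "?certificateRevocationList?base?objectClass=cRLDistributionPoint")
HTTP_CDP = "http://ca.example.com/CertEnroll/Example%20CA.crl"


def der_read_tlv(buf, pos):
    """Read one DER tag-length-value triple at buf[pos].

    Returns (tag, value_bytes, next_pos); handles short and long-form lengths.
    """
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: low 7 bits = byte count
        num_bytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + num_bytes], "big")
        pos += num_bytes
    return tag, buf[pos:pos + length], pos + length


def der_children(value):
    """Yield (tag, value) for each element inside a constructed DER value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_read_tlv(value, pos)
        yield tag, inner


def cdp_urls(extension_value):
    """Return every URI found in a DER-encoded CRLDistributionPoints value."""
    outer_tag, points, _ = der_read_tlv(extension_value, 0)
    if outer_tag != TAG_SEQUENCE:
        raise ValueError("CRLDistributionPoints must be a SEQUENCE")
    urls = []
    for tag, point in der_children(points):          # SEQUENCE OF DistributionPoint
        if tag != TAG_SEQUENCE:
            continue
        for field_tag, field in der_children(point):
            if field_tag != TAG_CTX0_CONSTRUCTED:    # only distributionPoint [0]
                continue
            for name_tag, names in der_children(field):
                if name_tag != TAG_CTX0_CONSTRUCTED:  # only fullName [0] GeneralNames
                    continue
                for gn_tag, gn in der_children(names):
                    if gn_tag == TAG_URI:             # uniformResourceIdentifier
                        urls.append(gn.decode("ascii"))
    return urls


def assess_cdp(urls):
    """Classify the CDP list by what an unauthenticated client can fetch.

    'ldap-only' is the case in this article: the CRL is reachable only through
    an LDAP URL, which needs an authenticated connection to Active Directory.
    """
    schemes = {urlparse(u).scheme.lower() for u in urls}
    if "http" in schemes:
        return "http-available"
    if "ldap" in schemes:
        return "ldap-only"
    return "no-cdp"


def der(tag, payload):
    """Encode one TLV, using long-form length when the payload is >= 128 bytes."""
    n = len(payload)
    if n < 128:
        length = bytes([n])
    else:
        length_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(length_bytes)]) + length_bytes
    return bytes([tag]) + length + payload


def sample_extension(urls):
    """Build a constructed CRLDistributionPoints value holding the given URIs."""
    points = b"".join(
        der(TAG_SEQUENCE,
            der(TAG_CTX0_CONSTRUCTED,
                der(TAG_CTX0_CONSTRUCTED, der(TAG_URI, u.encode("ascii")))))
        for u in urls)
    return der(TAG_SEQUENCE, points)


if __name__ == "__main__":
    for label, urls in (("LDAP only", [LDAP_CDP]), ("LDAP + HTTP", [LDAP_CDP, HTTP_CDP])):
        found = cdp_urls(sample_extension(urls))
        print(f"{label}: {assess_cdp(found)} -> {found}")
```

The same `cdp_urls` walk applies to the extension value taken from a real domain controller certificate (OID 2.5.29.31); a verdict of `ldap-only` is the condition that, on the affected Windows 2000 builds, leaves SChannel.dll with no anonymously reachable CRL and so causes the handshake failure described above.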



RESOLUTION
To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack



STATUS
Microsoft has confirmed that this is a problem in Microsoft Windows 2000. This problem was first corrected in Windows 2000 Service Pack 2.

Keywords: kbbug kbfix kbwin2000presp2fix kbqfe KB296975

-


© Microsoft Corporation. All rights reserved.