Microsoft KB Archive/932834

= You may be unable to connect to a Windows Server 2003-based domain controller by using LDAP over an SSL connection =

Article ID: 932834

Article Last Modified on 10/11/2007

-

APPLIES TO


 * Microsoft Windows Server 2003, Standard Edition (32-bit x86)
 * Microsoft Windows Server 2003, Enterprise Edition
 * Microsoft Windows Server 2003, Datacenter Edition (32-bit x86)
 * Microsoft Windows Server 2003, Standard x64 Edition
 * Microsoft Windows Server 2003, Enterprise x64 Edition
 * Microsoft Windows Server 2003, Datacenter x64 Edition
 * Microsoft Windows Server 2003, Enterprise Edition for Itanium-based Systems
 * Microsoft Windows Server 2003, Datacenter Edition for Itanium-Based Systems

-



SYMPTOMS
When an expired certificate is renewed on a Windows Server 2003-based domain controller, you may be unable to connect to the domain controller by using the Lightweight Directory Access Protocol (LDAP) over a Secure Sockets Layer (SSL) connection.

When this problem occurs, the following event may be logged in the System log: Event Type: Error

Event Source: Schannel

Event Category: None

Event ID: 36876

Description:

The certificate received from the remote server has not validated correctly. The error code is 0x80090328. The SSL connection request has failed. The attached data contains the server certificate.



CAUSE
This problem occurs because the domain controller continues to use the expired certificate until the domain controller restarts.



Hotfix information
A supported hotfix is now available from Microsoft. However, this hotfix is intended to correct only the problem that is described in this article. Apply this hotfix only to systems that are experiencing this specific problem. This hotfix might receive additional testing. Therefore, if you are not severely affected by this problem, we recommend that you wait for the next Windows Server 2003 service pack that contains this hotfix.

To resolve this problem, submit a request to Microsoft Online Customer Services to obtain the hotfix. To submit an online request to obtain the hotfix, visit the following Microsoft Web site:

http://go.microsoft.com/?linkid=6294451

Note If additional issues occur or any troubleshooting is required, you might have to create a separate service request. The usual support costs will apply to additional support questions and issues that do not qualify for this specific hotfix. To create a separate service request, visit the following Microsoft Web site:

http://support.microsoft.com/contactus/?ws=support

Prerequisites
To apply this hotfix, you must have Windows Server 2003 Service Pack 1 or Windows Server 2003 Service Pack 2 installed. For more information, click the following article number to view the article in the Microsoft Knowledge Base:

889100 How to obtain the latest service pack for Windows Server 2003

Restart requirement
You must restart the computer after you apply this hotfix.

Hotfix replacement information
This hotfix replaces hotfix 917268. For more information about hotfix 917268, click the following article number to view the article in the Microsoft Knowledge Base:

917268 You may not be able to use LDAP over an SSL connection to connect to a domain controller when the domain controller is running Windows Server 2003 Service Pack 1

File information
The English version of this hotfix has the file attributes (or later file attributes) that are listed in the following table. The dates and times for these files are listed in Coordinated Universal Time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time item in Control Panel.

Windows Server 2003 with Service Pack 1, Itanium-based versions


WORKAROUND
To work around this problem, restart the domain controller.



STATUS
Microsoft has confirmed that this is a problem in the Microsoft products that are listed in the &quot;Applies to&quot; section.



MORE INFORMATION
This hotfix lets the domain controller automatically use a valid domain controller certificate when the previous certificate expires. This process does not require administrative action. Additionally, this process does not interrupt services or applications that depend on the domain controller certificate.

