LDAPS to AD DC Fails

Issue

I was asked to look at an issue with a print management solution that was unable to query Active Directory over LDAPS (LDAP over SSL/TLS). The software runs on a non-domain-joined Windows Server 2016 machine and queries a Windows Server 2016 Active Directory domain controller.

LDP connections failed with “Cannot open connection”.


ld = ldap_open("labdc01.x500.co.uk", 636);

Error <0x51>: Fail to connect to labdc01.x500.co.uk.


Troubleshooting

From the client (the non-domain joined machine):

  • Plain (non-TLS) LDAP connections could be established using both the IP address and the FQDN.
  • The Enterprise Root CA certificate for the x500.co.uk domain was installed in the Trusted Root Certification Authorities store on the machine.
  • Telnet to LABDC01 on port 636 was successful.

When the LDP connection failed, the following was logged on the client.

Event ID 36884, Schannel:

“The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is labdc01. The TLS connection request has failed. The attached data contains the server certificate.”


Cause

Notice that the server name in the error above is not the FQDN: the client expected labdc01 rather than labdc01.x500.co.uk.

The IP address of labdc01.x500.co.uk was being resolved by a hosts file entry. On that line, labdc01 was listed before labdc01.x500.co.uk, so the resolver treated the short name as the canonical hostname and the client expected a certificate with CN=labdc01 rather than CN=labdc01.x500.co.uk.


Removing LABDC01 as an alias from the hosts file resolved the issue: the client then expected a certificate with CN=labdc01.x500.co.uk, which matched the certificate presented by the domain controller.
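To make the cause checkable without touching a live DC, the following is an added example (not from the original post) that models how a resolver derives the canonical name from a hosts file line and compares it with the names on the server certificate. The hosts file contents, the IP address 192.0.2.10 and the certificate name set are constructed; the helper names canonical_name and tls_name_matches are hypothetical.

```python
import ipaddress
from typing import Optional

# Constructed hosts-file contents (not the real client's file): the broken
# form, with the short name first, and the corrected form with the FQDN first.
HOSTS_BROKEN = "192.0.2.10  labdc01  labdc01.x500.co.uk\n"
HOSTS_FIXED = "192.0.2.10  labdc01.x500.co.uk  labdc01\n"

# Names the DC certificate is issued for (constructed to match the post).
CERT_NAMES = {"labdc01.x500.co.uk"}


def canonical_name(hosts_text: str, lookup: str) -> Optional[str]:
    """Return the canonical hostname a resolver derives from a hosts file.

    Each non-comment line is '<ip> <canonical> [alias ...]'.  If `lookup`
    matches any name on a line, the first name on that line is reported as
    the canonical name (case-insensitive).  Returns None if no line matches.
    """
    lookup = lookup.lower()
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # malformed line; skip it as the resolver would
        names = [n.lower() for n in fields[1:]]
        if lookup in names:
            return names[0]
    return None


def tls_name_matches(hosts_text: str, lookup: str, cert_names: set) -> bool:
    """True when the name the TLS client will validate is on the certificate.

    Falls back to the looked-up name itself when the hosts file has no entry
    (i.e. DNS would be used).  Exact-match only; wildcards are not modelled.
    """
    expected = canonical_name(hosts_text, lookup) or lookup.lower()
    return expected in {n.lower() for n in cert_names}


if __name__ == "__main__":
    for label, hosts in (("broken", HOSTS_BROKEN), ("fixed", HOSTS_FIXED)):
        name = canonical_name(hosts, "labdc01.x500.co.uk")
        ok = tls_name_matches(hosts, "labdc01.x500.co.uk", CERT_NAMES)
        print(f"{label}: expected server name {name!r}, matches cert: {ok}")
```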
