I was asked to look at an issue with a Print Management Solution being unable to query Active Directory via LDAPS (Secure LDAP). The software runs on a non-domain joined Windows Server 2016 machine, querying a Windows Server 2016 AD Domain Controller.
LDP connections to the Domain Controller over port 636 failed with “Cannot open connection”:
ld – ldap_open(“labdc01.x500.co.uk”, 636);
Error <0x51>: Fail to connect to labdc01.x500.co.uk.
From the client (the non-domain joined machine):
- LDAP connections could be established using both IP and FQDN.
- The Enterprise Root CA certificate for the x500.co.uk domain was installed in the Trusted Root Certification Authorities store on the machine.
- Telnet to LABDC01 on port 636 was successful.
When the LDP connection failed, the following event was logged on the client:
Event ID: 36884, Schannel:
“The certificate received from the remote server does not contain the expected name. It is therefore not possible to determine whether we are connecting to the correct server. The server name we were expecting is labdc01. The TLS connection request has failed. The attached data contains the server certificate.”
Notice that the server name in the error above is not the FQDN (i.e. labdc01 rather than labdc01.x500.co.uk), even though the connection was made to the FQDN.
The IP address of labdc01.x500.co.uk was being resolved via a hosts file entry. Because labdc01 was listed as an alias before labdc01.x500.co.uk on that line, the client treated labdc01 as the canonical name of the host and therefore expected to receive a certificate with CN=labdc01.
Removing LABDC01 as an alias from the hosts file entry resolved the issue: the client then expected a certificate with CN=labdc01.x500.co.uk, which matched the certificate presented by the Domain Controller.
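The check below reproduces the failure described above offline. It is an added example, not code from the original post: it parses constructed hosts file content, takes the first name on the matching line as the canonical name the TLS client will expect (the behaviour the post observed), and compares that name against a constructed list of the DC certificate's DNS names. It also handles a wildcard certificate name, which the post does not cover.

```python
"""Predict whether a hosts file entry will make a TLS client expect a name that
the LDAPS server certificate does not carry (Schannel event 36884)."""

# Constructed hosts file content: the broken form lists the short alias first.
HOSTS_BROKEN = """# constructed sample, not a real host
192.0.2.10 labdc01 labdc01.x500.co.uk
"""
HOSTS_FIXED = """192.0.2.10 labdc01.x500.co.uk
"""
# Constructed: DNS names assumed to be present in the DC's certificate (SAN/CN).
DC_CERT_NAMES = ["labdc01.x500.co.uk"]


def parse_hosts(text):
    """Return a list of (ip, [names]) for every non-comment, non-blank line."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        ip, *names = line.split()
        if names:
            entries.append((ip, names))
    return entries


def canonical_name(hosts_text, queried):
    """Name the client will verify the certificate against for `queried`.
    Assumption (as observed in the post): the first name on the first hosts
    line listing `queried` becomes the canonical name. Names not found in the
    hosts file are returned unchanged."""
    for _ip, names in parse_hosts(hosts_text):
        if queried.lower() in (n.lower() for n in names):
            return names[0]
    return queried


def name_matches(expected, cert_names):
    """Hostname check: exact match, or a single left-most wildcard label."""
    e = expected.lower()
    for c in (n.lower() for n in cert_names):
        if c == e:
            return True
        if c.startswith("*.") and "." in e and e.split(".", 1)[1] == c[2:]:
            return True
    return False


def check_ldaps_name(hosts_text, target, cert_names):
    """Return (expected_name, ok) for a TLS connection to `target`."""
    expected = canonical_name(hosts_text, target)
    return expected, name_matches(expected, cert_names)
```

Running `check_ldaps_name(HOSTS_BROKEN, "labdc01.x500.co.uk", DC_CERT_NAMES)` reports the client expecting `labdc01` and a mismatch; the fixed hosts content yields `labdc01.x500.co.uk` and a match.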