
LDAPS


Yannick

Jun 18, 2008, 3:20:03 PM
Hi,
I'm trying to enable LDAP over SSL (LDAPS) to secure communication between a
web server and a DC. Both servers are in the same subnet, but the web server is
not a member of the domain. The DC is the only computer in the domain. The
purpose of this DC is only to authenticate users accessing the web site on the
web server.

The DC has Certificate Services installed as an enterprise root. Using ldp.exe,
I can connect both on port 389 and 636 from the DC itself.

From the Web server, using ldp.exe I can connect on port 389, but not on
636. Error is :
ld = ldap_open("ldapsvr01", 636);
Error <0x51>: Fail to connect to ldapsvr01.

I compared the config with my corporate domain, where LDAPS works perfectly.
I noticed that, in the Trusted Root Certification Authorities store on the web
server, the Certificate Template type is CA. On my PC on the corporate
domain (which can connect on port 636 using ldp.exe), the type is Root
Certification Authority.

Can someone give me the nail I need to finish building this house?
Thanks.

Sean

Jun 18, 2008, 9:04:57 PM

Check out this link for all the LDAPS troubleshooting steps you need
http://support.microsoft.com/kb/938703.

Yannick

Jun 19, 2008, 12:00:01 PM
Hi,

Thanks for the answer. I already did the troubleshooting steps provided by this
link. When I ran certutil -v -urlfetch -verify s.cer I got the following errors:

=====================================================
---------------- Certificate AIA ----------------
Failed "AIA" Time: 0
Error retrieving URL: The specified network resource or device is no
longer available. 0x80070037 (WIN32: 55)

ldap:///CN=ldapsvr01,CN=AIA,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sgucbrokers,DC=ad?cACertificate?base?objectClass=certificationAuthority

Verified "Certificate (0)" Time: 0
[1.0]
http://ldapsvr01.sgucbrokers.ad/CertEnroll/ldapsvr01.sgucbrokers.ad_ldapsvr01.crt

---------------- Certificate CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: The specified network resource or device is no
longer available. 0x80070037 (WIN32: 55)

ldap:///CN=ldapsvr01,CN=ldapsvr01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sgucbrokers,DC=ad?certificateRevocationList?base?objectClass=cRLDistributionPoint

Verified "Base CRL (1)" Time: 0
[1.0] http://ldapsvr01.sgucbrokers.ad/CertEnroll/ldapsvr01.crl

Failed "CDP" Time: 0
Error retrieving URL: The specified network resource or device is no
longer available. 0x80070037 (WIN32: 55)
[1.0.0]
ldap:///CN=ldapsvr01,CN=ldapsvr01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sgucbrokers,DC=ad?deltaRevocationList?base?objectClass=cRLDistributionPoint

Verified "Delta CRL (1)" Time: 0
[1.0.1] http://ldapsvr01.sgucbrokers.ad/CertEnroll/ldapsvr01+.crl

---------------- Base CRL CDP ----------------
Failed "CDP" Time: 0
Error retrieving URL: The specified network resource or device is no
longer available. 0x80070037 (WIN32: 55)

ldap:///CN=ldapsvr01,CN=ldapsvr01,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sgucbrokers,DC=ad?deltaRevocationList?base?objectClass=cRLDistributionPoint

OK "Delta CRL (1)" Time: 0
[1.0] http://ldapsvr01.sgucbrokers.ad/CertEnroll/ldapsvr01+.crl
=====================================================

From this point, I don't have any idea how to fix it to get LDAPS
functional!

It is probably a very tiny thing I missed, but which one? Does somebody have an idea?

Regards,

__________________________________
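Both symptoms in this thread (ldp.exe reporting 0x51, which is LDAP_SERVER_DOWN and is all wldap32 says when the SSL handshake fails, and certutil failing on every ldap:/// AIA/CDP URL while the http:// ones verify) come down to what the client machine decides about the DC's certificate. The script below is an added example, not code from the thread or from Microsoft. It performs the TLS handshake from the web server itself and records the chain verdict instead of hiding it, then checks the three things an LDAPS server certificate must satisfy: a Server Authentication EKU, a name that matches the host the client connects to, and a chain that builds on the client with revocation checking. It assumes PowerShell 2.0 or later, the DC FQDN ldapsvr01.sgucbrokers.ad (taken from the certutil output) and port 636; change the parameters for another environment.

```powershell
# Added example: LDAPS certificate diagnostic, run on the (non-member) web server.
# Assumptions: DC FQDN ldapsvr01.sgucbrokers.ad (from the thread), port 636,
# PowerShell 2.0+ (.NET 2.0+ SslStream/X509Chain), no proxy in between.
param(
    [string]$Server = 'ldapsvr01.sgucbrokers.ad',
    [int]$Port = 636
)

$report = @{ PolicyErrors = 'not reached'; ChainStatus = @() }

# Validation callback: record the verdict the client would normally enforce,
# then return $true so the handshake completes and the certificate can be read.
# Diagnostic only. A real LDAP client must never accept a failed validation.
$validate = {
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $report.PolicyErrors = $sslPolicyErrors
    $report.ChainStatus  = @($chain.ChainStatus | ForEach-Object {
        '{0}: {1}' -f $_.Status, $_.StatusInformation.Trim() })
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($Server, $Port)
} catch {
    Write-Host ('TCP connect to {0}:{1} failed: {2}' -f $Server, $Port, $_.Exception.Message)
    Write-Host 'Nothing listens on 636 when the DC has no usable certificate; otherwise check the firewall.'
    return
}

$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
try {
    $ssl.AuthenticateAsClient($Server)
    Write-Host ('TLS handshake completed ({0})' -f $ssl.SslProtocol)
} catch {
    Write-Host ('TLS handshake failed: {0}' -f $_.Exception.Message)
    Write-Host ('Policy errors seen by the client: {0}' -f $report.PolicyErrors)
    $report.ChainStatus | ForEach-Object { Write-Host "  chain: $_" }
    $tcp.Close()
    return
}

# What a strict client would have rejected this connection for.
Write-Host ('Policy errors the client would raise: {0}' -f $report.PolicyErrors)
$report.ChainStatus | ForEach-Object { Write-Host "  chain: $_" }

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
Write-Host ('Subject : {0}' -f $cert.Subject)
Write-Host ('Issuer  : {0}' -f $cert.Issuer)
Write-Host ('Valid   : {0} to {1}' -f $cert.NotBefore, $cert.NotAfter)

# Check 1: Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) must be present.
$eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
Write-Host ('Server Authentication EKU present: {0}' -f [bool]$hasServerAuth)

# Check 2: the name the client connects to must appear in the subject CN or SAN.
# Connecting by the short name "ldapsvr01" fails this if only the FQDN is on the cert.
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$names = @($cert.GetNameInfo('DnsName', $false))
if ($san) {
    $names += ($san.Format($false) -split ', ' | ForEach-Object { ($_ -split '=')[-1].Trim() })
}
Write-Host ('Names on the certificate: {0}' -f ($names -join ', '))
Write-Host ('Name matches {0}: {1}' -f $Server, [bool]($names -contains $Server))

# Check 3: the chain must build on THIS machine with revocation checking.
# A non-member cannot follow the ldap:/// AIA/CDP URLs, so only http:// ones
# can satisfy this; UntrustedRoot means the enterprise root CA certificate is
# missing from the web server's Local Machine Trusted Root store.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'Online'
$chain.ChainPolicy.RevocationFlag = 'EntireChain'
$built = $chain.Build($cert)
Write-Host ('Chain builds with online revocation: {0}' -f $built)
$chain.ChainStatus   | ForEach-Object { Write-Host ('  {0}: {1}' -f $_.Status, $_.StatusInformation.Trim()) }
$chain.ChainElements | ForEach-Object { Write-Host ('  element: {0}' -f $_.Certificate.Subject) }

$ssl.Close()
$tcp.Close()
```

Read the output bottom-up: `UntrustedRoot` means the root CA certificate has to be exported from the DC and imported into the web server's Local Machine (not Current User) Trusted Root store; `RevocationStatusUnknown` or `OfflineRevocation` means neither an http:// nor an ldap:// CDP could be reached from this host, so the CA should publish an HTTP CDP the web server can fetch; `RemoteCertificateNameMismatch` means the client is using a name (such as the short name ldapsvr01 from the first post) that is not on the certificate. Fix the reported condition rather than relaxing validation in the web application: a client that accepts any certificate on 636 gets no protection against a spoofed DC, which defeats the reason for moving from 389 to 636.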

lennartvandendool

Dec 22, 2009, 6:47:35 AM
I have the same problem! Any tips on how to debug from here? Anyone solved this?

Submitted via EggHeadCafe - Software Developer Portal of Choice

Lanwench [MVP - Exchange]

Dec 29, 2009, 11:53:18 AM
On Tue, 22 Dec 2009 03:47:35 -0800, Lennart van den Dool wrote:

>I have the same problem! Any tips on how to debug from here? Anyone solved this?
>

Hi - you're replying to a year-and-a-half old post which is no longer
on the server. Please don't use Egghead or Techarena or similar to
access the newsgroups - use a newsreader and access
msnews.microsoft.com directly to subscribe to the groups you wish.
Post new questions as new messages and provide full detail of your
problem, errors, and what you've tried to resolve it. This will get
you more help.


Ace Fekay [MCT]

Dec 29, 2009, 9:44:05 PM
"Lanwench [MVP - Exchange]"
<lanw...@heybuddy.donotsendme.unsolicitedmail.atyahoo.com> wrote in message
news:9tckj5tkiri4efpd5...@4ax.com...

> On Tue, 22 Dec 2009 03:47:35 -0800, Lennart van den Dool wrote:
>
>>I have the same problem! Any tips on how to debug from here? Anyone solved
>>this?
>>
> Hi - you're replying to a year-and-a-half old post which is no longer
> on the server. Please don't use Egghead or Techarena or similar to
> access the newsgroups - use a newsreader and access
> msnews.microsoft.com directly to subscribe to the groups you wish.
> Post new questions as new messages and provide full detail of your
> problem, errors, and what you've tried to resolve it. This will get
> you more help.
>

I don't believe folks using Techarena realize that all we see in the
Microsoft newsgroups is just "I have the same problem" with nothing else in
the post.

I also don't believe Techarena folks are aware that Techarena's posts and
threads are actually *directly* tied into the public Microsoft newsgroups,
where posts are pulled from and the answers in Techarena are posted to.
Sure, Techarena keeps posts that are YEARS old, and folks find them through
searches, and then reply, not realizing all we see is their post and not the
original.

Unfortunate, because they are not getting the help they deserve. If only they
would post a new thread explaining their issues; we would be glad to assist.

Ace
