schannel errors when attempting to setup LDAP

[Douglas Green]

I updated my root CA to 2048 (from 1024) and followed the SSL procedures to use OpenSSL to convert from PKCS12 to PEM. I uploaded the new root certificate. to the GSA. I noticed an LDAP error stating port 636 was closed. I verified on the DC that 636 was active and listening. I attempted to setup the LDAP via 636 but it continues to state the port is closed. On the Windows 2008 Server the DC event logs state a schannel error "The SSL server credentials certificate does not have a private key information properly attached to it." This is a self signed root CA and the CA is on a Windows 2008 Domain controller

We recently patched the critical updates for 2008. Prior SSL1-3 were permitted and I had no issues with LDAP. Now TLS is required and the GSA acts as if the socket to 636 is closed.

It appears that I am not exporting the certificate correctly. Here is what I have: Windows 2008 R2 Domain Controller with CA role installed. I have two Root certificates name after the domain name. They are the trusted root folder. 

I have exported as a  PKCS12 with a pass phrase and I have exported as a x509.cer

I followed the help file instruction to use openssl to convert the formatting of the certificate.

openssl pkcs12 -in test1.pfx -out test1.pem

I then installed the test1,pem as the certificate and I used the same file for the passphrase.

Certificate loads fine LDAP still will not establish a connection with 636 and repeats the same schannel error as above.

Any help would be appreciated.

-Doug

[Mathias Bierl]

Could you establish an LDAPS connection with a desktop LDAP client ?

The error message looks more like the certificate is not properly installed on the LDAP server not the GSA.

[Douglas Green]

Yes I can open ldp.exe and connect to the ldap server via port 636 and the ssl box is checked from another windows server.

- Doug

[Douglas Green]

Found the answer:

Two Parts

1. The instructions for the GSA state a x509 format is needed for the certificate. I used openssl to save as a decrypted .pem format. I used the same .pem file for the certificate and the passphrase file.

2. The account used to login to LDAP I was using the following formats given in the instructions from the onboard help (DOMAIN\username or username@domain) I ended up using the DN i.e. CN=username,OU=USERS,DN=DOMAIN NAME 

Thank you Mathias for your assistance!!

[Douglas Green]

I should have stated this as this would be helpful to other Windows Admins. I am working with a Windows 2008 R2 domain. My DC is my root CA and I am using the Microsoft self sign root not a third party CA.