ldp.exe LDAPS Cannot open connection Error 81
While setting up a lab for configuring secure LDAPS on a domain controller I ran into an error. After deploying an SSL certificate for LDAP, I tested the AD connection with the Ldp.exe utility, connecting by IP address.
Below is the error log shown on screen.
ld = ldap_sslinit("192.168.34.11", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to 192.168.34.11.
There was also a popup box with the warning message "Cannot open connection".
To dig deeper I checked Event Viewer > System log and found an error with Event ID 36869:
The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.
To troubleshoot further I inspected the SSL certificate deployed for LDAP on the domain controller. In the Local Computer certificate store (Personal, also shown as "My"), I opened the properties of the LDAPS certificate and checked Issued To, the Subject CN and the Certification Path. No IP address appeared anywhere in the certificate, only the server's name, so the IP address I typed into ldp.exe could not match it. I connected with the FQDN instead.
After using the FQDN (fully qualified domain name), the LDAP connection over SSL to the domain controller was established successfully.
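The following PowerShell script is an added example and is not part of the original post. It reproduces the TLS side of what Ldp.exe does, once against an IP address and once against an FQDN, and reports the certificate the domain controller presented together with the name-validation result, so the mismatch behind "Cannot open connection" is visible without guessing. The IP 192.168.34.11 is the lab address from the post; the FQDN dc01.lab.local is an assumed placeholder to replace with your own domain controller name.

```powershell
# Added diagnostic (not from the original article). Performs a TLS handshake to an
# LDAPS endpoint and records what certificate validation thought of the server name.
param(
    [string[]]$Targets = @('192.168.34.11', 'dc01.lab.local'),  # assumed lab values
    [int]$Port = 636
)

$script:LastPolicyErrors = $null
$script:LastServerCert   = $null

# Validation callback: record the verdict and the certificate instead of aborting,
# so a name mismatch can be reported rather than hidden behind a generic failure.
$validationCallback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $script:LastPolicyErrors = $sslPolicyErrors
    $script:LastServerCert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $certificate
    return $true   # diagnostic only: let the handshake finish so the certificate can be inspected
}

function Test-LdapsEndpoint {
    param([string]$Target, [int]$Port = 636)

    $script:LastPolicyErrors = $null
    $script:LastServerCert   = $null

    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Target, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validationCallback)
        # The name passed here is what the certificate is matched against, exactly like
        # the host string typed into Ldp.exe. An IP only matches an IP-address SAN entry.
        $ssl.AuthenticateAsClient($Target)
        $ssl.Dispose()
    } catch {
        Write-Warning "$Target : TLS handshake failed: $($_.Exception.Message)"
    } finally {
        $tcp.Close()
    }

    if ($null -eq $script:LastServerCert) { return }
    $cert = $script:LastServerCert

    # Subject Alternative Name extension (OID 2.5.29.17) lists the names the cert is valid for.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '<no SAN extension>' }

    [pscustomobject]@{
        Target         = $Target
        PolicyErrors   = $script:LastPolicyErrors   # RemoteCertificateNameMismatch when an IP was used
        Subject        = $cert.Subject
        Issuer         = $cert.Issuer
        NotAfter       = $cert.NotAfter
        SubjectAltName = $sanText
    }
}

foreach ($t in $Targets) {
    Test-LdapsEndpoint -Target $t -Port $Port
}
```

Run it from a domain-joined workstation that trusts the issuing CA. For the IP target, PolicyErrors shows RemoteCertificateNameMismatch and SubjectAltName lists only DNS names, which is the same condition Ldp.exe reports as error 81; for the FQDN target, PolicyErrors is None. If the FQDN target also fails with a chain error, the client is missing the CA certificate rather than the server being misconfigured.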
If you want to make sure the LDAPS connection uses only the SSL certificate you assigned, remove unused and unwanted certificates from the Local Computer Personal (My) store on the domain controller. Use the command below to verify the certificates in that store:
certutil -VerifyStore MY
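As an added example (not part of the original post), the PowerShell script below audits the same Local Computer Personal store and flags, for each certificate, the properties the domain controller needs before it will use a certificate for LDAPS: a private key (the missing piece behind Event ID 36869), the Server Authentication EKU, the domain controller's FQDN in the Subject or SAN, and a current validity period. It runs on the domain controller itself and derives the FQDN from the local hostname; the `UsableForLdaps` column is this script's own summary, not a value Windows exposes.

```powershell
# Added audit (not from the original article). Lists certificates in the Local Computer
# Personal (My) store and checks the requirements for LDAPS on a domain controller.
$dcFqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName  # e.g. dc01.lab.local
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now           = Get-Date

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # A certificate with no EKU extension (OID 2.5.29.37) is usable for any purpose;
    # one with an EKU extension must list Server Authentication explicitly.
    $ekuExt        = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOids       = $cert.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId }
    $hasServerAuth = (-not $ekuExt) -or ($ekuOids -contains $serverAuthOid)

    # The DC name must appear in the SAN (preferred) or the Subject CN; an IP address
    # typed into Ldp.exe matches neither, which is the error described in the post.
    $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $pattern = [regex]::Escape($dcFqdn)
    $nameMatchesDC = ($sanText -match $pattern) -or ($cert.Subject -match $pattern)

    $timeValid = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        Subject        = $cert.Subject
        NotAfter       = $cert.NotAfter
        HasPrivateKey  = $cert.HasPrivateKey      # $false here is what Event ID 36869 reports
        ServerAuthEKU  = $hasServerAuth
        NameMatchesDC  = $nameMatchesDC
        TimeValid      = $timeValid
        UsableForLdaps = $cert.HasPrivateKey -and $hasServerAuth -and $nameMatchesDC -and $timeValid
    }
} | Format-Table -AutoSize
```

Exactly one row should show `UsableForLdaps` as True. Several True rows mean the domain controller may pick a certificate you did not intend, which is the reason to clean up the store; a row with HasPrivateKey False for the certificate you expect to be used points to the same backup-and-restore or enrollment problem the event text describes.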
If you have renewed the certificate on the server, make sure the domain controller picks up the new certificate with the procedure below. Save the following to a text file (the empty dn: line is intentional; it targets rootDSE).
dn:
changetype: modify
add: renewServerCertificate
renewServerCertificate: 1
-
Then execute the command:
ldifde -i -f c:\cert\enable_ldap.txt