Virtual Geek

Tales from real IT system administrators world and non-production environment

ldp.exe LDAPS Cannot open connection Error 81

Part 1: Install and configure certificate authority (CA) on Microsoft Windows server with Group Policy
Part 2: Configuring Secure LDAPs on Domain Controller
        ldp.exe LDAPS Cannot open connection Error 81
Part 3: Install and Configure Active Directory Federation Service (ADFS)

While setting up a lab for Configuring Secure LDAPs on Domain Controller I ran into an error. After deploying the SSL certificate for LDAP, I tested the AD connection with the Ldp.exe utility, and I was using the IP address of the domain controller to connect (port 636, SSL checked).

[Screenshot: ldp.exe Connect dialog with the domain controller's IP address as Server, Port 636 and SSL checked]

Below is the error output shown in the ldp.exe window.

ld = ldap_sslinit("", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to

A popup box also appeared with the warning message "Cannot open connection".

[Screenshot: ldp.exe "Cannot open connection" warning popup]

To dig deeper I checked Event Viewer >> System Log and found Error Event ID 36869 (source: Schannel).

The TLS server credential's certificate does not have a private key information property attached to it. This most often occurs when a certificate is backed up incorrectly and then later restored. This message can also indicate a certificate enrollment failure.

[Screenshot: Event ID 36869 in the System log on the domain controller]

To troubleshoot further I checked the SSL certificate deployed for LDAP on the Domain Controller. In the LocalMachine Personal (My) store, open the properties of the LDAPS certificate and check Issued to, Subject CN, Subject Alternative Name and Certification Path. There was no IP address in the certificate, only the domain controller's FQDN. Ldp.exe validates the server certificate against the name typed in the Server box, so an IP address cannot match a certificate issued to the FQDN (unless the IP is listed in the Subject Alternative Name); the TLS handshake fails before any LDAP bind starts, and that is what error 81 (0x51, LDAP_SERVER_DOWN) reports. I used the FQDN to connect in ldp.exe. Note that Event ID 36869 on its own points at a different problem: Schannel found the certificate but no private key linked to it. If that event keeps appearing after switching to the FQDN, the key binding has to be repaired (certutil -repairstore MY <serial number or thumbprint>) or the certificate re-enrolled, because a server certificate without a private key cannot complete the handshake either.

[Screenshot: LDAPS certificate properties showing Issued to, Subject CN, public key parameters, certificate template name and validity]

After using the FQDN (fully qualified domain name), the LDAP connection over SSL to the domain controller was established successfully.

[Screenshot: ldp.exe connected successfully to the domain controller on port 636 over SSL]
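The ldp.exe test above can be reproduced in PowerShell in a way that shows why it fails. This is an added example, not code from the original post: it opens a TLS connection to port 636 with .NET's SslStream, hands the connection target to the handshake exactly the way the Server box in ldp.exe does, and reports the certificate the domain controller presents together with the validation result, so a name mismatch (IP versus FQDN) or a dead handshake (the Event ID 36869 case) is visible instead of a bare "Error 81". The values of $dcFqdn and $dcIp are constructed placeholders.

```powershell
# Added example (not from the original post). The host name passed to the
# TLS client is what gets checked against the certificate's CN/SAN, just like
# the value typed into ldp.exe's Server box. An IP address never matches a
# certificate issued to the DC's FQDN (unless the IP is in the SAN), so the
# handshake fails before any LDAP bind happens; ldp.exe reports that as error 81.

function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$Server,   # FQDN or IP, as you would type it into ldp.exe
        [int]$Port = 636
    )
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
    } catch {
        return [pscustomobject]@{ Server = $Server; TcpConnected = $false; Error = $_.Exception.Message }
    }

    # Record the validation result instead of aborting the handshake, so the
    # report can say which check failed (name mismatch, untrusted chain, ...).
    # The hashtable is a reference, so the closure can write into it.
    $state = @{ PolicyErrors = [System.Net.Security.SslPolicyErrors]::None }
    $callback = { param($sender, $cert, $chain, $sslErrors) $state.PolicyErrors = $sslErrors; $true }.GetNewClosure()
    $validator = [System.Net.Security.RemoteCertificateValidationCallback]$callback

    $ssl = New-Object System.Net.Security.SslStream -ArgumentList @($client.GetStream(), $false, $validator)
    try {
        # $Server is the target host name the certificate must match.
        $ssl.AuthenticateAsClient($Server)
        $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san    = if ($sanExt) { $sanExt.Format($false) } else { '<none>' }
        $nameMismatch = ($state.PolicyErrors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) -ne 0

        [pscustomobject]@{
            Server         = $Server
            TcpConnected   = $true
            TlsHandshake   = $true
            Subject        = $cert.Subject
            SubjectAltName = $san
            Issuer         = $cert.Issuer
            Thumbprint     = $cert.Thumbprint
            NotAfter       = $cert.NotAfter
            NameMatches    = -not $nameMismatch
            PolicyErrors   = $state.PolicyErrors
        }
    } catch {
        # A handshake that dies here (connection reset, TLS alert) is what you
        # get when the DC has no usable certificate, e.g. one without a linked
        # private key as described by Event ID 36869.
        [pscustomobject]@{ Server = $Server; TcpConnected = $true; TlsHandshake = $false; Error = $_.Exception.Message }
    } finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}

# Constructed placeholders (assumptions): replace with your own DC's FQDN and IP.
$dcFqdn = 'dc01.lab.local'
$dcIp   = '192.168.1.10'

# Same DC, same certificate, different target name: compare NameMatches and
# PolicyErrors between the two runs.
Test-LdapsCertificate -Server $dcIp   | Format-List
Test-LdapsCertificate -Server $dcFqdn | Format-List
```

Run it from the same machine you ran ldp.exe on, since the chain check uses that machine's trusted root store; a RemoteCertificateChainErrors value means the CA certificate from Part 1 is not trusted there, which is a separate problem from the name mismatch this post is about.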

If you want to make sure the LDAPS connection uses only the certificate you intend, remove unused and unwanted certificates from the LocalMachine Personal (My) store on the Domain Controller. When more than one certificate in that store meets the LDAPS requirements (Server Authentication EKU, private key present, DC FQDN in the subject or SAN, within its validity period), Schannel chooses one of them and it may not be the one you expect. Use the command below to list and verify the certificates in the store, including whether each one has a usable private key:

certutil -VerifyStore MY

[Screenshot: certutil -verifystore MY output listing the Personal certificates with their serial numbers]
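To see at a glance which certificates in the store Schannel could pick for LDAPS, and which are the "unused and unwanted" ones, here is an added example (not from the original post) that inventories Cert:\LocalMachine\My and checks each certificate against the documented LDAPS requirements. It also flags the two conditions discussed above: more than one eligible certificate, and a certificate that matches the DC's name but has no linked private key, which is the Event ID 36869 situation. It assumes it is run in an elevated PowerShell session on the domain controller itself; Get-CertDnsNames is a helper written for this example.

```powershell
# Added example (not from the original post): inventory the DC's LocalMachine
# Personal (My) store and flag which certificates qualify for LDAPS.
# Assumption: run elevated on the domain controller, so $dcFqdn is its own name.

$dcFqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$now           = Get-Date

function Get-CertDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # CN from the subject plus every DNS entry in the Subject Alternative Name extension
    $names = @()
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $names += [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
                  ForEach-Object { $_.Groups[1].Value }
    }
    return $names
}

$report = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert    = $_
    $ekuExt  = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $hasServerAuth = $ekuOids -contains $serverAuthOid
    $nameMatches   = (Get-CertDnsNames -Cert $cert) -contains $dcFqdn
    $inValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        HasPrivateKey = $cert.HasPrivateKey     # False here is what Event ID 36869 describes
        ServerAuthEKU = $hasServerAuth
        NameMatchesDC = $nameMatches
        InValidity    = $inValidity
        LdapsEligible = $cert.HasPrivateKey -and $hasServerAuth -and $nameMatches -and $inValidity
    }
}

$report | Format-Table -AutoSize

# More than one eligible certificate means Schannel chooses, not you; remove the
# extras (Remove-Item Cert:\LocalMachine\My\<thumbprint>) and run this again.
$eligible = @($report | Where-Object LdapsEligible)
if ($eligible.Count -gt 1) {
    Write-Warning "$($eligible.Count) certificates qualify for LDAPS; Schannel may not use the one you expect."
}

# A certificate with the right name but no linked private key cannot serve
# LDAPS; certutil can re-associate the key if it still exists in the key store.
$report | Where-Object { $_.NameMatchesDC -and -not $_.HasPrivateKey } | ForEach-Object {
    Write-Warning "No private key linked to $($_.Thumbprint); try: certutil -repairstore MY $($_.Thumbprint)"
}
```

Deleting a certificate from Cert:\LocalMachine\My is irreversible unless you have exported it with its private key first, so export before cleanup if there is any doubt about which certificate another service on the DC is using.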

If you have renewed or replaced the certificate on the Domain Controller, the LDAP service keeps using the previously loaded certificate until the DC is restarted or told to reload it. To reload without a restart, save the LDIF below to a text file (the empty dn: line targets the rootDSE, where the renewServerCertificate operational attribute lives, and the - line terminates the change).

dn:
changetype: modify
add: renewServerCertificate
renewServerCertificate: 1
-

Then import it with ldifde, which applies the modify operation to the rootDSE and makes the DC pick up the new certificate.

ldifde -i -f c:\cert\enable_ldap.txt

[Screenshot: ldifde importing the renewServerCertificate modify operation]
