setrdog.blogg.se

Ldap address book server windows











This article describes how to troubleshoot LDAP over SSL (LDAPS) connection problems.

Applies to: Windows Server 2003
Original KB number: 938703

Step 1: Verify the Server Authentication certificate

Make sure that the Server Authentication certificate that you use meets the following requirements:

- The Active Directory fully qualified domain name of the domain controller appears in one of the following locations:
  - The common name (CN) in the Subject field.
  - A DNS entry in the Subject Alternative Name (SAN) extension.
- The enhanced key usage extension includes the Server Authentication object identifier (1.3.6.1.5.5.7.3.1).
- The associated private key is available on the domain controller.
- The certificate chain is valid on the client computer.

  1. On the domain controller, use the Certificates snap-in to export the SSL certificate to a file that is named Serverssl.cer.
  2. Copy the Serverssl.cer file to the client computer.
  3. On the client computer, open a Command Prompt window.
  4. At the command prompt, type the following command to send the command output to a file that is named Output.txt:

         certutil -v -urlfetch -verify serverssl.cer > output.txt

     To follow this step, you must have the Certutil command-line tool installed.
  5. Open the Output.txt file, and then search for errors.

Step 2: Verify the Client Authentication certificate

In some cases, LDAPS uses a Client Authentication certificate if it is available on the client computer. If such a certificate is available, make sure that the certificate meets the following requirements:

- The enhanced key usage extension includes the Client Authentication object identifier (1.3.6.1.5.5.7.3.2).
- The associated private key is available on the client computer. To verify that the key is available, use the certutil -verifykeys command.
- The certificate chain is valid on the domain controller. To determine whether the certificate is valid, follow these steps:

  1. On the client computer, use the Certificates snap-in to export the SSL certificate to a file that is named Clientssl.cer.
  2. Copy the Clientssl.cer file to the server.
  3. On the server, open a Command Prompt window.
  4. At the command prompt, type the following command to send the command output to a file that is named Outputclient.txt:

         certutil -v -urlfetch -verify clientssl.cer > outputclient.txt

  5. Open the Outputclient.txt file, and then search for errors.

Step 3: Check for multiple SSL certificates

Determine whether multiple SSL certificates meet the requirements that are described in step 1. Schannel (the Microsoft SSL provider) selects the first valid certificate that Schannel finds in the Local Computer store. If multiple valid certificates are available in the Local Computer store, Schannel may not select the correct certificate.
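One way to look for the situation described in step 3, as an added example that is not part of the original article: the script lists the certificates in the Local Computer Personal store and warns when more than one meets the step 1 requirements that can be checked locally. The function name `Get-LdapsCertCandidate`, the FQDN default and the validity-date check are assumptions of this example; chain validation on the client still needs the certutil procedure from step 1.

```powershell
# Added example, not from the original article. Run elevated on the domain controller.
function Get-LdapsCertCandidate {
    param(
        # Assumption: resolves to the DC's Active Directory FQDN; pass it explicitly if not.
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry('').HostName
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication OID from step 1
    $now = Get-Date

    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # OIDs listed in the certificate's enhanced key usage extension.
        $ekuOids = @($cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } })
        # DnsNameList (added by the PowerShell certificate provider) supplies the DNS
        # names; the Subject CN is read separately with GetNameInfo.
        $cn = $cert.GetNameInfo('SimpleName', $false)
        $names = @($cn) + @($cert.DnsNameList | ForEach-Object { $_.Unicode })

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            NameMatches   = $names -contains $Fqdn
            ServerAuthEku = $ekuOids -contains $serverAuthOid
            # HasPrivateKey only reports that a key is associated with the certificate.
            HasPrivateKey = $cert.HasPrivateKey
            # Assumption: "valid" is approximated here by the validity period only.
            InValidity    = ($cert.NotBefore -le $now) -and ($cert.NotAfter -ge $now)
        }
    }
}

$all = @(Get-LdapsCertCandidate)
$eligible = @($all | Where-Object {
    $_.NameMatches -and $_.ServerAuthEku -and $_.HasPrivateKey -and $_.InValidity })

$all | Format-Table -AutoSize
if ($eligible.Count -gt 1) {
    Write-Warning "$($eligible.Count) certificates meet the step 1 requirements; Schannel may not select the one you expect."
}
```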











