Trying to get LDAP to work on Windows Server 2019 with internal CA certificate or with comodo certificate

  ldap, server, windows

I have spent many months on this issue, but recently on a new Windows Server 2019, I have the same issue:

I would think that the internal Windows 2019 certificates would be fine for LDAPS, not sure if it is a matter of trust, or a configuration issue. I have looked at many documents on the internet, but none seem to help me get beyond this LDAPS issue. My goal is to use a Windows 2019 ldaps certificate so other applications can authenticate and retrieve ldap data.

I have installed Windows Server 2019 and I installed the Certification Authority and I see ports 389 and 636 in listen mode, but when I attempt to use port 636 I have errors. Port 389 is fine. When I use the openssl connect command on port 443 I have no errors.

What I have tried:

  1. I have spent hours searching for solutions that work in www.google.com. This has not worked.

  2. I have used a JXplorer ldap browser. I can log in to port 389 and see active directory objects fine, but when I use port 636 it fails immediately with the error "Error opening connection: LDAP connection has been closed". The details on the error are: "javax.naming.NamingException: LDAP connect has been closed".

  3. When I do this command, I get the response shown below:

    openssl s_client -connect FicticiousServerName.com:636 -showcerts

    CONNECTED(00000003)
    depth=0 CN = LAB.FicticiousServerName.com
    verify error:num=20:unable to get local issuer certificate
    verify return:1
    depth=0 CN = LAB.FicticiousServerName.com
    verify error:num=21:unable to verify the first certificate
    verify return:1

    Certificate chain
    0 s:/CN=LAB.FicticiousServerName.com
    i:/DC=com/DC=FicticiousServerName/CN=FicticiousServerName.com

  4. Use Windows 2019 ldp.exe to test ldap and port 636, IT LOOKS FINE:

    ld = ldap_sslinit("FicticiousServerName.com", 636, 1);
    Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
    Error 0 = ldap_connect(hLdap, NULL);
    Error 0 = ldap_get_option(hLdap,LDAP_OPT_SSL,(void*)&lv);
    Host supports SSL, SSL cipher strength = 256 bits
    Established connection to FicticiousServerName.com.
    Retrieving base DSA information…
    Getting 1 entries:
    Dn: (RootDSE)
    configurationNamingContext: CN=Configuration,DC=FicticiousServerName,DC=com;
    currentTime: 5/4/2021 6:02:07 PM Mountain Daylight Time;
    defaultNamingContext: DC=FicticiousServerName,DC=com;
    dnsHostName: LAB.FicticiousServerName.com;
    domainControllerFunctionality: 7 = ( WIN2016 );
    domainFunctionality: 7 = ( WIN2016 );
    dsServiceName: CN=NTDS Settings,CN=LAB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=FicticiousServerName,DC=com;
    forestFunctionality: 7 = ( WIN2016 );
    highestCommittedUSN: 16717;
    isGlobalCatalogReady: TRUE;
    isSynchronized: TRUE;
    ldapServiceName: FicticiousServerName.com:[email protected];
    namingContexts (5): DC=FicticiousServerName,DC=com;
    CN=Configuration,DC=FicticiousServerName,DC=com;
    CN=Schema,CN=Configuration,DC=FicticiousServerName,DC=com;
    DC=DomainDnsZones,DC=FicticiousServerName,DC=com;
    DC=ForestDnsZones,DC=FicticiousServerName,DC=com;
    rootDomainNamingContext: DC=FicticiousServerName,DC=com;
    schemaNamingContext: CN=Schema,CN=Configuration,DC=FicticiousServerName,DC=com;
    serverName: CN=LAB,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=FicticiousServerName,DC=com;
    subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=FicticiousServerName,DC=com;
    supportedCapabilities (6): 1.2.840.113556.1.4.800 = ( ACTIVE_DIRECTORY );
    1.2.840.113556.1.4.1670 = ( ACTIVE_DIRECTORY_V51 ); 1.2.840.113556.1.4.1791 = (
    ACTIVE_DIRECTORY_LDAP_INTEG ); 1.2.840.113556.1.4.1935 = ( ACTIVE_DIRECTORY_V61 );
    1.2.840.113556.1.4.2080 = ( ACTIVE_DIRECTORY_V61_R2 ); 1.2.840.113556.1.4.2237 = (
    ACTIVE_DIRECTORY_W8 );
    supportedControl (40): 1.2.840.113556.1.4.319 = ( PAGED_RESULT ); 1.2.840.113556.1.4.801 = (
    SD_FLAGS ); 1.2.840.113556.1.4.473 = ( SORT ); 1.2.840.113556.1.4.528 = ( NOTIFICATION );
    1.2.840.113556.1.4.417 = ( SHOW_DELETED ); 1.2.840.113556.1.4.619 = ( LAZY_COMMIT );
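The openssl output in the question (verify error 20, then 21, with only the leaf certificate in the chain) is what a client prints when it does not trust the certificate's issuer; ldp.exe succeeds because the Windows machine store already trusts the domain CA. As an added example that is not part of the original question, the script below rebuilds that failure with a constructed throwaway CA and leaf certificate and then shows the same leaf verifying once the client is handed the issuing CA certificate; it assumes the openssl CLI (1.1.0 or newer) and all names in it are made up.

```shell
#!/bin/sh
# Added example, not from the original post: rebuild the "error 20" from
# the question with a constructed throwaway CA + leaf certificate, then show
# the same leaf verifying once the client is handed the issuing CA cert.
# Assumes the openssl CLI (1.1.0+); all names below are made up.
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
CA_CN="CONSTRUCTED-INTERNAL-CA"   # stands in for the domain CA
LEAF_CN="lab.example.test"        # stands in for LAB.<domain> from the question

# Self-signed CA plus a leaf certificate signed by it (what the DC presents).
make_test_certs() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$CA_CN" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=$LEAF_CN" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 1 -out "$WORK/leaf.pem" 2>/dev/null
}

# verify_leaf [cafile]: prints "ok" when the leaf chains to a trusted issuer,
# otherwise the X.509 error text openssl reports. Without a CA file the system
# store is skipped, so the issuer is unknown to the client: the same "unable to
# get local issuer certificate" (error 20) the question's s_client run shows.
verify_leaf() {
  if [ $# -gt 0 ]; then
    out="$(openssl verify -CAfile "$1" "$WORK/leaf.pem" 2>&1 || true)"
  else
    out="$(openssl verify -no-CApath -no-CAfile "$WORK/leaf.pem" 2>&1 || true)"
  fi
  case "$out" in
    *": OK") echo ok ;;
    *"unable to get local issuer certificate"*) echo "unable to get local issuer certificate" ;;
    *) echo "other: $out" ;;
  esac
}

make_test_certs
echo "leaf only, no CA trusted : $(verify_leaf)"
echo "leaf with issuing CA file: $(verify_leaf "$WORK/ca.pem")"
# Same check against a live directory server (not run here): export the issuing
# CA certificate from the server and pass it to the client, e.g.
#   openssl s_client -connect dc.example.test:636 -CAfile ca.pem
```

The fix on the client side is the second case: export the internal CA certificate (PEM) and install it in the trust store the application actually uses (the JVM cacerts for JXplorer), since Windows' own store is not consulted by Java clients.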


Source: Windows Questions
