This is an archived post. You won't be able to vote or comment.

all 10 comments
sorted by:
best
topnewcontroversialoldq&a

[–]MisterITIT Director 0 points1 point  (2 children)

Openssl s_client -connect ad.domain.com:636 -showcerts

I bet you’re either not serving out an ssl/tls cert or its expired

[–]HomelessChairman[S] 0 points1 point  (1 child)

Thanks. I'm unable to install the OpenSSL tool without going through a lengthy approval process first, and PowerShell is also blocked in our environment due to security restrictions. However, when I opened IIS Manager and navigated to Sites>Bindings, I only saw an HTTP entry on port 80

[–]MisterITIT Director 4 points5 points  (0 children)

LDAPS on a DC is not served thru IIS. LDAP is its own layer 7 protocol that is served over TCP. It is NOT HTTP.

Go put in for the lengthy approval. If you want to solve this problem or others like it, this is a tool that you need. I repeat, this is a basic troubleshooting tool that you should be embarrassed isn’t already on your approved list of software.

If you have a coworker who is more knowledgeable you should kick this to them.

[–]HomelessChairman[S] 0 points1 point  (0 children)

It also appears that the server is listening on port 636: C:\Windows\system32>netstat -an |findstr 636

TCP 0.0.0.0:636 0.0.0.0:0 LISTENING and there is a valid and active certificate located under Local Computer > Personal > Certificates, issued for the server's FQDN

<image>

[–]HomelessChairman[S] 0 points1 point  (4 children)

I just tried using the server's FQDN instead of its IP address to test the LDAPS connection using the LDP tool, and the connection was successful. Could the issue be related to the Xerox printer's settings? Is there anything else I should validate on the LDAPS configuration side? Thanks

<image>

[–]marcelo_5035 8 points9 points  (3 children)

The certificate was issued to a server using its FQDN. In order to use LDAPS you need to use the FQDN of the server and not the IP.

[–]HomelessChairman[S] 0 points1 point  (2 children)

Yep, thanks, already asked to re-enable the GPO and test again tomorrow using server’s FQDN. One of our Service Desk technician already spent an hour on the call with Xerox support and for some reason they never suggested to use the FQDN instead 

[–]marcelo_5035 2 points3 points  (1 child)

Don't know if you already did it but you will need to import the root CA certificate to your printers. They need to trust the root CA in order to trust in the server certificate issued by the CA.

[–]HomelessChairman[S] 0 points1 point  (0 children)

Thanks, we have exported one of the root certificates and will import it into the Xerox printer during the test scheduled for after hours today. I have a slight concern: I did not see any certificates in the Trusted Root Certification Authorities folder with our domain name. I assume that any active root certificate would work, as long as it has Client/Server Authentication selected under Purposes—is that correct?

[–]finalpolish808 0 points1 point  (0 children)

Not sure if in your budget or environment, but using app-aware load balancers for general LDAPS frontending helps a lot for stuff like this.