LDAPS Only Works on Domain Certificate Authority and Not on Other Domain Controllers – Active Directory Certificate Services – Windows Server 2008 R2

Tags: certificate, certificate-authority

I have 3 Domain Controllers with Active Directory role installed on them. I installed Certificate Services on one of the Domain Controllers. I am able to LDAPS to it, but not the others even though the cert shows in the trusted stores of the other two domain controllers.

When trying to connect with ldp.exe, I get this error message:

    Error 81 = ldap_connect(hLdap, NULL);
    Server error:
    Error <0x51>: Fail to connect to

I have tried manually importing the cert, restarting certificate services, and so many other things that I lost track. Any idea what might be going on? Thanks!

Best Answer

Active Directory domain controllers will only have a working LDAPS listener on 636 if they have their own certificate and private key in the computer certificate store that has the Server Authentication usage set on it.

The certificate authority has this already by virtue of being a certificate authority (the root certificate of the CA fills the requirement, since it's valid for all usage types), but for the other servers, simply trusting the root cert doesn't get them what's needed.

To resolve this, you should do two things:

  1. In certsrv.msc for the CA, under Certificate Templates, enable the CA to issue the Kerberos Authentication template ("new certificate template to issue").
  2. In certtmpl.msc, pull up the properties of the Kerberos Authentication template. On the security tab, enable "Enroll" and "Autoenroll" for the Domain Controllers group.

Running certutil -pulse on the other domain controllers should prompt them to enroll for one of these certificates, and LDAPS should begin functioning on those systems.
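The following PowerShell script is an added example to go with the answer above; it is not part of the original answer. Run it in an elevated session on each domain controller, before and after `certutil -pulse`. It lists the certificates in the machine store that could back the LDAPS listener (private key present, not expired, and either carrying the Server Authentication EKU or no EKU restriction at all), then attempts a TLS handshake against port 636 and reports whether the presented certificate chains to a trusted root on the client. The `$LdapHost` parameter is an assumption of this example and defaults to the local machine's FQDN; the functions `Test-ServerAuthCapable`, `Get-LdapsCandidateCert` and `Test-LdapsHandshake` are defined here and are not part of any Microsoft tool.

```powershell
# Added example, not part of the original answer. Run on each domain
# controller in an elevated PowerShell session. $LdapHost defaults to this
# machine's FQDN; pass another DC's FQDN to test it from here.
param(
    [string]$LdapHost = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [int]$Port = 636
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-ServerAuthCapable {
    # True if the cert may be used for Server Authentication: either it has no
    # EKU extension (unrestricted, as with a typical CA root) or the EKU list
    # contains id-kp-serverAuth (the Kerberos Authentication template does).
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $eku = @($Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] })
    if ($eku.Count -eq 0) { return $true }
    foreach ($oid in $eku[0].EnhancedKeyUsages) {
        if ($oid.Value -eq $serverAuthOid) { return $true }
    }
    return $false
}

function Get-LdapsCandidateCert {
    # Schannel needs a certificate with a usable private key in the computer
    # store (Cert:\LocalMachine\My); expired certificates are skipped.
    Get-ChildItem Cert:\LocalMachine\My | Where-Object {
        $_.HasPrivateKey -and
        $_.NotAfter -gt (Get-Date) -and
        (Test-ServerAuthCapable -Cert $_)
    }
}

function Test-LdapsHandshake {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
    } catch {
        # No listener on 636 is exactly the symptom of a DC with no usable cert.
        return New-Object PSObject -Property @{
            Host = $HostName; Port = $Port; TcpOpen = $false; Handshake = $false
            Detail = "TCP connect failed: $($_.Exception.Message)"
        }
    }
    try {
        # Accept whatever the server presents during the handshake; trust is
        # checked afterwards with X509Chain so the two failure modes stay separate.
        $callback = { param($sender, $cert, $chain, $errors) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chainCheck = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chainCheck.Build($remote)
        New-Object PSObject -Property @{
            Host = $HostName; Port = $Port; TcpOpen = $true; Handshake = $true
            Detail = "Server cert: $($remote.Subject) (thumbprint $($remote.Thumbprint)); chain trusted by this client: $trusted"
        }
    } catch {
        New-Object PSObject -Property @{
            Host = $HostName; Port = $Port; TcpOpen = $true; Handshake = $false
            Detail = "TLS handshake failed: $($_.Exception.Message)"
        }
    } finally {
        $client.Close()
    }
}

$candidates = @(Get-LdapsCandidateCert)
if ($candidates.Count -eq 0) {
    Write-Warning ("No certificate with a private key and Server Authentication usage in " +
        "Cert:\LocalMachine\My; the LDAPS listener on port $Port will not start. " +
        "Enroll one (for example with 'certutil -pulse' after granting Autoenroll on the template).")
} else {
    "Certificates that can back LDAPS on $($env:COMPUTERNAME):"
    $candidates | Select-Object Subject, Issuer, Thumbprint, NotAfter | Format-Table -AutoSize
}

Test-LdapsHandshake -HostName $LdapHost -Port $Port |
    Format-List Host, Port, TcpOpen, Handshake, Detail
```

On a DC that has only the CA's root certificate imported into Trusted Root Certification Authorities (and no certificate of its own in the Personal store), the first part of the output is the warning and the handshake reports `TcpOpen = False`, which matches the `0x51` error from ldp.exe. After the Kerberos Authentication certificate is enrolled, the same run lists it under the candidates and the handshake succeeds; `chain trusted by this client` then tells you whether the issuing CA is trusted on the machine you ran the check from, which is a separate matter from whether the DC is listening.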