SSL – Active Directory LDAPS client certificate authentication

Tags: active-directory, ssl

I've a customer whose Linux server fails to connect to a remote AD server on port 636 and it appears to be due to the fact that it does not have a client certificate. Both the remote AD server and the Linux server have certificates issued by the same CA.

When reviewing the connection attempts in Wireshark, the Linux server sends a certificate of length 0 in response to the AD server hello requesting the client certificate. The AD server responds with a change cipher spec and an encrypted handshake message, to which the Linux server responds with a FIN, ACK; the AD server then responds with an ACK and a RST, ACK, which appears to half-close the connection.

When testing with Apache Directory Studio, in Wireshark I see the same client certificate request in the Server Hello from the AD server and a certificate of length 0 in the client response from Apache Directory Studio, but the connection succeeds after a change cipher spec and encrypted handshake message from both the remote AD server and Apache Directory Studio.

I'm trying to test the issue, and I'm wondering whether AD can be configured to require a client certificate for authentication or not, where this would be configured, or whether this request is sent automatically by AD.

Best Answer

The cause of the issue was the fact that our application was not RFC 3280 compliant and the Domain Controller authentication certificate template was.

More information on this can be found at https://blogs.technet.microsoft.com/askds/2008/09/16/third-party-application-fails-using-ldap-over-ssl/
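The answer does not say which RFC 3280 feature the application mishandled. The script below, added here and not part of the original question or answer, checks a DC's LDAPS certificate against one RFC 3280 rule (section 4.1.2.6: a certificate with an empty Subject must carry a critical subjectAltName), which is assumed here to be the feature a Domain Controller Authentication template certificate exercises; it assumes the openssl CLI, and the host name in the comment is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original post). Classify a PEM certificate by
# how it identifies its subject, per RFC 3280 section 4.1.2.6:
#   empty-subject-critical-san     Subject is empty, SAN present and critical
#                                  (RFC-compliant; the client must handle it)
#   empty-subject-no-critical-san  Subject is empty but SAN missing/non-critical
#                                  (violates RFC 3280 4.1.2.6)
#   named-subject san=...          ordinary certificate with a Subject DN
# To capture a live DC certificate (placeholder host):
#   openssl s_client -connect dc01.example.test:636 </dev/null 2>/dev/null \
#       | openssl x509 > dc.pem && check_cert dc.pem
check_cert() {
    pem=$1
    text=$(openssl x509 -in "$pem" -noout -text) || return 2
    # `openssl x509 -subject` prints "subject=" followed by nothing when empty
    subj=$(openssl x509 -in "$pem" -noout -subject | sed 's/^subject= *//')
    if printf '%s\n' "$text" | grep -q 'X509v3 Subject Alternative Name: critical'; then
        san=critical
    elif printf '%s\n' "$text" | grep -q 'X509v3 Subject Alternative Name:'; then
        san=present
    else
        san=absent
    fi
    if [ -n "$subj" ]; then
        echo "named-subject san=$san"
    elif [ "$san" = critical ]; then
        echo "empty-subject-critical-san"
    else
        echo "empty-subject-no-critical-san san=$san"
    fi
}

# Constructed sample: a self-signed certificate shaped the way a DC
# Authentication template certificate is assumed to look (no Subject,
# DNS name only in a critical SAN). Prints the path of the PEM file.
make_sample_cert() {
    dir=$(mktemp -d) || return 1
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/" \
        -addext "subjectAltName=critical,DNS:dc01.example.test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null || return 1
    echo "$dir/cert.pem"
}
```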
