Lenovo Software Helpdesk

            How can I check if my Microsoft Active Directory Domain Controller / LDAP Server has SSL?

            The following URL has a good write-up of the Microsoft tool LDP.exe:
            http://www.computerperformance.co.uk/w2k3/utilities/ldp.htm

            You can download ldp.zip directly from here: http://www.computerperformance.co.uk/ScriptsGuy/ldp.zip

            or copy from your Windows 2000 / 2003 Support Tools CD.

            Microsoft says:
            Verifying an LDAPS connection
            After a certificate is installed, follow these steps to verify that LDAPS is enabled:

            1. Start the Active Directory Administration Tool (Ldp.exe).
            2. On the Connection menu, click Connect.
            3. Type the name of the domain controller to which you want to connect.
               a. You must use a proper DNS name for the SSL test to work.
            4. Type 636 as the port number and check the SSL box.
            5. Click OK.

            RootDSE information should print in the right pane, indicating a successful connection.


            If you get an error saying, "Cannot open connection," LDP cannot establish a secure connection to the directory server. In this case, it's very likely that the server is not configured properly for LDAP over SSL. Verify the server name/IP address and port number. You can also use the Portqry tool to verify that the directory server is listening on the correct port.

            The following LDP output (for server name dc01) indicates that the connection failed because the certificate used in the SSL connection cannot be trusted:
            ld = ldap_sslinit("dc01", 636, 1);
            Error <0x0> = ldap_set_option(hLdap,LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
            Error <0x51> = ldap_connect(hLdap, NULL);
            Server error: {empty}
            Error <0x51>: Fail to connect to dc01.

            You can test a non-SSL connection by unchecking the SSL box and changing the port to 389.

            The same ldp.exe program can also be used to test the connection to the Global Catalog.
            Follow the same steps as before, but change the ports:
            The non-SSL port for the Global Catalog is 3268.
            The SSL port for the Global Catalog is 3269.
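            As an added example (not part of this article or of Microsoft's tools), the same check can be scripted from any machine: the Python script below opens a verified TLS session to the LDAPS port (636) and the Global Catalog SSL port (3269) and reports whether a failure is "nothing listening" (LDP's "Cannot open connection") or "certificate not trusted" (the 0x51 output above), printing the certificate subject, DNS names and expiry on success. The DC name dc01.example.com and the optional CA bundle path are placeholders you replace with your own.

```python
import socket
import ssl

# Ports from the article: LDAPS on the domain controller and on the Global Catalog.
LDAPS_PORTS = {"ldaps": 636, "gc-ssl": 3269}


def classify_error(exc):
    """Map a connection failure to the outcome an administrator needs to act on.

    Order matters: SSLCertVerificationError is a subclass of SSLError, which is
    itself a subclass of OSError, so the most specific class is tested first.
    """
    if isinstance(exc, ssl.SSLCertVerificationError):
        return "untrusted_cert"   # port speaks TLS, but the cert is not trusted / wrong name
    if isinstance(exc, ssl.SSLError):
        return "not_tls"          # port answered but no TLS handshake (e.g. plain LDAP on 389)
    if isinstance(exc, OSError):
        return "unreachable"      # refused, timed out, no route: nothing listening
    return "unknown"


def check_ldaps(host, port=636, cafile=None, timeout=5.0):
    """Open a verified TLS session to host:port and return a result dict.

    host must be the DNS name on the certificate (as the article notes, an IP
    address will not pass the hostname check). cafile is an optional PEM bundle
    holding the issuing CA; with None the system trust store is used.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
    except Exception as exc:
        return {"host": host, "port": port, "status": classify_error(exc), "detail": str(exc)}
    return {
        "host": host,
        "port": port,
        "status": "ok",
        "subject": dict(rdn[0] for rdn in cert.get("subject", ())),
        "san": [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"],
        "not_after": cert.get("notAfter"),
    }


if __name__ == "__main__":
    import sys
    dc = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.com"  # placeholder DC name
    for name, port in LDAPS_PORTS.items():
        print(name, check_ldaps(dc, port))
```

A status of "untrusted_cert" with a DNS name that matches the DC means the client simply lacks the issuing CA; pass it via cafile (or import it into the client's trust store) and re-run before suspecting the server.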

            Another tool that is good for checking the SSL certificate can be downloaded from here: http://swdl.stone-ware.com/support/techdocs/kb/s1189/ViewDirCert.zip

            Updated: 05 Aug 2014 07:42 AM