Discussion:
Active directory, LDAP and certificate
Rohart
2004-04-20 08:01:43 UTC
Hi all,

I need to establish a secure LDAP connection using
certificates between 2 Windows 2003 machines (port 636,
using SSL). The "server" is an Active Directory Controller
and the "client" is outside the Active Directory.

The connection works fine without SSL (port 389) between
both machines, works fine locally on the "server" using
SSL, works fine between windows 2003 server and a windows
2000 client, works fine when both W2003 machines are in
the domain BUT I keep on getting this error when I try
between the 2 W2003 machines with my particular
configuration :

The certificate received from the remote server has not
validated correctly. The error code is 0x80096004. The SSL
connection request has failed.

It seems that Windows 2003 performs more checks than
Windows 2000 concerning certificates and it causes
problems when they are not in the same domain.

Any ideas of what's going on?

Any help would be appreciated.

Stéphane
Dmitri Gavrilov [MSFT]
2004-04-20 09:58:37 UTC
There's something wrong with the server cert, or the client does not trust
it.
You are getting TRUST_E_CERT_SIGNATURE "The signature of the certificate can
not be verified."
--
Dmitri Gavrilov
SDE, Active Directory Core

This posting is provided "AS IS" with no warranties, and confers no rights.
Use of included script samples are subject to the terms specified at
http://www.microsoft.com/info/cpyright.htm

a***@discussions.microsoft.com
2004-04-20 10:32:29 UTC
There may be something wrong with the certificate but a
Windows 2000 client says it's fine so I wonder.
I've already reinstalled the whole thing to get new
certificates but it doesn't change anything.
Dmitri Gavrilov [MSFT]
2004-04-20 17:51:46 UTC
Can you view the server cert on the exact same client that is attempting to
bind? Do you have the CA that issued the cert in the trusted roots store on
the client?
--
Dmitri Gavrilov
SDE, Active Directory Core

Jason Robarts [MSFT]
2004-04-20 22:24:01 UTC
Dmitri is the authority. I'll add you may be able to find information that
would help in the SCHANNEL eventlog messages on the client.

Jason
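Dmitri's two questions (can the client itself see the server certificate, and is the issuing CA in the client's trusted roots store) and Jason's pointer to the client-side Schannel event log can be folded into one diagnostic run on the failing client. The script below is an added example for this thread, not code posted by anyone in it and not a Microsoft tool; it assumes a client with Windows PowerShell 5.1 or later (which the 2003-era machines in the thread did not have), and the DC name dc01.corp.example is a placeholder to replace with the FQDN used in the bind. It captures the certificate the DC presents on 636, rebuilds the chain against the client's own stores so that each chain status is visible rather than a single error code, checks the points that matter for LDAPS (hostname, Server Authentication EKU, root present in the Trusted Root store), and then lists recent Schannel events.

```powershell
# Added LDAPS diagnostic (not part of the original thread). Run it on the CLIENT that
# fails to bind. Assumes Windows PowerShell 5.1 or later; $Server is a placeholder DC
# name and must be replaced with the real FQDN used in the LDAP bind.
param(
    [string]$Server = 'dc01.corp.example',   # placeholder, not from the thread
    [int]$Port = 636
)

function Get-LdapsServerCertificate {
    # Open a TLS session to the DC and return the leaf certificate it presented.
    # The validation callback returns $true on purpose: we want the certificate even
    # when the client does not trust it, so that validation can be done explicitly
    # below and every failure reason can be shown.
    param([string]$ComputerName, [int]$Port)
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

function Test-LdapsCertificate {
    # Re-validate the certificate against this client's own stores and surface each
    # individual chain status instead of the single HRESULT Schannel reports.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [string]$ExpectedHost
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, required for LDAPS on a DC
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Revocation checking is switched off here so that a CRL that is unreachable from
    # outside the domain cannot mask a trust or signature problem. Re-enable it once
    # the chain itself builds cleanly.
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $chain.Build($Certificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootTrusted = Test-Path -Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
    $dnsName = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

    [pscustomobject]@{
        Subject            = $Certificate.Subject
        Issuer             = $Certificate.Issuer
        NotAfter           = $Certificate.NotAfter
        DnsName            = $dnsName
        HostnameMatches    = ($dnsName -ieq $ExpectedHost)
        HasServerAuthEku   = $hasServerAuth
        ChainBuilt         = $built
        RootSubject        = $root.Subject
        RootInTrustedStore = $rootTrusted
        # Flags such as UntrustedRoot, PartialChain or NotSignatureValid name the
        # cause that the LDAP client reports only as one error code.
        ChainStatus        = ($chain.ChainStatus | ForEach-Object { "$($_.Status): $($_.StatusInformation.Trim())" }) -join '; '
    }
}

function Get-SchannelEvents {
    # The client-side Schannel events Jason refers to live in the System log under
    # the "Schannel" provider.
    param([int]$Hours = 1)
    Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; StartTime = (Get-Date).AddHours(-$Hours) } -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, LevelDisplayName, Message
}

$cert = Get-LdapsServerCertificate -ComputerName $Server -Port $Port
Test-LdapsCertificate -Certificate $cert -ExpectedHost $Server | Format-List
Get-SchannelEvents -Hours 1 | Format-List
```

Reading the output: RootInTrustedStore false together with an UntrustedRoot or PartialChain status is the case Dmitri's second question is aimed at, and the fix is to import the issuing CA's certificate into the client's Trusted Root Certification Authorities store (the machine store, since the LDAP client is validating in machine context). A NotSignatureValid status means a signature in the chain does not verify on this client, which is what 0x80096004 (TRUST_E_CERT_SIGNATURE) names; in that case compare the thumbprint printed here with the certificate installed on the DC to rule out a stale or mismatched copy. HostnameMatches false or HasServerAuthEku false will also stop an LDAPS bind even when the chain is trusted. If the Schannel query returns nothing, Schannel logging on modern Windows is controlled by the REG_DWORD value EventLogging under HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL (1 logs errors, 7 is verbose), so raise it and reproduce the bind.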