Enabling LDAPS: Cannot get to open port 636

The problem was that I used the IP address when trying to connect, while the certificate was issued for a DNS name. Now it works.



Jonas Hoffmann

Updated on September 18, 2022

Comments

  • Jonas Hoffmann
    Jonas Hoffmann over 1 year

    I have a domain controller, which has Active Directory (AD). I want to turn on LDAPS on this AD, so that I could access the AD via secure connection. I have followed the following guide: http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

    I have done everything in "Publishing a Certificate that Supports Server Authentication" and "Exporting the LDAPS Certificate and Importing for use with AD DS". When I try to netstat, I can see that port 636 is open, but its IP address is 0.0.0.0, which supposedly means that it cannot be accessed from outside. The plain LDAP does work and I can both connect to it and see it in netstat as open both for 0.0.0.0 and my domain controller's IP address, but I cannot access the domain controller via LDAPS.

    What is the problem? Have I missed some step in this guide? What do I need to do extra? I have tested LDAP and LDAPS connection with Active Directory Administration Tool.

    This is the output I get from LDP.EXE:

    ld = ldap_sslinit("10.165.0.10", 636, 1);
    Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
    Error 81 = ldap_connect(hLdap, NULL);
    Server error: <empty>
    Error <0x51>: Fail to connect to 10.165.0.10.
    
    • dawud
      dawud about 9 years
      0.0.0.0 means all interfaces; can you telnet to port 636?
    • Jonas Hoffmann
      Jonas Hoffmann about 9 years
      @dawud yes, I can.
    • dawud
      dawud about 9 years
      Have you tried manually connecting to the AD LDAPS endpoint and retrieving the certificates (by means of a command-line client)? Have you tried binding locally and remotely? From what you say, the service is listening on all interfaces and you should be able to use it.
    • Jonas Hoffmann
      Jonas Hoffmann about 9 years
      @dawud Well, I used AD Administration Tool to connect to my AD both via LDAP and LDAPS. Do you mean something else? If yes, please provide information on how to do that or where to find more information. What do you mean by saying to bind locally and remotely? I did try to connect to AD from another computer.
    • Jonas Hoffmann
      Jonas Hoffmann about 9 years
      I have updated my original post with extra information. I also tried to connect to LDAPS from the domain controller itself, but it is the same error.
    • Jonas Hoffmann
      Jonas Hoffmann about 9 years
      Nevermind, I did find what the problem was. Read my answer.
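The accepted answer (the certificate was issued for the domain controller's DNS name, but the client dialled the IP address) and dawud's suggestion to pull the certificate from port 636 with a command-line client both come down to one check: does the name you connect with appear in the certificate's subjectAltName? The following is an added example, not code from the thread. It reproduces the dNSName/iPAddress matching rule a TLS client applies, runs it offline against a constructed SAN list for a hypothetical controller `dc01.example.test`, and includes a live probe (`fetch_ldaps_cert`, a name chosen here) that retrieves the certificate from an LDAPS port with verification left on. The IP `10.165.0.10` is the one from the question; the DNS names are assumptions.

```python
"""Check whether the name used to reach an LDAPS endpoint is one its certificate was issued for.

Failure mode from the thread: the LDAPS certificate carried the DC's DNS name, the client
connected by IP, so hostname verification failed and ldap_connect reported error 81.
"""
import ipaddress
import socket
import ssl
from typing import Iterable, Optional, Tuple

# Same shape as ssl.getpeercert()["subjectAltName"]: (("DNS", "host"), ("IP Address", "1.2.3.4"), ...)
SanList = Iterable[Tuple[str, str]]

# Constructed sample: what AD CS typically issues for a DC (DNS names only, no iPAddress entry).
DC_CERT_SAN = (("DNS", "dc01.example.test"), ("DNS", "example.test"))


def _dns_name_match(pattern: str, name: str) -> bool:
    """RFC 6125 style comparison: case-insensitive; a wildcard is only honoured as the
    entire left-most label and must leave at least two labels to the right."""
    pattern, name = pattern.lower().rstrip("."), name.lower().rstrip(".")
    if pattern == name:
        return True
    p_labels, n_labels = pattern.split("."), name.split(".")
    if len(p_labels) != len(n_labels) or p_labels[0] != "*" or len(p_labels) < 3:
        return False
    return p_labels[1:] == n_labels[1:]


def name_matches_san(connect_name: str, san: SanList) -> Tuple[bool, str]:
    """Return (ok, reason). An IP literal is only satisfied by an iPAddress SAN;
    a hostname only by a dNSName SAN. This is the rule that made the thread's
    IP-based connection fail even though port 636 was reachable."""
    try:
        ip = ipaddress.ip_address(connect_name)
    except ValueError:
        ip = None
    dns_names = [v for k, v in san if k == "DNS"]
    ip_names = [v for k, v in san if k == "IP Address"]
    if ip is not None:
        for v in ip_names:
            if ipaddress.ip_address(v) == ip:
                return True, f"IP {ip} is listed as an iPAddress SAN"
        return False, (f"connected by IP {ip}, but the certificate has no matching iPAddress SAN "
                       f"(dNSName entries: {dns_names or 'none'}); connect by DNS name instead")
    for pattern in dns_names:
        if _dns_name_match(pattern, connect_name):
            return True, f"{connect_name} matches dNSName {pattern}"
    return False, f"{connect_name} matches none of the dNSName SANs {dns_names}"


def fetch_ldaps_cert(host: str, port: int = 636, ca_file: Optional[str] = None,
                     timeout: float = 5.0) -> dict:
    """Live probe (hypothetical helper): open a TLS session to the LDAPS port and return the
    parsed peer certificate. Verification stays on, so a name mismatch raises
    ssl.SSLCertVerificationError exactly as a correctly configured LDAP client would.
    Pass ca_file when the issuing CA is a private AD CS root, which is the usual case."""
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    # Offline demonstration against the constructed SAN list above.
    for candidate in ("10.165.0.10", "dc01.example.test", "DC01.EXAMPLE.TEST"):
        ok, why = name_matches_san(candidate, DC_CERT_SAN)
        print(f"{candidate:20} {'OK ' if ok else 'BAD'} {why}")
```

To run the live probe, call `fetch_ldaps_cert("dc01.example.test", ca_file="root-ca.pem")` with your own controller name and CA file, then feed `cert["subjectAltName"]` to `name_matches_san` with whatever name your application actually dials; if that returns `False`, the fix is to connect by the name in the certificate (or reissue the certificate with the needed SAN), not to disable verification.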