find the client responsible for the schannel ldap error

active-directory schannel
10,186

Solution 1

Built-in you can't find easily the source of the message.

You need tcpdump, microsoft network monitor or wireshark to find the machine causing the error. (many thread told the same, there, there or there (See in the comment the answer to George about tcpdump))

Solution 2

If you are able to capture the traffic flowing to DC for analysis then you can use Wireshark's packet search to find certificates being presented.

This wireshark filter looks for certificate exchange and filters out anything issued by "LDAP SSL test", this would allow you to find certs not issued by your domain.

(ssl.handshake.type == 11) && !(x509sat.uTF8String == "LDAP SSL test")

I don't have an AD example to work on so that is using a standard LDAP over TLS pcap from the wireshark samples page.

Share:
10,186

Related videos on Youtube

natxo asenjo
Author by

natxo asenjo

Updated on September 18, 2022

Comments

  • natxo asenjo
    natxo asenjo almost 2 years

    somewhere in our network an ldap client is querying our AD servers without the proper CA information. This provokes the (in my view useless) system critical (source: schannel) event id 36887 on the domain controllers' event log:

    The following fatal alert was received: 46.

    How can I locate the misconfigured client?

    • Admin
      Admin almost 8 years
      Does this error keeps happening? Or it just happened once?
    • Admin
      Admin almost 8 years
      it keeps happening to the ldap servers in the default first site, so the client is contained to those ip ranges.
  • natxo asenjo
    natxo asenjo almost 8 years
    I tend to agree, and it sucks ;-) (not your comment, the situation). Another solution would be to turn off schannel loggging altogether, but that may have unexpected effects.
  • natxo asenjo
    natxo asenjo almost 8 years
    that was a nice suggestion, but the webserver role is not installed in these domain controllers (2008r2).
  • natxo asenjo
    natxo asenjo almost 8 years
    thanks for the script. Our infrastructure is a mix of windows and linux clients, so this would only cover a part of it. Nice idea, though.

Recents

Why Is PNG file with Drop Shadow in Flutter Web App Grainy?
How to troubleshoot crashes detected by Google Play Store for Flutter app
Cupertino DateTime picker interfering with scroll behaviour
Why does awk -F work for most letters, but not for the letter "t"?
Flutter change focus color and icon color but not works
How to print and connect to printer using flutter desktop via usb?
Critical issues have been reported with the following SDK versions: com.google.android.gms:play-services-safetynet:17.0.0
Flutter Dart - get localized country name from country code
navigatorState is null when using pushNamed Navigation onGenerateRoutes of GetMaterialPage
Android Sdk manager not found- Flutter doctor error
Flutter Laravel Push Notification without using any third party like(firebase,onesignal..etc)
How to change the color of ElevatedButton when entering text in TextField

Related

What are the other alternative to test a LDAP connection on linux machine
Make sssd respect Acctive Directory nested groups
Joining an Active Directory domain using netdom
How to get UPN for authenticated user in .NET web application, without querying Active Directory
How do I configure a SQL Server datasource in JBoss to connect using a specific Active Directory user?
How to import a groups members using 'ldifde'?
Apache Kerberos Authentication - Client didn't delegate us their credential
Powershell: How do you set the Read/Write Service Principal Name AD Permissions?
C# / ASP.NET / AD - "The specified directory service attribute or value does not exist."
C# PrincipalSearcher, returning AD groups for specific OU