Return
-
Title
Authentication module DynamicLDAP fails with error "The server is not operational" when using SSL -
Description
Authentication module DynamicLDAP fails with error "The server is not operational" when using SSL -
Cause
The authentication module uses the class DirectoryEntry from Microsoft's .NET namespace System.DirectoryServices. This includes verifcation of the certificate chain and the hostname. -
Resolution
- A self signed server certificate does not work with DirectoryEntry. You need a valid CA signed server certificate and the CA cert needs to be available in the user's or machine's "Trusted Root Certification Authorities". When opening the certificate, it should display "The certificate is OK" for the whole tree under the tab "Certification Path".
- Client and server need to be able to agree on a cipher suite during handshake. Both the LDAP server and the authenticator (e.g. via Windows GPO) could limit the cipher suites they allow. If client and server do not have any permitted cipher suites in common, the SSL handshake fails.
- The hostname in the connectionstring needs to match one of the hostnames in the certificates subject, cn property. E.g. providing the InitialData "Server=myldap.loc;Port=636;RootDN=dc=myldap,dc=loc;Authentication=SecureSocketsLayer" works but "Server=192.168.40.90;Port=636;RootDN=dc=myldap,dc=loc;Authentication=SecureSocketsLayer" does not.
You can test using the tool LDAPAdmin.exe from http://www.ldapadmin.org/ or ADSIEdit or VINSProviderTest.exe (in LDAPADSI mode with the setting Encryption(SSL)). The tools should not issue any warnings or errors when connecting to the LDAP server.
Please note that Authentication=SecureSocketsLayer is relatively slow. You can however combine AuthenticationTypes (e.g. SecureSocketsLayer and ServerBind) like this:
Server=myldap.loc;Port=636;RootDN=dc=myldap,dc=loc;Authentication=SecureSocketsLayer" works but "Server=192.168.40.90;Port=636;RootDN=dc=myldap,dc=loc;Authentication=ServerBind, SecureSocketsLayer