LDAP over SSL on Windows 2012R2 Server DCs - TLS 1.2 not working

Hi there,

We've upgraded our DCs from 2008 R2 to 2012 R2.

After moving the Enterprise CA from 2008 R2 to 2012 R2 domain controller (same IP, same hostname) according to this guide: http://technet.microsoft.com/en-us/library/ee126170(v=ws.10).aspx everything seemed to work.

However, some 3rd party (Linux) machines that depended on LDAPS connections stopped working:

Log from the Linux server looked like this:

ict_ldap_connect: Unable to bind to server ldaps://*.*.*.* with dn user@domain: -1 (Can't contact LDAP server)

and in the DC system log, hundreds of EventID 36874 and 36888 started appearing:

36888

A fatal alert was generated and sent to the remote endpoint. This may result in termination of the connection. The TLS protocol defined fatal error code is 40. The Windows SChannel error state is 1205.

36874

An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

What I've checked as suggested on blogs and forums:

CA is trusted, certs check out, CRL is available

DC certs are valid, trusted, any possible certutil check passed...

port 636 is not firewalled, lsass is listening on the port

Here comes the strange part:

testing with LDP.exe failed from any domain joined machine, even from the DC to localhost, however LDP could successfully connect to 636/SSL from an old Win 7 machine not joined to the domain.

So we decided to test it from a Linux machine not joined to the domain and eventually found out that if we try to connect to LDAPS over port 636 using TLS 1.2, it fails no matter what (and 36874/36888 EventIDs appear in the event log on the DC).

But when we forced the use of TLS 1.1 (or 1.0), everything ran smoothly, the DC responded, LDAP queries were successful...

So as a workaround I turned off TLS 1.2 in registry and everything seems to work.

My first idea was that there's something wrong with TLS 1.2 on Win Server 2012 R2, but when trying to recreate the behaviour in the LAB, 2012R2 was working flawlessly, LDP.exe could connect over 636 etc...

So can anyone shed some light on the issue?

Thanks

  • Moved by AwinishMVP Thursday, January 09, 2014 1:32 AM
January 8th, 2014 6:58pm
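The per-version test the poster ran from the non-domain Linux box can be scripted so the result is unambiguous. The script below is an added example, not code from the thread: it opens a TLS connection to port 636 once per protocol version with that version pinned on both ends, records which handshakes the DC accepts, and turns the pattern into a one-line reading. A handshake_failure alert (TLS fatal alert code 40, the code quoted in event 36888) on the TLS 1.2 attempt while 1.0/1.1 succeed is the signature of a server-side cipher-suite restriction rather than a certificate or listener problem. The hostname is a constructed placeholder; certificate validation is deliberately switched off because the poster had already verified the chain and the question here is only negotiation.

```python
"""Probe an LDAPS endpoint with each TLS version separately.

Added example, not from the original thread. Hostname and the sample
results used in comments are constructed placeholders.
"""
import socket
import ssl

VERSIONS = {
    "TLSv1.0": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
}


def parse_ldaps_uri(uri):
    """Return (host, port) for an ldaps:// URI; default port is 636."""
    if not uri.lower().startswith("ldaps://"):
        raise ValueError("expected an ldaps:// URI")
    rest = uri[len("ldaps://"):].split("/", 1)[0]
    if ":" in rest:
        host, port = rest.rsplit(":", 1)
        return host, int(port)
    return rest, 636


def probe_version(host, port, name, timeout=5.0):
    """Handshake with exactly one TLS version pinned; return (ok, detail)."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = VERSIONS[name]
    ctx.maximum_version = VERSIONS[name]
    # Trust was verified separately by the poster; this probe only looks at
    # protocol and cipher-suite negotiation.
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return True, f"{tls.version()} {tls.cipher()[0]}"
    except ssl.SSLError as exc:
        # A handshake_failure alert here is what the DC logs as 36874/36888.
        return False, f"SSLError: {exc.reason or exc}"
    except OSError as exc:
        return False, f"OSError: {exc}"


def probe_all(host, port):
    """Run the pinned-version probe for every entry in VERSIONS."""
    return {name: probe_version(host, port, name) for name in VERSIONS}


def diagnose(results):
    """Turn per-version outcomes into a one-line reading of the symptom."""
    ok = {name for name, (good, _) in results.items() if good}
    if not ok:
        return "no TLS version negotiates: check listener, firewall, certificate binding"
    if "TLSv1.2" not in ok and ok & {"TLSv1.0", "TLSv1.1"}:
        return ("TLS 1.2 rejected while older versions work: "
                "server-side cipher-suite restriction (SCHANNEL cipher order / Suite B policy)")
    if ok == {"TLSv1.2"}:
        return "only TLS 1.2 negotiates: older protocols disabled on the server"
    return "all probed versions negotiate"


if __name__ == "__main__":
    host, port = parse_ldaps_uri("ldaps://dc.example.test")  # constructed placeholder
    res = probe_all(host, port)
    for name, (good, detail) in res.items():
        print(f"{name}: {'OK  ' if good else 'FAIL'} {detail}")
    print(diagnose(res))
```

Run it from a machine outside the domain, as in the thread, so that domain GPO cannot alter the client side of the negotiation; a result of "TLS 1.2 rejected while older versions work" points at the server's cipher-suite list, which is the thing to compare against what the Linux clients offer.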

If it helps, here's the error from LDP.exe:

ld = ldap_sslinit("dc.domain", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to dc.domain.

January 8th, 2014 7:07pm

Hi,

Thank you for your question.  

I am trying to involve someone familiar with this topic to further look at this issue. There might be some time delay. Appreciate your patience.

Thank you for your understanding and support.

TechNet Subscriber Support

If you are a TechNet Subscription user and have any feedback on our support quality, please send your feedback here.

January 10th, 2014 9:15am

Hi,

thanks for the response.

As said, the workaround works for now, so no hurry :)

Peter

January 13th, 2014 5:28am

Hi,

The only cause I can imagine is that there are some GP settings related to TLS applied to the 2012 DCs, so please run GPresult to check it, and see the following posts.

http://social.technet.microsoft.com/Forums/windowsserver/en-US/088b5fdb-914f-4217-bb8a-44e939516df2/suite-b-and-secure-ldap?forum=winserversecurity

http://blogs.msdn.com/b/kaushal/archive/2011/10/02/support-for-ssl-tls-protocols-on-windows.aspx

January 14th, 2014 5:05am
