Log Report
Template: Windows Event Log
Log Name: System
Type: Warning
Source: Schannel
Event ID: 36872
joverland
Posts: 41

5/13/2011
Revision 6
We configured our 2003 Domain Controllers for Secure LDAP over SSL using an Enterprise CA and publishing the Kerberos Authentication template. The Domain Controllers successfully auto-enrolled with the Kerberos Certificates, but LDAPS still did not work. This is the only error we could find in the Event Logs to go on.

This Microsoft KB gives some information on the event, but doesn't provide any help in diagnosing the source of the event: http://support.microsoft.com/kb/261196

Attempts to connect to the DC over LDAPS with LDP.exe result in the following:

ld = ldap_sslinit("my.fqdn.com", 636, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to my.fqdn.com.

Microsoft Premier Support confirmed this to be a bug in the way Windows 2008 SP1 CA Servers issue Certificates for the Kerberos Authentication template. The fix is to apply SP2 to the Certificate Servers or upgrade the Certificate Servers to Windows 2008 R2. We elected to upgrade to Windows 2008 R2 which did resolve the issue.
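
Added example, not part of the original post: a PowerShell check that repeats the LDP.exe connection test against port 636 and, when the TLS handshake completes, reports the certificate the Domain Controller presents, including whether it lists the Server Authentication EKU (1.3.6.1.5.5.7.3.1) that an LDAPS certificate must carry. The function name Test-LdapsHandshake is hypothetical, and my.fqdn.com is the placeholder host name from the post.

```powershell
# Added example; Test-LdapsHandshake is a hypothetical helper name.
function Test-LdapsHandshake {
    param(
        [Parameter(Mandatory = $true)] [string] $Server,  # DC FQDN (the post uses my.fqdn.com)
        [int] $Port = 636
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
    $state  = @{ PolicyErrors = $null }
    $result = [ordered]@{ Server = $Server; Port = $Port; TcpConnect = $false; TlsHandshake = $false }
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($Server, $Port)
        $result.TcpConnect = $true
        # Record chain and name errors instead of failing on them, so the
        # certificate can still be inspected when this client does not trust it.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($origin, $certificate, $chain, $errors)
            $state.PolicyErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)
        $result.TlsHandshake = $true
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $eku = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
        }
        $result.Subject       = $cert.Subject
        $result.Issuer        = $cert.Issuer
        $result.NotAfter      = $cert.NotAfter
        $result.Thumbprint    = $cert.Thumbprint
        $result.HasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
        $result.PolicyErrors  = $state.PolicyErrors
    }
    catch {
        # TCP connection refused, or the server aborted the TLS handshake.
        $result.Error = $_.Exception.GetBaseException().Message
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
    [pscustomobject]$result
}

Test-LdapsHandshake -Server 'my.fqdn.com'
```

TcpConnect true with TlsHandshake false means the port is listening but the server could not complete TLS, which is the client-side view of the failure LDP.exe reports as Error 81.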


