Forum Discussion
LDAP SSL with Third-Party Certificate schannel event Id 36887 fatal alert 46
- Nov 02, 2020
Ok folks,
There was a setting on Mimecast called Encryption Mode allowing Relaxed OR Strict.
Their notes state:
If the "Encrypt Connection" option is checked, specify one of the following encryption modes:
Encryption Mode / Description
Strict - Trust Enforced: This mode requires a certificate issued by a Mimecast trusted public root certification authority, and a key length greater than 1024 bits to be installed on your domain controller.
Relaxed: This mode must be used if your certificate is self-signed, has a key length of less than 1024 bits, or has an incomplete trust chain.
Not sure why it was required as Strict should have worked, but we are up and going now.
Greg
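Added example (not part of the original posts or of Mimecast's documentation): a PowerShell check of a certificate against the three conditions in the notes quoted above, namely key length, self-signed, and trust chain. The function name is hypothetical, the local Windows trust store stands in for Mimecast's trusted root list, and the sample certificate is constructed in memory so the script runs offline.

```powershell
# Hypothetical helper: reports the properties the quoted notes tie to Strict vs Relaxed.
function Test-LdapsCertForStrictMode {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate
    )

    # Condition 1: key length greater than 1024 bits (this sketch handles RSA keys only).
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    $keyBits = if ($rsa) { $rsa.KeySize } else { 0 }

    # Condition 2: the certificate is not self-signed (subject and issuer differ).
    $selfSigned = $Certificate.Subject -eq $Certificate.Issuer

    # Condition 3: the chain builds completely to a trusted root.
    # Assumption: the local machine's trust store approximates the relying party's list.
    # Revocation checking is disabled so the check needs no network access.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $chainOk = $chain.Build($Certificate)
    $problems = @($chain.ChainStatus | ForEach-Object { $_.Status.ToString() })

    [pscustomobject]@{
        Subject       = $Certificate.Subject
        KeyBits       = $keyBits
        SelfSigned    = $selfSigned
        ChainComplete = $chainOk
        ChainProblems = $problems -join ', '
        MeetsStrict   = ($keyBits -gt 1024) -and (-not $selfSigned) -and $chainOk
    }
}

# Constructed sample input: a self-signed, 1024-bit certificate for a placeholder host name.
$key = [System.Security.Cryptography.RSA]::Create(1024)
$req = [System.Security.Cryptography.X509Certificates.CertificateRequest]::new(
    'CN=dc01.example.test', $key,
    [System.Security.Cryptography.HashAlgorithmName]::SHA256,
    [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
$now = [DateTimeOffset]::UtcNow
$sample = $req.CreateSelfSigned($now.AddDays(-1), $now.AddDays(30))

Test-LdapsCertForStrictMode -Certificate $sample | Format-List
```

To evaluate the certificate a domain controller actually serves, export it from the DC's certificate store as a .cer file and pass it in with `[System.Security.Cryptography.X509Certificates.X509Certificate2]::new('path\to\dc.cer')`.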
 
I decided to use Network Monitor to look at things... not that I would fully follow it. Here are some images from this:
First image is a Successful test connection from External Mimecast to internal DC with no SSL, just standard LDAP:
Second image is successful test connection using LDP on internal server to DC using SSL LDAP:
Last image is the failed test connection from external Mimecast to internal DC using LDAP and SSL:
What I ultimately see is after the initial handshake it leads to a TLS Rec Layer-1 Encryption Alert. But not sure what that really means and how to fix it.
Greg