a.) You could change your application to comply with RFC 3280, i.e. accept a certificate whose Subject field is empty as long as the subjectAltName extension is present and marked critical (see the excerpt from RFC 3280 below).
b.) You could configure the domain controller to use a certificate based on the version 1 Domain Controller template.
c.) In the Domain Controller Authentication certificate template, you can change the Subject name format from “None” to “Common name”. You can then issue a new Domain Controller Authentication certificate to the Domain Controller. In this certificate the Subject field contains the DNS name of the machine, and the SAN extension is no longer marked critical. Then delete the old “Domain Controller Authentication” certificate. Finally, reboot the machine.
Why reboot? As a general rule, if a Domain Controller already has a certificate for LDAP over SSL, it will not pick up the new one until the next reboot.
End result: The 3rd party application can successfully connect to this Domain Controller.
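As an added example (not part of the original post), here is a PowerShell snippet that shows the two checks a practitioner wants around option c: which Server Authentication certificate(s) in the DC's machine store have the “blank Subject + critical SAN” shape that the third-party application rejects, and whether an LDAPS bind to the DC actually succeeds. It assumes an elevated PowerShell session on the Domain Controller (or a machine that can reach it on port 636); the server name `dc01.contoso.com` is a placeholder, and the Server Authentication, subjectAltName and certificate-template OIDs are the standard values.

```powershell
# Added example, not from the original post. Inspect the local machine store for
# Server Authentication certificates and flag the RFC 3280 "empty Subject, critical
# SAN" shape that the third-party LDAP client in this post could not handle.
function Get-LdapsCandidateCert {
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'        # id-kp-serverAuth (required by Schannel for LDAPS)
    $sanOid        = '2.5.29.17'                # subjectAltName
    $templateOid   = '1.3.6.1.4.1.311.21.7'     # Microsoft certificate template information (v2 templates)

    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        # Only certificates with a private key and the Server Authentication EKU are LDAPS candidates.
        $hasServerAuth = $cert.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid }
        if (-not ($cert.HasPrivateKey -and $hasServerAuth)) { continue }

        $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
        $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -eq $templateOid }

        [pscustomobject]@{
            Thumbprint   = $cert.Thumbprint
            Template     = if ($tmpl) { $tmpl.Format($false) } else { '(v1 template or none)' }
            Subject      = $cert.Subject                       # "" when the Subject is an empty sequence
            SanCritical  = if ($san) { $san.Critical } else { $null }
            SanValue     = if ($san) { $san.Format($false) } else { $null }
            NotAfter     = $cert.NotAfter
            # RFC 3280 4.2.1.7: an empty Subject forces a critical subjectAltName.
            # This is the shape a non-compliant client chokes on; option c removes it.
            Rfc3280Shape = [bool]($san -and $san.Critical -and [string]::IsNullOrEmpty($cert.Subject))
        }
    }
}

# Try a real LDAP over SSL bind against the DC (port 636). Returns $true on success,
# $false (with the Schannel/LDAP error as a warning) on failure.
function Test-LdapsBind {
    param([Parameter(Mandatory)][string]$Server)   # placeholder: 'dc01.contoso.com'
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try   { $conn.Bind(); return $true }
    catch { Write-Warning $_.Exception.Message; return $false }
    finally { $conn.Dispose() }
}

# Usage: run before and after reissuing the certificate and rebooting.
Get-LdapsCandidateCert | Format-List
Test-LdapsBind -Server 'dc01.contoso.com'
```

Run `Get-LdapsCandidateCert` before the change: the Domain Controller Authentication certificate shows an empty `Subject` and `SanCritical = True`. After re-enrolling with the modified template, removing the old certificate (for example `Remove-Item Cert:\LocalMachine\My\<thumbprint>`) and rebooting, the remaining candidate shows the DC's DNS name in `Subject` and `SanCritical = False`, which is the certificate the third-party client can validate. `Test-LdapsBind` exercises Windows' own LDAP client, so a failure there points at the DC side (no usable certificate, or the old one still bound until reboot) rather than at the third-party application's RFC 3280 handling.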
So why did this whole problem occur?
This change to a “blank Subject field and a critical SAN field” was made to conform to RFC 3280 (Internet X.509 Public Key Infrastructure Certificate and CRL Profile, April 2002). Here is the excerpt from that RFC that explains why the change was made:
RFC 3280 Internet X.509 Public Key Infrastructure
4.2.1.7 Subject Alternative Name
Because the subject alternative name is considered to be definitively bound to the public key, all parts of the subject alternative name MUST be verified by the CA.
Further, if the only subject identity included in the certificate is an alternative name form (e.g., an electronic mail address), then the subject distinguished name MUST be empty (an empty sequence), and the subjectAltName extension MUST be present. If the subject field contains an empty sequence, the subjectAltName extension MUST be marked critical.
Note: work is currently underway to specify domain names in international character sets. Such names will likely not be accommodated by IA5String. Once this work is complete, this profile will be revisited and the appropriate functionality will be added.
Finally, here are a few additional links which can be helpful in planning and understanding this issue.
How to troubleshoot LDAP over SSL connection problems
You may be unable to connect to a Windows Server 2003-based domain controller by using LDAP over an SSL connection
Until next time folks, take care out there!
- Michael Hunter