Where he details:
The DC supports LDAP over SSL/TLS.
A client may present a certificate on a session. The server then needs to check that certificate for revocation, which can take some time.
This becomes problematic if network communication is restricted and the DC cannot reach the CRL Distribution Point (CDP) listed in the certificate.
To determine whether your clients are using secure LDAP (LDAPS), check the performance counter "LDAP New SSL Connections/sec" on the DC.
If there is a significant number of such sessions, you might want to enable CAPI2 logging to see which chain-building and revocation checks the DC performs and where they stall.
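The check described above, as an added PowerShell example (not code from the original post): sample the LDAPS counter on the DC and, if LDAPS sessions are arriving, turn on the CAPI2 operational log and pull the chain-build, revocation and network-retrieval events. The counter path, the event IDs (11 Build Chain, 41 Verify Revocation, 53 Retrieve Object from Network) and the 30-second sampling window are assumptions to verify against your OS version.

```powershell
# Added example, not from the original post. Run elevated on the domain controller.
# Assumptions: the counter lives under the NTDS object as '\NTDS\LDAP New SSL Connections/sec';
# CAPI2 IDs 11 (Build Chain), 41 (Verify Revocation) and 53 (Retrieve Object from Network)
# are the events of interest. Confirm both against your Windows Server version.

# 1. Sample new LDAPS connections for 30 seconds (6 samples, 5 s apart).
$samples = Get-Counter -Counter '\NTDS\LDAP New SSL Connections/sec' -SampleInterval 5 -MaxSamples 6
$avg = ($samples.CounterSamples | Measure-Object -Property CookedValue -Average).Average
'Average new LDAPS connections/sec over 30 s: {0:N2}' -f $avg

if ($avg -gt 0) {
    # 2. The CAPI2 operational log is disabled by default; enable it and raise its size
    #    (100 MB here) so entries are not overwritten before you read them.
    wevtutil sl Microsoft-Windows-CAPI2/Operational /e:true /ms:104857600

    # 3. After some client sessions have come in, collect the relevant events.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-CAPI2/Operational'
        Id        = 11, 41, 53
        StartTime = (Get-Date).AddMinutes(-30)
    } -ErrorAction SilentlyContinue

    # 4. Level 2 = Error. Failed ID 53 entries name the CDP/AIA/CTL URL the DC could not reach,
    #    which is exactly the restricted-network case the post describes.
    $events | Where-Object { $_.Level -eq 2 } |
        Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -split "`n")[0] } } |
        Format-Table -AutoSize
}
```

Leave the CAPI2 log enabled only for the diagnosis window; it is verbose, and on a busy DC the 100 MB cap above fills quickly.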
(particularly to avoid hitting the TLS protocol limitation described here:
Allowing access to the publicly reachable Microsoft CTL URL http://ctldl.windowsupdate.com/msdownload/update/v3/static/trustedr/en/authrootstl.cab
Defining and maintaining an internal trusted CTL distribution point, as outlined in Configure Trusted Roots and Disallowed Certificates
If you require more granular control over which CAs client machines trust, you can deploy the third-party CA certificates as needed via GPO
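The second option above (an internal CTL distribution point) and the GPO-based alternative, as an added PowerShell example that is not code from the original post or from Microsoft's documentation. The share path \\fileserver\ctl and the root certificate file ContosoRootCA.cer are hypothetical; the registry location under SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\AutoUpdate is the policy path that the Configure Trusted Roots and Disallowed Certificates guidance documents, and the direct registry edit stands in for the GPO Registry preference you would normally use.

```powershell
# Added example, not from the original post. Assumptions: \\fileserver\ctl is a hypothetical
# share readable by Domain Computers; the host running step 1 has Internet access;
# ContosoRootCA.cer is a hypothetical third-party root you want clients to trust.

$share = '\\fileserver\ctl'

# 1. On a host WITH Internet access: pull the current trusted-root and disallowed CTLs,
#    plus the root certificates they reference, into the share. Schedule this to re-run
#    so the internal copy does not go stale.
certutil -syncWithWU $share

# 2. On the restricted clients/DCs (normally pushed as a GPO Registry preference; shown here
#    as the equivalent direct edit): point the AuthRoot auto-update at the share instead of
#    ctldl.windowsupdate.com.
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\SystemCertificates\AuthRoot\AutoUpdate'
New-Item -Path $policy -Force | Out-Null
Set-ItemProperty -Path $policy -Name 'RootDirUrl' -Value $share -Type String

# 3. Sanity check from a client: the CTL file the auto-update mechanism will look for must be
#    reachable at the configured location.
if (-not (Test-Path (Join-Path $share 'authrootstl.cab'))) {
    Write-Warning "authrootstl.cab not found under $share; clients will not be able to update roots"
}

# 4. Granular alternative (third option in the text): instead of the whole Microsoft CTL,
#    trust only the CAs you choose. Via GPO this is Computer Configuration > Windows Settings >
#    Security Settings > Public Key Policies > Trusted Root Certification Authorities; the
#    local equivalent is:
Import-Certificate -FilePath '.\ContosoRootCA.cer' -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
```

Whichever option you pick, re-check the CAPI2 log on the DC afterwards: if ID 53 retrievals still fail, the DC is still trying to reach a URL the network blocks.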