Sep 09 2021 10:45 PM
I configured LDAP on a Windows 2016 DC, and during setup I selected the default port 50001 for SSL. After installing a third-party SSL certificate I can only connect to LDAP over SSL on the default port 636, but not on port 50001. I had another test server where I configured MS CA; when I test on port 50001 there, I can see the name of the LDAP service in the details, but on the production server, even when I connect on port 636, I can't see the LDAP service that I created during setup.
During the setup I selected Network Service, and the event log also shows the following warning:
Log Name: ADAM (LDAPoverSSL)
Source: ADAM [LdapOverSSL] General
Date: 10/09/2021 6:10:15 AM
Event ID: 2537
Task Category: Internal Processing
Level: Warning
Keywords: Classic
User: ANONYMOUS LOGON
Computer: DC3.mydomain.com.au
Description:
The directory server has failed to create the AD LDS serviceConnectionPoint object in Active Directory Lightweight Directory Services. This operation will be retried.
Additional Data
SCP object DN:
CN={097b461d-5f8b-45b7-bc46-9fc7da18a2c0},CN=DC3,OU=Domain Controllers,DC=,DC=com,DC=au
Error value:
5 Access is denied.
Server error:
00000005: SecErr: DSID-03152870, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
Internal ID:
33903ab
AD LDS service account:
NT AUTHORITY\NETWORK SERVICE
User Action
If AD LDS is running under a local service account, it will be unable to update the data in Active Directory Lightweight Directory Services. Consider changing the AD LDS service account to either NetworkService or a domain account.
If AD LDS is running under a domain user account, make sure this account has sufficient rights to create the serviceConnectionPoint object.
ServiceConnectionPoint object publication can be disabled for this instance by setting msDS-DisableForInstances attribute on the SCP publication configuration object.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="ADAM [LdapOverSSL] General" />
<EventID Qualifiers="32768">2537</EventID>
<Level>3</Level>
<Task>9</Task>
<Keywords>0x80000000000000</Keywords>
<TimeCreated SystemTime="2021-09-09T20:10:15.755562400Z" />
<EventRecordID>1064</EventRecordID>
<Channel>ADAM (LDAPoverSSL)</Channel>
<Computer>DC3.mydomain.com.au</Computer>
<Security UserID="S-1-5-7" />
</System>
<EventData>
<Data>CN={097b461d-5f8b-45b7-bc46-9fc7da18a2c0},CN=DC3,OU=Domain Controllers,DC=mydomain,DC=com,DC=au</Data>
<Data>5</Data>
<Data>Access is denied.</Data>
<Data>00000005: SecErr: DSID-03152870, problem 4003 (INSUFF_ACCESS_RIGHTS), data 0
</Data>
<Data>33903ab</Data>
<Data>NT AUTHORITY\NETWORK SERVICE</Data>
</EventData>
</Event>
Error when connecting through LDP.exe using port 50001
0x0 = ldap_unbind(ld);
ld = ldap_sslinit("DC3.mydomain.com.au", 50001, 1);
Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Error 81 = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to DC3.mydomain.com.au.
Event Log when connecting through port 50001
Log Name: System
Source: Schannel
Date: 10/09/2021 3:42:22 PM
Event ID: 36870
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: DC3.mydomain.com.au
Description:
A fatal error occurred when attempting to access the TLS server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
<EventID>36870</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2021-09-10T05:42:22.597896600Z" />
<EventRecordID>22350</EventRecordID>
<Correlation ActivityID="{307C8C55-9B87-0002-638C-7C30879BD701}" />
<Execution ProcessID="812" ThreadID="2716" />
<Channel>System</Channel>
<Computer>DC3.mydomain.com.au</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Type">server</Data>
<Data Name="ErrorCode">0x8009030d</Data>
<Data Name="ErrorStatus">10001</Data>
</EventData>
</Event>
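Schannel event 36870 with error 0x8009030D on the AD LDS port, while port 636 (AD DS) works, is the pattern you get when the process that owns that listener cannot read the private key of the certificate it is trying to use; here that process is the AD LDS instance running as NT AUTHORITY\NETWORK SERVICE (the account named in event 2537). The following PowerShell diagnostic is an added example, not code from the original thread or from Microsoft: it finds the local-machine certificates issued for the server name, resolves each one's private key file in the machine key store, reports whether the service account has Read on that file, and then performs a real TLS handshake against port 50001 with .NET SslStream so the server-side Schannel path is exercised (a plain TCP test would not show this failure). The server name, port and account are the ones posted in the thread; the `-GrantRead` switch is an assumed helper that only changes the key ACL when explicitly requested.

```powershell
# Added diagnostic for the AD LDS over SSL failure described above (not from the original post).
# Assumptions: server name, port and service account as posted in the thread; run elevated on the DC.
param(
    [string]$ServerName = 'DC3.mydomain.com.au',
    [int]$Port          = 50001,
    [string]$Account    = 'NT AUTHORITY\NETWORK SERVICE',
    [switch]$GrantRead   # assumed helper: only modifies the key ACL when you pass it
)

function Get-PrivateKeyPath {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # Software private keys are files on disk; CNG keys live under Crypto\Keys,
    # legacy CAPI keys under Crypto\RSA\MachineKeys. Schannel reads them as the service account.
    try {
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
        if ($rsa -is [System.Security.Cryptography.RSACng]) {
            return Join-Path "$env:ProgramData\Microsoft\Crypto\Keys" $rsa.Key.UniqueName
        }
        if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
            return Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $rsa.CspKeyContainerInfo.UniqueKeyContainerName
        }
    } catch { }
    return $null
}

# Candidate server certificates: in the computer store, with a private key, issued for this host name
$certs = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and ($_.Subject -like "*$ServerName*" -or $_.DnsNameList.Unicode -contains $ServerName) }

foreach ($c in $certs) {
    Write-Host "Certificate: $($c.Subject)  thumbprint $($c.Thumbprint)  expires $($c.NotAfter)"
    $keyPath = Get-PrivateKeyPath $c
    if (-not $keyPath -or -not (Test-Path $keyPath)) {
        Write-Warning "  Private key file not found on disk (hardware/TPM-backed key, or unknown provider)"
        continue
    }
    $acl = Get-Acl $keyPath
    $ace = $acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $Account -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -match 'Read|FullControl')
    }
    if ($ace) {
        Write-Host "  $Account can read $keyPath"
    } else {
        Write-Warning "  $Account has NO read access to $keyPath (consistent with Schannel 36870 / 0x8009030D)"
        if ($GrantRead) {
            $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($Account, 'Read', 'Allow')
            $acl.AddAccessRule($rule)
            Set-Acl -Path $keyPath -AclObject $acl
            Write-Host "  Granted Read on the private key to $Account; restart the AD LDS instance service to pick it up"
        }
    }
}

# TLS handshake test: this drives the server-side Schannel credential load that event 36870 reports on.
# The callback accepts any certificate because the goal is to see what the server presents, not to trust it.
$client = New-Object System.Net.Sockets.TcpClient
try {
    $client.Connect($ServerName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
    $ssl.AuthenticateAsClient($ServerName)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "TLS OK on ${ServerName}:$Port - server presented $($remote.Subject) ($($remote.Thumbprint)), protocol $($ssl.SslProtocol)"
} catch {
    Write-Warning "TLS handshake to ${ServerName}:$Port failed: $($_.Exception.Message)"
} finally {
    $client.Dispose()
}
```

Run it first without `-GrantRead` to see which certificate matches the host name and whether the service account can read its key; if the handshake on 50001 fails while the same script succeeds against 636, the difference is the account reading the key (LSASS as SYSTEM for AD DS versus the AD LDS instance as NETWORK SERVICE), not the certificate itself.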
Sep 10 2021 01:26 AM
Sep 10 2021 01:35 AM
During setup it lists the available ports and suggests not using port 636, as it is used by AD DS.
Sep 10 2021 01:54 AM
Sep 10 2021 02:08 AM
Sep 10 2021 02:46 AM
Sep 16 2021 09:06 AM
Sep 21 2021 04:59 AM - edited Oct 31 2021 09:51 PM
I have already added a rule to allow incoming traffic on ports 50000-50001. I turned off the firewall completely and it is still the same error. It also registers the following error in the event logs:
Log Name: System
Source: Schannel
Date: 21/09/2021 9:56:03 PM
Event ID: 36870
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: DC3.domain.com
Description:
A fatal error occurred when attempting to access the TLS server credential private key. The error code returned from the cryptographic module is 0x8009030D. The internal error state is 10001.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Schannel" Guid="{1F678132-5938-4686-9FDC-C8FF68F15C85}" />
<EventID>36870</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2021-09-21T11:56:03.877877700Z" />
<EventRecordID>24833</EventRecordID>
<Correlation ActivityID="{307C8C55-9B87-0002-638C-7C30879BD701}" />
<Execution ProcessID="812" ThreadID="1708" />
<Channel>System</Channel>
<Computer>DC3</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Type">server</Data>
<Data Name="ErrorCode">0x8009030d</Data>
<Data Name="ErrorStatus">10001</Data>
</EventData>
</Event>