HowTo Troubleshoot AD LDAPS Connection Issues

In this article we cover how to troubleshoot bind issues when connecting to Active Directory using LDAPS. Typically when an LDAPS connection fails, very little information is provided on the reason for the failure. We will look at using NetTools to help troubleshoot the bind process and identify the reason for the LDAPS bind failure.

There are a few troubleshooting options available: bypassing the standard certificate revocation process, displaying the certificate chain with the details of the revocation process, and displaying the certificate that is installed on the server used for the connection.

We will use the LDAP Search option in NetTools to test the LDAPS connection. For details on the SSL option see here.

Check a Certificate is Installed

First, we want to confirm that there is a certificate installed on the domain controller and that it is being used for LDAPS. These tests can be performed remotely or on the domain controller being tested.

In the Server field enter the FQDN of the domain controller and select the SSL Bind option; port 636 will be appended to the end of the server name. Then uncheck Verify Certs and click Go.

If the connection works and no bind errors are returned, then a certificate is installed on the domain controller and Active Directory is using it for LDAPS.

If you do receive a connection failure error, here are a few checks to determine why the certificate is not being used.

      • Check name resolution and that the FQDN can be resolved, see DsGetDCName
      • Use the DC Resolution feature to confirm the port is not blocked
      • On the domain controller, check the Directory Services event log for event ID 1220, Source: ActiveDirectory_DomainService, which means that AD was unable to find a suitable certificate to use.
      • To confirm that a certificate is available, open MMC on the domain controller and add the Certificates snap-in, select Service Account and select Active Directory Domain Services. Check under NTDS\Personal, Certificates and confirm that a certificate is listed.
      • If the certificate exists:
            • Check that the certificate has a private key
            • Confirm that the Enhanced Key Usage includes Server Authentication (1.3.6.1.5.5.7.3.1)
            • Open the certificate and confirm on the Certification Path tab that the certificate is trusted
      • If no certificate is listed, check your certificate delivery mechanism, or manually install a suitable certificate.
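The checks in the list above can also be run from PowerShell on the domain controller. This is an added example, not code from NetTools or from this article; $DcFqdn is a placeholder, and 'MY' and 'NTDS\MY' are assumed to be the internal names of the computer Personal store and the NTDS\Personal store shown in the Certificates snap-in.

```powershell
# Added example, not from the NetTools article: run on the domain controller to
# work through the certificate checks above. $DcFqdn is a placeholder.
$DcFqdn = 'dc01.example.local'   # placeholder: the DC's FQDN

# 1. Name resolution and reachability of port 636
Resolve-DnsName -Name $DcFqdn -Type A | Select-Object Name, IPAddress
Test-NetConnection -ComputerName $DcFqdn -Port 636 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded

# 2. Event 1220 in the Directory Service log (source ActiveDirectory_DomainService):
#    AD could not find a suitable certificate to use for LDAPS
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 1220 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, ProviderName, Message

# 3. Candidate certificates in the computer Personal store ('MY') and the NTDS
#    service store ('NTDS\MY', shown as NTDS\Personal in the snap-in)
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$loc = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
foreach ($storeName in 'MY', 'NTDS\MY') {
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store([string]$storeName, $loc)
    $store.Open('ReadOnly')
    foreach ($cert in $store.Certificates) {
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
        [pscustomobject]@{
            Store         = $storeName
            Subject       = $cert.Subject
            NotAfter      = $cert.NotAfter
            HasPrivateKey = $cert.HasPrivateKey   # the private key must be present
            ServerAuthEKU = $hasServerAuth        # EKU must include Server Authentication
            Trusted       = $cert.Verify()        # chain builds to a trusted root (Certification Path tab)
        }
    }
    $store.Close()
}
```

A usable certificate shows HasPrivateKey, ServerAuthEKU and Trusted all True; if none does in either store, no suitable certificate is available and event 1220 will keep appearing.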

Verify the Certificate

If the first test worked, repeat the test with the Verify Certs option selected. This time the standard Windows certificate revocation process will check the certificate, and if this fails, the connection will also fail. Select Verify Certs and click Go.


If you receive the following error, "Error: ldap_sslinit failed with error: Error: (0x51) Cannot contact the LDAP server", then the Windows revocation process has identified an issue with the certificate and this has caused the connection to fail.

Troubleshoot Certificate Issues

To help identify what has caused the issue with the certificate, select the Display Results option, which will display the results of the certificate revocation process.


Here are a couple of common examples of the errors that can occur. In these examples the test domain controller has a self-signed certificate, which means only one certificate is shown in the certificate chain. If your domain controller has a certificate issued by a root CA or an intermediate CA, the certificate chain will have multiple certificates; in this case each of these is displayed and tested. If an issue has been found, an ERR: message is displayed at the end of the certificate chain output.

FQDN of the server doesn’t match the certificate

In this example the server name that was entered does not match the subject or SAN. In the output the subject and SAN are displayed, and an ERR message is returned stating that the certificate name does not match the host name.

Multiple Certificate Errors

In this example the certificate chain has three errors: 1 - the certificate has expired, 2 - the certificate is not trusted, 3 - the entered server name does not match the subject or SAN in the certificate.

This is the output for a certificate that has passed the certificate revocation process.
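To reproduce what the Display Results output reports without the tool, the following added PowerShell example (not NetTools code or the article's own) captures the certificate a domain controller presents on port 636, builds the chain with online revocation checking, and then performs the host-name check against the subject CN and SAN entries. $DcFqdn is a placeholder.

```powershell
# Added example, not from the NetTools article: capture the certificate presented on
# port 636 and report chain/revocation errors and host-name mismatches. $DcFqdn is a placeholder.
$DcFqdn = 'dc01.example.local'   # placeholder: the name typed in the Server field

$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
# Accept the certificate during the handshake so it can be captured; it is validated explicitly below
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
$ssl.AuthenticateAsClient($DcFqdn)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

# Build the chain with online revocation checking of every certificate, as Verify Certs relies on
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
$chainOk = $chain.Build($cert)

"Subject : $($cert.Subject)"
"Valid   : $($cert.NotBefore) to $($cert.NotAfter)"
foreach ($el in $chain.ChainElements) { "Chain   : $($el.Certificate.Subject)" }
# Every failed check (NotTimeValid = expired, UntrustedRoot, Revoked, RevocationStatusUnknown ...) is listed
foreach ($st in $chain.ChainStatus) { "ERR     : $($st.Status) - $($st.StatusInformation.Trim())" }

# Host-name check: the name entered must match the subject CN or a SAN DNS entry
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
if ($san) {
    # Format() yields e.g. "DNS Name=dc01.example.local, DNS Name=example.local"
    $names += @(($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[1] })
}
# -like covers exact names and a leading '*.' wildcard, case-insensitively
$nameOk = @($names | Where-Object { $DcFqdn -like $_ }).Count -gt 0
if (-not $nameOk) { "ERR     : Certificate name does not match the host name ($DcFqdn); certificate names: $($names -join ', ')" }
"Result  : chain valid = $chainOk, name matches = $nameOk"
```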

Display the Certificate

We also have the option to display the certificate in the standard Certificate dialog by selecting the Display Cert option. The certificate will be displayed and we can look at its additional properties. NetTools will pause until the certificate dialog is closed.

In the dialog you can also confirm that the certificate is trusted by the local machine by viewing the Certification Path tab.

LDAP Search Options

This post contains the details of options that are available in the LDAP Search option.

Input Fields

Server - the name of the server that the query will be directed to
BaseDN - specifies the base distinguished name, in RFC1779 format
Filter - the LDAP filter that will be passed to the server. The background of the field will turn red if the filter is invalid.
Attributes - the attributes to be returned by the query
Favorites - used to select and save favorites. See Favorites
Display Filter - define a display filter which will be applied to the results returned by the server. See Display Filters
Sort - specify the sort order in which the server should return the results
Filename - specifies the name of the output file

Display Options

Display Results – with this option deselected the results of the query are not displayed
Display DN – a DN field is added to the output. If this option is deselected, the Show Attributes, AD Properties, and Meta Data options will not be available on the context menu
Display on completion – with this option deselected the entries are displayed as they are decoded; with this option selected, screen updates are suppressed and the entries are only displayed once the query has finished
Attribute count only – when selected the number of entries per attribute is displayed
Hex Dump – this option displays a hex dump of the data in the displayed attributes; with the table view enabled only the hex values are displayed, with the table view disabled both the hex and text are included in the dump
Raw Format – with this option selected the attribute decodes are disabled and the output is displayed in the default format returned by the LDAP server
Single Line – when selected the entries of an attribute are displayed on a separate line and a count is displayed after the attribute tag
Output to file – with this option selected the output of the queries is saved to the file specified in the Filename field
No Attribute tags – by default the name of the attribute is displayed in the text output pane; if this option is selected the attribute name\tag is not displayed

Server Side Controls

This section will append one of the predefined server controls to the query sent to the server.
Paged Searches – enables the paged search control, details here https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/1b4a637c-c682-4b5e-9397-fe9142a38887
Extended DN – this control will cause the server to return the extended DN, as described here https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/57056773-932c-4e55-9491-e13f49ba580c
Attribute Scope Query – this is used to search the objects referenced by an Object(DS-DN) syntax attribute of the object specified in the BaseDN field. The attribute to use is the first attribute listed in the Attributes field; the subsequent attributes are the attributes to be returned. See ASQ. Details of the control can be found here https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-adts/77d880bf-aadd-4f6f-bb78-076af8e22cd8
Delete Objects – when this control is enabled the Deleted Objects container and its contents are returned.
Recycle Object – when this control is enabled the Recycled Objects container and its contents are returned.
NTSecurityDescriptors – with this control enabled the server will also return the security descriptor for the object, contained in the NTSecurityDescriptor attribute
Include SACL – this option will also include the Security Access Control List in the NTSecurityDescriptor details; this requires the SESecurityLog right
Search Stats – when enabled the server will return the server statistics for the query.

Table View Options

Table View – when this option is enabled the results are presented in a tabular view
Clear Table – when enabled the table view is cleared of contents before the query is run
Table Input – this option enables input mode, which allows inputs to be pasted into the table and then used as the basis of queries, see LDAP Search Input Mode
Record Count – (available in input mode) when this option is enabled, the number of entries per attribute is returned
Create Multiple – (available in input mode) when enabled, if multiple entries are returned the subsequent entries are displayed on a new line
CSV – file format options that allow you to control the format of the data written to the file; CSV is only available with table view enabled.

Misc Options

CLDAP – when enabled the LDAP query is sent using the UDP protocol rather than TCP
Dynamic and Sort option – see Dynamic and Sort Attributes Options
Auto Complete – when this option is enabled NetTools will download the complete list of attributes defined in the schema when the Populate button is pressed; this is then used to provide auto completion as you enter attribute names in the Attributes field
Chase Referrals – with this LDAP option enabled, the server will try to retrieve the requested object if the object is in a different context or directory. This can also be set in the LDAP Session option dialog
Ext Error – this returns the extended LDAP error information in the event of an error occurring
Page Size – this defines the number of entries that will be returned by the server per page

Updates

These options are covered in LDAP Search Update Queries.

Credentials - this will display a dialog box to specify the credentials that the query will run under
Reset - resets the form to the default options
Run Batch - used to execute the selected batch list, as defined and specified by the Batch List option
Batch List - allows the creation of batch lists of queries

Use GC - changes the default port to 3268 or 3269 based on the SSL Bind option. If a Connection Profile is selected, the GC details defined in the Connection Profile will be used.
SSL Bind - changes the default port to 636 and enables SSL encryption
Verify Certs - when selected the server certificate is validated by the default Windows mechanism; if not selected, certificate verification is bypassed and the certificate is just accepted
Display Results - with this option NetTools will verify each certificate in the chain, completing a revocation check against each certificate, and display the results
Display Cert - once the verification of the certificate is complete, the certificate used by the server will be displayed in a standard certificate dialog box
Machine Store - defines which certificate store will be used by the Windows certificate verification mechanism

Buttons

LDAP Session - this button will display the LDAP Session dialog to define the session variables that will be used when the query is executed. See LDAP Session Options.
Populate - this button will populate and enable a number of features in LDAP Search. See LDAP Search Populate
Up one level - the leftmost entry of the DN is removed, to move up one level
DN Selector - this will display a dialog box to select the required BaseDN from a browser
LDAP Browser - see LDAP Browser
Attributes dialog - this will display the attribute dialog for the current BaseDN object
LDAP Query Wizard - a wizard to display and create an LDAP filter in a hierarchical view. See LDAP Filter Wizard
Zoom - this button will display the Filter or the Attributes field in a separate window with the option to increase the font size for easier reading and updating.
Enums - this displays a dialog that shows the values associated with the predefined Enums in NetTools
Help - displays the help for the Filter, Attributes and Display Filter fields
Attribute List - this will display the list of attributes, which can be used to select the attributes to be returned
Define Decode - this dialog lets you display and define the DecodeType that will be used for each attribute.
Favorites Save, Export, Import - see Favorites

The text view context menu supports a number of predefined shortcuts to display information based on the selected text in the text view. The details in brackets are what the selected text should contain for each item.

For details on the Custom items see Context Favorites in LDAP Search Favorites