Unable to use SSL in LDAP authentication with Active Directory.

  • 7023508
  • 08-Nov-2018
  • 08-Nov-2018

Environment

GroupWise 18

Situation

You have defined an Active Directory entry in the gwadmin console under LDAP Servers. Everything works when using the insecure port 389, but fails when you try to use SSL with the trusted root certificate of the AD domain.

Resolution

First, make sure that you have correctly exported the trusted root certificate from the CA of the AD domain.
Here is a short summary of how to do it:
On the AD server, launch the Certificate Authority application via Start -> Run -> certsrv.msc.
Right-click on the CA object listed and select Properties.
On the General tab, click the View Certificate button.
Go to the Details tab, highlight the certificate and then select Copy to File.
Follow all steps of the wizard and select the DER Encoded binary X.509 (.cer) file format.

Once you have saved the certificate file on your local workstation, open the gwadmin console from that workstation and go to System -> LDAP Servers -> click on the AD definition item you created before.
In the Address field, use the FQDN of the server name that you used when generating the CA, for example win2012r2.mydomain.com, where win2012r2 is the server host name and mydomain.com is the AD domain name.
Next, select the Use SSL check-box to enable the SSL Certificate field.
Click on the pencil icon -> then on the Access Certificate from server directory option and use the browse icon.
After that, click on Upload Local File To Server -> Browse and navigate to the certificate file on your workstation.
Then click on Upload so that the certificate appears in the lower part of this dialog window.
Select the file and then click OK.
Now click on the Test Connection button.
If it connects successfully, you are done.

If it fails, make sure that the GW server can resolve the FQDN of the LDAP server you used in this definition. Note that since you used the FQDN when creating the CA and certificate objects, you must also use it in this definition and not the IP address.
Furthermore, make sure that the GW server can reach the LDAP server on port 636, i.e. there is no firewall in between that would block the communication.
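The checks in the paragraph above can be run from a Linux GroupWise server with this added script (not part of this article); it assumes a POSIX sh with getent, openssl, mktemp and GNU timeout available, and the DER .cer file exported by the wizard above.

```shell
#!/bin/sh
# Added troubleshooting helper, not from the KB article. Assumes a Linux
# GroupWise host with getent, openssl, mktemp and GNU timeout available.

# The Address field must hold the FQDN the AD certificate was issued to,
# never an IP address or a bare host name.
is_fqdn() {
    case "$1" in
        *[!0-9.]*) ;;        # contains letters: not a dotted IPv4 address
        *) return 1 ;;       # only digits and dots: an IP address
    esac
    case "$1" in
        *.*) return 0 ;;     # host.domain form
        *) return 1 ;;       # bare host name, not fully qualified
    esac
}

# Tell a DER export (ASN.1 SEQUENCE, first byte 0x30) from a PEM one
# ("-----BEGIN ..."); the certsrv.msc wizard above produces DER.
cert_format() {
    case "$(head -c 5 "$1" | od -An -tx1 | tr -d ' \n')" in
        30*)        echo DER ;;
        2d2d2d2d2d) echo PEM ;;
        *)          echo UNKNOWN ;;
    esac
}

# Check name resolution, reachability on 636 and that the exported root
# certificate actually validates the LDAPS server's chain and host name.
ldaps_check() {
    host=$1 cacert=$2 port=${3:-636}
    is_fqdn "$host" || { echo "FAIL: '$host' is not an FQDN"; return 1; }
    getent hosts "$host" >/dev/null \
        || { echo "FAIL: $host does not resolve from this server"; return 1; }
    pem=$(mktemp)
    # openssl s_client wants the trust anchor in PEM form for -CAfile.
    if [ "$(cert_format "$cacert")" = DER ]; then
        openssl x509 -inform DER -in "$cacert" -out "$pem"
    else
        cp "$cacert" "$pem"
    fi
    # -verify_return_error fails the handshake on a chain or name mismatch;
    # the timeout turns a firewall-blocked port into a clean failure.
    if timeout 10 openssl s_client -connect "$host:$port" -CAfile "$pem" \
         -verify_hostname "$host" -verify_return_error </dev/null >/dev/null 2>&1
    then echo "OK: verified LDAPS session to $host:$port"; rc=0
    else echo "FAIL: no verified TLS session to $host:$port (firewall or wrong root certificate)"; rc=1
    fi
    rm -f "$pem"; return $rc
}
```

Run it as `ldaps_check win2012r2.mydomain.com /path/to/exported.cer` on the GW server; a FAIL line names which of the three conditions is not met.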
You can also test directly from the Windows server that you used to export the trusted root certificate whether you can connect via secure LDAP.
Simply click on Start -> Run and type ldp.exe. A new LDAP window opens.
Click on Connection -> Connect. In the Server field, type the FQDN of the AD server, for example win2012r2.mydomain.com, select SSL, type 636 as the port value and then click OK. You should be able to connect.