How can I check if my Microsoft Active Directory domain controller / LDAP server has SSL?

The following URL has a nice write-up about the Microsoft tool LDP.exe:
http://www.computerperformance.co.uk/w2k3/utilities/ldp.htm

You can download ldp.zip directly from http://www.computerperformance.co.uk/ScriptsGuy/ldp.zip or copy it from your Windows 2000 / 2003 Support Tools CD.

Microsoft says:
Verifying an LDAPS connection
After a certificate is installed, follow these steps to verify that LDAPS is enabled:

1. Start the Active Directory Administration Tool (Ldp.exe).
2. On the Connection menu, click Connect.
3. Type the name of the domain controller to which you want to connect.
   a. You must use a proper DNS name for the SSL test to work.
4. Type 636 as the port number and check the SSL box.
5. Click OK.

RootDSE information should print in the right pane, indicating a successful connection.


If you get an error saying, "Cannot open connection," LDP cannot establish a secure connection to the directory server. In this case, it's very likely that the server is not configured properly for LDAP over SSL. Verify the server name/IP address and port number. You can also use the Portqry tool to verify that the directory server is listening on the correct port.

The following LDP output (for server name dc01) indicates that the connection failed because the certificate used in the SSL connection cannot be trusted:
    ld = ldap_sslinit("dc01", 636, 1);
    Error <0x0> = ldap_set_option(hLdap,LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
    Error <0x51> = ldap_connect(hLdap, NULL);
    Server error: {empty}
    Error <0x51>: Fail to connect to dc01.

You can test a non-SSL connection by unchecking the SSL box and changing the port to 389.

The same ldp.exe program can also be used to test the connection to the Global Catalog.
Follow the same steps as before, but change the ports:
The non-SSL port for the Global Catalog is 3268.
The SSL port for the Global Catalog is 3269.
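
The same checks can be scripted for both SSL ports. The PowerShell below is an added example, not part of the original article or of Microsoft's procedure: it tests whether each port is listening, then performs the SSL handshake with normal certificate validation and reports why validation failed (name mismatch or untrusted chain). The function name Test-LdapsPort and the server name dc01.example.com are hypothetical.

```powershell
# Added example: scripted LDAPS check for ports 636 and 3269 (Global Catalog).
# Test-LdapsPort and 'dc01.example.com' are hypothetical names; substitute the
# DC's real DNS name, since it is compared against the certificate.
function Test-LdapsPort {
    param(
        [Parameter(Mandatory)][string]$Server,
        [int[]]$Port = @(636, 3269),
        [int]$TimeoutMs = 5000
    )
    foreach ($p in $Port) {
        $r = [ordered]@{
            Server = $Server; Port = $p; Listening = $false; TlsOk = $false
            Subject = $null; NotAfter = $null; PolicyErrors = $null; Detail = $null
        }
        # Record the certificate and the validation result, but still reject
        # whatever the default policy rejects (name mismatch, untrusted chain).
        [System.Net.Security.RemoteCertificateValidationCallback]$check = {
            param($s, $cert, $chain, $policyErrors)
            if ($cert) {
                $c2 = [System.Security.Cryptography.X509Certificates.X509Certificate2]$cert
                $r.Subject = $c2.Subject
                $r.NotAfter = $c2.NotAfter
            }
            $r.PolicyErrors = $policyErrors.ToString()
            return ($policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }.GetNewClosure()
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Step 1: is anything listening on the port?
            if (-not $client.ConnectAsync($Server, $p).Wait($TimeoutMs)) {
                throw 'TCP connect timed out'
            }
            $r.Listening = $true
            # Step 2: SSL handshake; fails if the certificate is not trusted.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $check)
            $ssl.AuthenticateAsClient($Server)
            $r.TlsOk = $true
            $ssl.Dispose()
        } catch {
            $r.Detail = $_.Exception.GetBaseException().Message
        } finally {
            $client.Close()
        }
        [pscustomobject]$r
    }
}

Test-LdapsPort -Server 'dc01.example.com' | Format-List
```

This checks the listener and the certificate only; it does not bind to the directory or read RootDSE the way LDP does.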

Another tool that is good for checking the SSL cert can be downloaded from here
