Tech Tip: Unable to configure LDAP over SSL (LDAPS) for NPC or NetVoyant

Document created by Rito_Garcia (Employee) on Sep 3, 2015. Last modified by SamCreek on Dec 17, 2016.
Version 2

Summary:


Single Sign-On Configuration Tool > LDAP Authentication > Test LDAP Authentication fails when using LDAP over SSL (LDAPS) and displays the following error:

An exception was thrown:
Source: System.DirectoryServices
Message: The server is not operational


The following event is also logged in the Windows Event Viewer System log (source: Schannel) at the time of the failed test:

Event ID: 36882

The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.


Solution:

The event means that Windows (Schannel) on the NPC or NetVoyant server could not build a trusted chain for the certificate presented by the LDAP server. The local computer's Trusted Root Certification Authorities store contains, by default, only the root certificates of widely used public CAs (VeriSign, GoDaddy, etc.). If the LDAP server's certificate was issued by a CA that is not in that store by default, typically an internal enterprise CA, the following configuration is required before LDAP connections over SSL will work.

Note: What must be imported is the certificate of the CA that issued the LDAP server certificate, not the LDAP server's own certificate. Import the root CA certificate into the local computer's Trusted Root Certification Authorities store, and, if the server certificate was issued through one or more intermediate CAs, import those into the Intermediate Certification Authorities store as well. A certificate placed in Trusted Root is trusted for everything it issues, so confirm the root's thumbprint with the LDAP server owner before importing it.

Follow the steps below to import the CA certificate(s) into the local computer's certificate stores.

 

1. Obtain the root CA certificate (and any intermediate CA certificates) that issued the LDAP server certificate and import them into the local computer's certificate stores: the root into Trusted Root Certification Authorities, intermediates into Intermediate Certification Authorities.

    Steps to add certificates via MMC: run mmc.exe, choose File > Add/Remove Snap-in, add the Certificates snap-in for the Computer account (Local computer), then right-click the target store and choose All Tasks > Import.


2. Ensure that the Single Sign-On Configuration Tool-> LDAP Authentication-> Search Domain field contains exactly the name the certificate was issued to (the Issued To / Subject name, or one of its Subject Alternative Names). The name used to connect is checked against the certificate, so an IP address or a short host name that does not appear in the certificate will still fail after the CA has been trusted.

     Single Sign-On Configuration Tool-> LDAP Authentication-> Search Domain field example (screenshot not reproduced):

     Server certificate example, showing the Issued To name (screenshot not reproduced):


3. Open a command prompt on the NPC or NetVoyant server and verify that the NSLOOKUP command resolves the name the certificate was issued to.

Note: A HOSTS file entry (C:\Windows\System32\drivers\etc\hosts) can be used when the name cannot be resolved through DNS.


4. Run the Single Sign-On Configuration Tool-> LDAP Authentication-> Test LDAP Authentication again and confirm that the error is resolved.


5. Confirm that login to the NPC or NetVoyant web portal works using an LDAP user.

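The five steps above can be checked from one PowerShell session on the NPC or NetVoyant server. The script below is an added example; it is not part of this tech tip or of the NPC/NetVoyant product. It assumes a hypothetical LDAPS name ldap.example.local on port 636 and prompts for a bind account; replace these with the name the certificate was issued to. It resolves the name (step 3), fetches the certificate the LDAPS listener presents, checks that the name is one the certificate was issued to (step 2), builds the chain the way Windows does and reports why it is untrusted (the condition behind Event ID 36882), optionally imports the issuing CA chain into the LocalMachine stores (step 1), and finally binds over SSL with the same System.DirectoryServices API the Single Sign-On Configuration Tool uses (steps 4 and 5).

```powershell
# Added example, not part of the original tech tip or of NPC/NetVoyant: run on the
# NPC/NetVoyant server to check DNS, inspect the certificate the LDAPS listener presents,
# explain why Schannel rejects it, optionally import the issuing CA chain, and then bind
# over SSL the way the Single Sign-On Configuration Tool does (System.DirectoryServices).
# Assumed values: host 'ldap.example.local', port 636, and the bind account you are prompted for.
param(
    [string]$LdapHost = 'ldap.example.local',   # assumed: the name the certificate was issued to
    [int]$Port = 636,
    [pscredential]$Credential = (Get-Credential -Message 'LDAP bind account'),
    [switch]$ImportChain                         # run elevated, and only after verifying the root thumbprint
)

# Step 3: the certificate name must resolve from this server (DNS or the HOSTS file).
try {
    $ips = [System.Net.Dns]::GetHostAddresses($LdapHost)
    Write-Host "DNS   : $LdapHost -> $($ips -join ', ')"
} catch {
    Write-Warning "DNS   : '$LdapHost' does not resolve; fix DNS or add a HOSTS entry, then rerun."
    return
}

# Fetch the server certificate. The callback accepts anything so the certificate can be
# inspected; nothing is trusted or stored by this step.
try {
    $tcp = New-Object System.Net.Sockets.TcpClient($LdapHost, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
           [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    $ssl.AuthenticateAsClient($LdapHost)
    $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $ssl.Dispose(); $tcp.Dispose()
} catch {
    Write-Warning "TLS   : no TLS handshake with ${LdapHost}:${Port} - $($_.Exception.Message)"
    return
}
Write-Host "Cert  : Issued To = $($leaf.Subject)"
Write-Host "Cert  : Issued By = $($leaf.Issuer)"

# Step 2: the Search Domain value must be a name the certificate was issued to (CN or SAN).
$names = @($leaf.GetNameInfo('DnsName', $false))
$san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
if ($san) { $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1] }) }
if ($names -notcontains $LdapHost) {
    Write-Warning "Name  : '$LdapHost' is not in the certificate ($($names -join ', ')); use the Issued To name."
}

# Step 1: build the chain as Windows does and show why it is untrusted (Event ID 36882).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'    # revocation is a separate problem from trust
$trusted = $chain.Build($leaf)
foreach ($st in $chain.ChainStatus) { Write-Warning "Chain : $($st.Status) - $($st.StatusInformation.Trim())" }
$cas = @($chain.ChainElements | Select-Object -Skip 1 | ForEach-Object { $_.Certificate })
if (-not $trusted -and $cas.Count -eq 0) {
    Write-Warning "Chain : the server sent no issuing CA; obtain the CA certificate from the LDAP administrator."
}
foreach ($ca in $cas) {
    # A self-signed CA belongs in Trusted Root; anything below it is an intermediate.
    $storeName = if ($ca.Subject -eq $ca.Issuer) { 'Root' } else { 'CA' }
    Write-Host "CA    : $($ca.Subject) -> LocalMachine\$storeName (thumbprint $($ca.Thumbprint))"
    if ($ImportChain) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
        $store.Open('ReadWrite'); $store.Add($ca); $store.Close()
    }
}

# Steps 4 and 5: simple bind over SSL with the API the SSO tool uses. This still reports
# 'The server is not operational' until both the trust chain and the name check out.
Add-Type -AssemblyName System.DirectoryServices
$entry = New-Object System.DirectoryServices.DirectoryEntry("LDAP://${LdapHost}:${Port}",
         $Credential.UserName, $Credential.GetNetworkCredential().Password,
         [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer)
try {
    $entry.RefreshCache()
    Write-Host "Bind  : LDAPS bind to ${LdapHost}:${Port} succeeded; rerun Test LDAP Authentication in the SSO tool."
} catch {
    Write-Warning "Bind  : $($_.Exception.Message)"
}
```

Run it first without -ImportChain, compare the thumbprint it prints for the self-signed CA with the value the LDAP server owner gives you, and only then run it elevated with -ImportChain. If the chain output ends at an intermediate (no self-signed element), the server is not sending its root, and the root certificate has to be obtained from the CA and imported through MMC as in step 1.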

This has also been posted in the Knowledge Base on Support.ca.com as TEC1289515.
