Unable to Connect to a Domain Controller by Using LDAP Connection over SSL


When you try to establish a Lightweight Directory Access Protocol (LDAP) connection to a domain controller over Secure Sockets Layer (SSL), the connection may fail. This happens when the CRL Distribution Point (CDP) path in the domain controller's certificate is an LDAP URL rather than an HTTP URL.


This behavior can occur because in order to set up the SSL connection, the client must validate the domain controller's SSL certificate. Part of this process is checking the Certificate Revocation List (CRL) to see whether the certificate has been revoked. If the CRL is not already cached on the client, then the client must query Active Directory to get the list.

In this instance, SChannel.dll does not receive the client's default credentials and therefore cannot make an authenticated connection to Active Directory to retrieve the CRL. Because the revocation check cannot be completed, the certificate is treated as invalid, and the SSL connection is not established.
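To check whether a domain controller's certificate exposes clients to this condition, look at where its CDP extension actually sends them for the CRL. The following PowerShell script is an added example, not part of this article; it assumes a current Windows host with PowerShell (Windows 2000 had none) and reads the local machine's personal certificate store on the domain controller, listing each certificate's CRL Distribution Point URLs and flagging those that publish only LDAP URLs.

```powershell
# Added example, not from the KB article. Lists the CRL Distribution Point (CDP)
# URLs of every certificate in the local machine's personal store and flags those
# whose CDP extension offers only ldap: URLs, the condition this article describes.
$cdpOid = '2.5.29.31'   # id-ce-cRLDistributionPoints

Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq $cdpOid }
    if (-not $ext) {
        # No CDP extension at all: clients cannot locate a CRL for this certificate.
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            CdpUrls    = '(none)'
            LdapOnly   = $false
        }
        return
    }
    # Format($true) renders the extension as multi-line text; each distribution
    # point appears on its own "URL=..." line, which we extract here.
    $text = $ext.Format($true)
    $urls = @([regex]::Matches($text, 'URL=([^\r\n]+)') |
              ForEach-Object { $_.Groups[1].Value.Trim() })
    $nonLdap = @($urls | Where-Object { $_ -notmatch '^ldap:' })
    $ldapOnly = ($urls.Count -gt 0) -and ($nonLdap.Count -eq 0)
    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        CdpUrls    = ($urls -join '; ')
        LdapOnly   = $ldapOnly
    }
} | Format-Table -AutoSize -Wrap
```

A certificate reported with LdapOnly = True can only be revocation-checked by a client that is able to authenticate to Active Directory; adding an HTTP CDP to the issuing CA's configuration and re-issuing the certificate removes that dependency.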


To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
260910 How to Obtain the Latest Windows 2000 Service Pack


Microsoft has confirmed that this is a problem in Microsoft Windows 2000. This problem was first corrected in Windows 2000 Service Pack 2.

Article ID: 296975 - Last Review: Mar 1, 2007 - Revision: 1