A client computer cannot authenticate to a domain controller that is running Windows 2000 or Windows Server 2003 by using LDAP over SSL

Symptoms

A client computer may not be able to authenticate to a Microsoft Windows Server 2003 domain controller or to a Microsoft Windows 2000 domain controller by using Lightweight Directory Access Protocol (LDAP) over a Security Sockets Layer (SSL) connection. The following event ID error message is logged to the system event log on the client computer:
These symptoms occur even after the server receives a new certificate from the certification authority (CA) that replaces the expired certificate on the server.

Additionally, the System event log may also log the following event when the server side certificate fails:

Cause

This issue occurs because LDAP caches the certificate on the server. Although the certificate has expired and the server receives a new certificate from a CA, the server uses the cached certificate. You must restart the server before the server uses the new certificate.

Workaround

To work around this issue, restart the server after the server receives a new certificate from the CA.

More Information

For more information about how to troubleshoot similar event ID 37876 error messages, click the following article numbers to view the articles in the Microsoft Knowledge Base:

254610 System Event ID 36876 when using LDAP SSL query of the Active Directory

822406 Clients cannot authenticate with a server after you obtain a new certificate to replace an expired certificate on the server

Properties

Article ID: 839514 - Last Review: Feb 15, 2017 - Revision: 3

Feedback