Event ID 1220 — LDAP over SSL (LDAPS)

Applies to

Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012

 

Overview

 

The TechNet Library version of this article is published as LDAP over SSL (LDAPS).

Lightweight Directory Access Protocol (LDAP) communications between client computers and server computers can be encrypted with LDAP over Secure Sockets Layer (SSL) connections. You can configure Active Directory Domain Services (AD DS) and Active Directory Lightweight Directory Services (AD LDS) to support LDAP over SSL.

Event Details

   
Product: Windows Operating System
ID: 1220
Source: Microsoft-Windows-ActiveDirectory_DomainService
Version: 6.0
Symbolic Name: DIRLOG_LDAP_SSL_NO_CERT
Message: LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.

Resolution

Configure LDAP over SSL

Event ID 1220 is logged on a domain controller when client computers attempt to make an LDAP-over-SSL connection to the directory but SSL connections are not enabled on the directory. If you want to configure a domain controller or an AD LDS server to support SSL connections, you must provide a certificate for the AD DS or AD LDS directory to use. If you do not want to support LDAP over SSL connections on the directory, identify the client computers that are attempting to make such connections so that you can resolve this issue.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Perform the following procedure on a domain controller or a computer that has RSAT installed. See Installing Remote Server Administration Tools for AD DS (http://go.microsoft.com/fwlink/?LinkId=144909).

If you want to configure your domain controllers to support SSL connections, you can install and configure the Active Directory Certificate Services (AD CS) role on a domain controller or you can import a certificate from a trusted certification authority (CA).

If you install the AD CS role and specify the Setup Type as Enterprise on a domain controller, all domain controllers in the forest will be configured automatically to accept LDAP over SSL.

Warning: In most cases, you should not install a CA on a domain controller! For more information, see PKI Design Brief Overview.

If you prefer to use a certificate from a CA that is not installed on a domain controller, you must import a certificate with an intended purpose of server authentication from a trusted CA into the AD DS personal store.

To import a certificate into the AD DS personal store:

  1. Open a command prompt as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Start menu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. To open Microsoft Management Console (MMC), type mmc, and then press ENTER.
  3. Click File, click Add/Remove Snap-in, select Certificates from the available snap-ins, and then click Add.
  4. In Add or Remove Snap-ins, click Service account to view the certificates that are stored in the service's personal store, and then click Next.
  5. In Add or Remove Snap-ins, click Local computer, and then click Next.
  6. In Add or Remove Snap-ins, click Active Directory Domain Services, click Finish, and then click OK.
  7. In the console tree, expand Certificates - Service (Active Directory Domain Services), expand Personal, and then expand Certificates.
  8. To import a certificate, right-click the NTDS\Personal folder, click All Tasks, and then click Import. When the certificate is imported, client computers should be able to make SSL connections to all domain controllers in the forest.

If you need to configure AD LDS to support LDAP over SSL connections, follow the instructions in Appendix A: Configuring LDAP over SSL Requirements for AD LDS (http://go.microsoft.com/?linkid=9645086).

Additional information

Verify

Membership in Domain Users, or equivalent, is the minimum required to complete this procedure. Review details about default group memberships at http://go.microsoft.com/fwlink/?LinkID=150761. Perform the following procedure on a domain controller or a computer that has Remote Server Administration Tools (RSAT) installed. For more information about RSAT, see Installing Remote Server Administration Tools for AD DS (http://go.microsoft.com/fwlink/?LinkId=144909).

To confirm that LDAP over SSL is configured successfully:

  1. Open the Ldp snap-in. To open Ldp, click Start. In Start Search, type ldp. Right-click the Ldp icon on the Start menu, and then click Run as administrator. If the User Account Control dialog box appears, confirm that the action it displays is what you want, and then click Continue.
  2. Click the Ldp Connection menu, and then click Connect. In Server, type the host name of the server to which you want to connect. Ensure that Port is set to 636, the Connectionless check box is cleared, and the SSL check box is selected, and then click OK. If you receive a message that says “Cannot open connection,” LDAP-over-SSL binding is not configured properly.
  3. Click the Connection menu, click Bind, and then click OK.
  4. If LDAP over SSL is configured properly, the command output displays the user name and domain name that you used for binding.
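
The connection test from the Ldp procedure above, scripted in PowerShell as an added example (not part of the original article and not Microsoft tooling): it completes an SSL handshake on port 636 and checks the certificate the server presents for the server authentication purpose that the article requires. The function name Test-LdapsEndpoint and the host name dc01.corp.example are assumptions made for illustration.

```powershell
# Added example; Test-LdapsEndpoint is a hypothetical helper, not a built-in cmdlet.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory = $true)][string]$Server,  # host name as typed into Ldp
        [int]$Port = 636
    )
    $problems = New-Object 'System.Collections.Generic.List[string]'
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        # Accept any certificate during the handshake so it can be inspected;
        # trust is evaluated separately below and no data is sent on this stream.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } catch {
        # Same condition that Ldp reports as "Cannot open connection".
        return [pscustomobject]@{ Server = $Server; LdapsAvailable = $false; Problems = @($_.Exception.Message) }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }
    $now = Get-Date
    if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
        $problems.Add("Not valid now (valid $($cert.NotBefore) to $($cert.NotAfter))")
    }
    # The article requires an intended purpose of server authentication.
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    $eku = $cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @(if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } })
    if ($ekuOids -notcontains $serverAuthOid) {
        $problems.Add("Server Authentication ($serverAuthOid) is not a listed purpose")
    }
    # Does this computer trust the issuing CA? Revocation is skipped to keep the check offline.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        foreach ($s in $chain.ChainStatus) { $problems.Add("Chain: $($s.StatusInformation.Trim())") }
    }
    [pscustomobject]@{
        Server = $Server; LdapsAvailable = $true; Subject = $cert.Subject
        Thumbprint = $cert.Thumbprint; NotAfter = $cert.NotAfter; Problems = $problems.ToArray()
    }
}

# Constructed host name; replace it with a domain controller in your forest.
Test-LdapsEndpoint -Server 'dc01.corp.example' | Format-List
```

An empty Problems list with LdapsAvailable set to True corresponds to a successful SSL connection in Ldp. The trust result reflects the certificate stores of the computer that runs the script, and the script does not compare the host name with the names in the certificate.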