Unable to configure the search appliance and Active Directory to use SSL

Summary: When configuring the search appliance to use Active Directory to authenticate users and/or resolve groups via LDAP, you should enable SSL so that credentials are not passed in plain text.


Cause: There are two reasons why it may not be possible to configure SSL between the search appliance and Active Directory:

  • There is no SSL certificate installed on the Active Directory domain controller.
  • The certificate is not trusted by the search appliance (the issuing certification authority is unknown to it).

Troubleshooting Steps: Check whether the domain controller has a certificate installed. To do this, run the following openssl command against the LDAPS port:

$ openssl s_client -connect example.com:636
CONNECTED(00000003)
write:errno=104


If the connection is immediately closed as shown above (the TCP connection succeeds but the server resets it without presenting a certificate), Active Directory does not have a certificate installed. You can verify this on the domain controller: Event ID 36886 will be present under Event Viewer > Windows Logs > System, with the following message:

No suitable default server credential exists on this system. This will prevent server applications that expect to make use of the system default credentials from accepting SSL connections. An example of such an application is the directory server. Applications that manage their own credentials, such as the internet information server, are not affected by this.
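The check above only tells the two causes apart by eye. The following script, added here as an example and not part of the original article, wraps the same openssl probe and classifies its output into the cases the article describes (no certificate, certificate presented but not trusted, or verified). The hostnames and the CA file path are placeholders.

```shell
#!/bin/sh
# Added example (not from the original article): classify the result of an
# openssl s_client probe against a domain controller's LDAPS port so the two
# causes above (no certificate vs. untrusted certificate) can be told apart.
#
# diagnose_ldaps_output reads s_client output on stdin and prints one word:
#   OK          certificate presented and chain verified against the CA file
#   UNTRUSTED   certificate presented but not verified (CA cert not trusted)
#   NO_CERT     TCP connected, then reset with no certificate (no cert on DC)
#   UNREACHABLE connection never established (firewall, wrong host, port closed)
diagnose_ldaps_output() {
  out=$(cat)
  case "$out" in
    *"Verify return code: 0 (ok)"*)   echo OK ;;
    *"BEGIN CERTIFICATE"*)            echo UNTRUSTED ;;
    *CONNECTED*)                      echo NO_CERT ;;
    *)                                echo UNREACHABLE ;;
  esac
}

# check_ldaps HOST CAFILE probes port 636 (LDAPS). CAFILE is the PEM
# certificate of the CA that issued the domain controller's certificate; the
# same CA certificate is what gets imported into the search appliance.
check_ldaps() {
  host=$1
  cafile=$2
  openssl s_client -connect "$host:636" -CAfile "$cafile" </dev/null 2>&1 \
    | diagnose_ldaps_output
}

# check_starttls HOST CAFILE probes port 389 with Start TLS instead
# (-starttls ldap needs OpenSSL 1.1.1 or later).
check_starttls() {
  host=$1
  cafile=$2
  openssl s_client -connect "$host:389" -starttls ldap -CAfile "$cafile" </dev/null 2>&1 \
    | diagnose_ldaps_output
}

# Usage: ./check_ldaps.sh dc.example.com ca.pem   (placeholder host and CA file)
if [ "$#" -eq 2 ]; then
  printf 'LDAPS 636:     %s\n' "$(check_ldaps "$1" "$2")"
  printf 'Start TLS 389: %s\n' "$(check_starttls "$1" "$2")"
fi
```

An UNTRUSTED result with the correct CA file passed via -CAfile means the certificate chain itself is incomplete or wrong on the domain controller; an UNTRUSTED result only without -CAfile is the expected state before the CA certificate has been imported on the appliance.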

Fix: Complete the following steps to configure SSL between Active Directory and the search appliance:

  1. If no SSL certificate is installed, engage your AD administrator to install an SSL certificate on the domain controller.

  2. Import the certification authority certificate on the search appliance. To establish trust between the search appliance and the certification authority that issued your certificate, you need to install that certification authority's certificate on the search appliance. You can do this in the Admin Console under Administration > Certificate Authorities > Add more Certificate Authorities.

Once both steps are complete, you can configure the LDAP connection in the LDAP configuration to use either "Start TLS" on port 389 or SSL on port 636.
