Your Citrix NetScaler (or perhaps another device testing LDAP or trying to communicate via TLS/SSL) can complete a TLS connection test to Domain Controllers or other LDAP servers just fine, but there is one server that is failing the test and throwing the error below:
Here are some knowns:
- The test is right: port 389 is open, is responding, and other tests to that server are just fine.
- The server itself is reachable.
- You know that LDAP is responding and there truly doesn't seem to be a problem with LDAP at all.
- You've tested LDAP using another app like ldp.exe, LDAP Browser, or another program that can prove your connection is fine.
- Your username and password are correct (a bad credential would instead throw an invalid username/password error).
So here's a screenshot of Wireshark watching a failed attempt from the NetScaler to the Domain Controller. See the failures at the bottom?
The error it throws is "Error initializing SSL/TLS", which is fairly generic. But here are some more knowns now that we see this:
- The NetScaler is communicating with the Domain Controller just fine.
- The same request, same TLS version and cipher etc., is being sent each time the NetScaler reaches out to the Domain Controller.
We discovered that the problem was the Domain Controller's own certificate, the one that provides Client and Server Authentication.
Issue a new personal certificate to the Domain Controller using the Domain Controller template, which includes both Client Authentication and Server Authentication, and you'll be all set.
How did it get this way?
Welp, there are a number of different factors, but the main thing was that this Domain Controller was once a Certificate Authority (CA) server, and during its time as a CA server it lost the Personal Certificate that gave it the ability to communicate securely using TLS. While you can bind with any username and password during a connection to port 389 and do AD queries all day long, you cannot necessarily complete more select connections such as the Citrix NetScaler Reachability Test.
Maybe you're having trouble because your Domain Controller certificate is simply expired, or maybe you have the same CA problem that we had; either way you're going to have to refresh that Domain Controller cert, so here's how to do that:
Creating a CA on your Domain:
If you already have a CA, you can skip to the "Creating a Certificate" portion of this document.
A CA simply means that you have a server on your network that will create certificates for you. These are not awesome third-party SSL certificates. Instead, these can be used internally for applications and other tools that need to communicate with each other more securely. Here's how to do that in Server 2012:
Open Roles and Features on a server that is part of your domain and choose to add the four checked Server Roles listed below:
It might be scary, but you can "Next" your way through almost everything here until setup is complete.
Once you are done, you need to finalize the installation. Click on the flag at the top and then choose only the top two options to finalize. Again, you can Next through them. Afterward, select the bottom two and finalize those.
Once complete, you can test that things are good by hitting your Windows key or clicking the Windows button and typing "Certificate Authority", which will bring up the CA GUI. If you can see it, you're good.
Creating a Certificate:
When done, hit your Windows key and type "Manage Computer Certificates" and you'll bring up your certs. You should already be familiar with this area. A screenshot is below.
Right-click the Personal folder and choose All Tasks > Request New Certificate. Click Next until you can choose "Domain Controller" from the list of certificate templates. When done, click Enroll. Once complete you should see a new certificate.
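Before (or after) re-enrolling, it helps to see exactly which requirement the Domain Controller's current certificate fails. The PowerShell below is an added example, not code from the original post: run in an elevated session on the DC, it audits the Personal (LocalMachine\My) store for a certificate that has a private key, is in its validity window, chains to a trusted CA, names this host, and carries both the Server Authentication and Client Authentication EKUs. The EKU and extension OIDs are standard; the assumption that the certificate must name the DC's FQDN in its Subject or SAN is mine.

```powershell
# Added example (not from the original post). Run elevated on the Domain Controller.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'      # Server Authentication EKU
$ClientAuthOid = '1.3.6.1.5.5.7.3.2'      # Client Authentication EKU
$SanOid        = '2.5.29.17'              # Subject Alternative Name
$TemplateOid   = '1.3.6.1.4.1.311.20.2'   # "Certificate Template Name" (informational only)

$dcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$now    = Get-Date

$report = Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
    $cert    = $_
    $ekuExt  = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus    = if ($ekuExt) { @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) } else { @() }
    $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid }
    $tmplExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq $TemplateOid }

    # Assumption: Schannel needs the DC's FQDN in the Subject or the SAN.
    $names = $cert.Subject
    if ($sanExt) { $names += ' ' + $sanExt.Format($false) }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Subject       = $cert.Subject
        Template      = if ($tmplExt) { $tmplExt.Format($false) } else { '(none)' }
        HasPrivateKey = $cert.HasPrivateKey
        NotExpired    = ($cert.NotBefore -le $now -and $cert.NotAfter -gt $now)
        ChainTrusted  = $cert.Verify()                  # builds and validates the chain
        NamesThisHost = ($names -like "*$dcFqdn*")
        ServerAuthEKU = ($ekus -contains $ServerAuthOid)
        ClientAuthEKU = ($ekus -contains $ClientAuthOid)
    }
}

$report | Format-Table -AutoSize

# A certificate is usable for LDAP over TLS only if it passes every check.
$usable = @($report | Where-Object {
    $_.HasPrivateKey -and $_.NotExpired -and $_.ChainTrusted -and
    $_.NamesThisHost -and $_.ServerAuthEKU -and $_.ClientAuthEKU
})
if ($usable.Count -gt 0) {
    "OK: $($usable.Count) certificate(s) satisfy every check for LDAP over TLS."
} else {
    "PROBLEM: no certificate in LocalMachine\My passes all checks; re-enroll from the Domain Controller template."
}
```

A certificate that shows ServerAuthEKU but not ClientAuthEKU is the exact shape of the problem described above, and the Template column tells you whether it came from the Domain Controller template or from something else.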
This should take care of the issue.
Apologies for the lack of screenshots in a tutorial that needs many more of them. Hopefully this will help you out, though.