Problems with MS ADAM and LDAP (SSL) connectivity between 2 DMZ servers over

Posted on 2008-11-10
Last Modified: 2012-05-05
We have 2 Windows 2003 Enterprise servers running in our DMZ. One has MS ADAM installed for user management and the other is a Web server. The web server was able to initiate an LDAP connection over SSL (port 50636) to the ADAM server. However this has stopped working and we cannot resolve the problem (the server with ADAM can initiate an LDAP connection to itself on that port without problem).

You can telnet between the two servers on that port and it appears to connect, so we don't believe there is anything stopping the connection. Also you can initiate an LDAP connection on 50389.

Any help in troubleshooting this would be appreciated.


Question by: BritInsurance

    Assisted Solution

    Check to make sure that the certificate is OK (not expired, etc.). Also check the encryption strength to see if it is 1024 or 2048 - if it is 2048 or higher, check this out:

    You might try restarting the ADAM instance and see if that might help, although if you are able to connect to it locally I'm not sure if that will help.

    I'm assuming there are not any software firewalls that might have gotten messed up somehow.

    Here is another MS article that might be useful:

    Accepted Solution

    Microsoft have thankfully resolved the problem. It was certificate related - it seems that although the servers were in a workgroup only, their DNS servers were on our internal domain and they had manual entries in that domain. Therefore when a server resolved the other it resolved it fully qualified. The certificate was created against a non-FQDN and it seems that, oddly enough, when you first create it it will work, but once rebooted it tries to use the FQDN and therefore the cert fails. We recreated the certs against the FQDN and this resolved the problem.
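The failure in the accepted solution (cert issued for the short name, client connecting by FQDN) is exactly what a hostname-verifying TLS client rejects, and it is easy to confirm from the web server before touching the certificate. The script below is an added example, not code from the original thread or from Microsoft: it handshakes with the LDAPS listener under full verification and reports the precise verification failure (hostname mismatch versus expired), then re-fetches the raw certificate with verification off so its SHA-256 fingerprint can be compared with the one installed on the ADAM server. The host names `ADAMSRV` and `adamsrv.corp.example` are placeholders, and port 50636 is the one quoted in the question. Only the Python standard library is used.

```python
"""LDAPS certificate check for an ADAM / AD LDS listener.

Added example, not code from the original post. Assumptions: the names
ADAMSRV and adamsrv.corp.example are placeholders for the short name and
the FQDN the DMZ DNS entries resolve to; 50636 is the port from the question.
"""
import hashlib
import socket
import ssl
from datetime import datetime, timezone

LDAPS_PORT = 50636  # LDAPS port quoted in the question


def cert_names(cert):
    """DNS names a getpeercert()-style dict vouches for: SAN dNSName entries,
    then the subject CN (a cert created against a short name has only the CN)."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k.lower() == "dns"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return [n.lower().rstrip(".") for n in names]


def name_matches(host, pattern):
    """Case-insensitive exact match; '*.example' covers one left-most label."""
    host = host.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in host and host.split(".", 1)[1] == pattern[2:]
    return host == pattern


def check_cert_for_host(cert, host, now=None):
    """Return the list of problems with using `cert` for `host`; [] means OK.
    `now` is injectable so the check can be exercised offline."""
    problems = []
    names = cert_names(cert)
    if not any(name_matches(host, n) for n in names):
        problems.append(f"name mismatch: connected to {host!r}, cert names {names}")
    ts = (now or datetime.now(timezone.utc)).timestamp()
    if ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append(f"not yet valid (notBefore {cert['notBefore']})")
    if ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append(f"expired (notAfter {cert['notAfter']})")
    return problems


def probe_ldaps(host, port=LDAPS_PORT, timeout=5.0):
    """Handshake under full verification (Windows CA/ROOT stores or the system
    bundle) and report either the verified cert's names or the exact failure;
    then fetch the raw cert with verification off so its fingerprint can be
    compared with what certutil / the ADAM server's certificate store shows."""
    strict = ssl.create_default_context()
    result = {"host": host, "port": port}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with strict.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result["verified"] = True
                result["names"] = cert_names(cert)
                result["problems"] = check_cert_for_host(cert, host)
    except ssl.SSLCertVerificationError as e:
        result["verified"] = False
        result["problems"] = [e.verify_message]  # e.g. hostname mismatch, expired
    lax = ssl.create_default_context()
    lax.check_hostname = False
    lax.verify_mode = ssl.CERT_NONE  # getpeercert() is empty under CERT_NONE, so take DER
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with lax.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
    result["sha256"] = hashlib.sha256(der).hexdigest()
    return result


if __name__ == "__main__":
    import json
    import sys
    # Probe both the short name and the FQDN, as in the accepted solution:
    # a cert issued for the short name verifies on one and fails on the other.
    for name in sys.argv[1:] or ["ADAMSRV", "adamsrv.corp.example"]:
        print(json.dumps(probe_ldaps(name), indent=2))
```

Run it from the web server with the names it actually uses to reach the ADAM box; a `hostname mismatch` from the strict handshake alongside a successful lax fetch is the signature of the problem described above, while `certificate has expired` or a fingerprint that differs from the certificate bound to the ADAM instance point at the causes the assisted solution lists instead.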
