Secure LDAP for external access for a third party vendor

We have an SBS 2011 server with a current SSL certificate. We have a third party vendor that needs to be able to extract AD info via LDAP. We want to use LDAPS to help secure it. We have blocked port 636 except for the vendor's IP range, and we know it's talking as we can telnet to this port. When trying to connect via the FQDN of the current SSL certificate issued by a third party CA, it doesn't connect. I have tried adding a new FQDN, i.e. pointing to the external IP address, and created an SSL certificate from the local CA, and even a third party CA, but it still doesn't connect. It's like it's not liking the certificate name it finds.

When using LDP.exe as a test to connect to, the system event talks about schannel and mentions: "The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate." When I look at the friendly view, I can see mention of the internal name of the server.


Dan McFadden, Systems Engineer, commented:
You need to have the local CA's root certificate installed on the computer that will be connecting to your LDAP server.

Here is a link (assuming you are using an MS cert server):

Check out the 3rd section on how to install a root certificate.

greentriangle (Author) commented:
What if we can't install the CA root certificate on the 3rd party wanting to access AD?

Dan McFadden, Systems Engineer, commented:
I then suggest purchasing a 3rd party SSL certificate from a commercial CA...  Symantec, Thawte, Comodo, etc.

Here's a comparison site:

Dan McFadden, Systems Engineer, commented:
You could test this out using an SSL Cert from  It's free and a recognized CA. I've used them once before and remembered after looking at the comparison chart above.

greentriangle (Author) commented:
Again, in the original post, I mentioned that I had tried a 3rd party certificate.... Tried a GeoTrust but to no avail...

Dan McFadden, Systems Engineer, commented:
Have you followed this process from MS?

Here is another process for troubleshooting the issues:

Also, which device is reporting the SChannel error, your server or the remote device?

This issue is similar to configuring SSL for connecting to SQL Server, Lync Server or a web server. The error you're receiving is similar to going to a web site using an SSL Cert issued by an entity that your browser is unaware of. Your browser shows an error message like:

There is a problem with this website’s security certificate.

The security certificate presented by this website was not issued by a trusted certificate authority.
The security certificate presented by this website was issued for a different website's address.

Security certificate problems may indicate an attempt to fool you or intercept any data you send to the server.  

I am also going to re-state that the CA Certificate Chain (Root CA Cert) has to be trusted by all parties in order to create a valid SSL connection.  If not, the connection cannot work correctly.
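The thread turns on two distinct failures that look alike from LDP.exe: the client does not trust the issuer of the server's certificate, or the certificate was issued for the server's internal name rather than the FQDN the vendor connects to. The script below is an added example for checking this from the client side, not code from the thread or from any party in it. It uses Python's standard `ssl` module with the operating-system trust store plus an optional extra root file, which is the non-Windows equivalent of installing the local CA's root certificate that Dan describes. The host names, the `SAMPLE_CERT` dictionary and the CA file path are constructed for illustration.

```python
"""Probe an LDAPS endpoint and say *why* the TLS handshake fails.

Added example: separates "issuer not trusted" from "certificate issued for a
different name", the two failures discussed in the thread. Only the TLS
handshake is performed; no LDAP bind or search is sent.
"""
import json
import socket
import ssl
import sys

# Constructed sample in the dict shape ssl.SSLSocket.getpeercert() returns:
# a cert the local CA issued for the server's internal name, not the public FQDN.
SAMPLE_CERT = {
    "subject": ((("commonName", "sbs2011.corp.internal"),),),
    "issuer": ((("commonName", "corp-SBS2011-CA"),),),
    "subjectAltName": (("DNS", "sbs2011.corp.internal"), ("DNS", "sbs2011")),
}


def cert_names(cert):
    """DNS names the certificate was issued for.

    dNSName SAN entries win; the subject CN is used only when the certificate
    carries no dNSName SAN at all (the RFC 6125 rule).
    """
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if sans:
        return sans
    return [value for rdn in cert.get("subject", ()) for key, value in rdn if key == "commonName"]


def _name_matches(pattern, hostname):
    """Case-insensitive match allowing one left-most wildcard label only."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if "*" not in pattern:
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if p_labels[0] != "*" or len(p_labels) < 3 or len(p_labels) != len(h_labels):
        return False
    return p_labels[1:] == h_labels[1:]


def hostname_matches(hostname, cert):
    """True if `cert` is valid for `hostname`."""
    return any(_name_matches(name, hostname) for name in cert_names(cert))


def classify_tls_failure(exc):
    """Map a handshake exception to the failure class an admin acts on."""
    msg = str(exc).lower()
    if isinstance(exc, ssl.SSLCertVerificationError) or "certificate verify failed" in msg:
        if "hostname mismatch" in msg or "doesn't match" in msg:
            return "name_mismatch"      # trusted issuer, wrong name: reissue/add SAN
        if "self signed" in msg or "self-signed" in msg or "unable to get" in msg:
            return "untrusted_ca"       # install the root, or use a public CA
        if "has expired" in msg:
            return "expired"
        return "verify_failed"
    if isinstance(exc, (ConnectionRefusedError, socket.timeout, TimeoutError)):
        return "no_connection"          # firewall or service, not a certificate problem
    if isinstance(exc, ssl.SSLError):
        return "handshake_error"        # e.g. plain LDAP answering on 636
    return "other"


def build_context(ca_file=None):
    """Strict client context: OS trust store plus an optional extra root."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_file:
        ctx.load_verify_locations(cafile=ca_file)   # the local CA's root, as Dan suggests
    return ctx


def probe_ldaps(host, port=636, expected_name=None, ca_file=None, timeout=5.0):
    """Connect to host:port over TLS and report the outcome as a dict."""
    name = expected_name or host
    ctx = build_context(ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=name) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "failure": None, "issued_for": cert_names(cert),
                        "issuer": dict(item for rdn in cert.get("issuer", ()) for item in rdn)}
    except Exception as exc:  # report, do not hide, every failure class
        return {"ok": False, "failure": classify_tls_failure(exc), "detail": str(exc)}


if __name__ == "__main__":
    # usage: ldaps_probe.py <fqdn> [extra-root.pem]   (hypothetical file names)
    target = sys.argv[1]
    extra_root = sys.argv[2] if len(sys.argv) > 2 else None
    print(json.dumps(probe_ldaps(target, ca_file=extra_root), indent=2))
```

OpenSSL validates the chain before the name, so a locally issued certificate that also carries the wrong name reports `untrusted_ca` first; `name_mismatch` only surfaces once the issuer is trusted. That ordering explains the thread's experience: a public-CA certificate issued for one FQDN still fails when the vendor connects by another name, and an internally issued certificate fails on the vendor's side no matter what name it carries until its root is installed there.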

