Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

A client computer cannot authenticate to a domain controller that is running Windows 2000 or Windows Server 2003 by using LDAP over SSL


View products that this article applies to.

Symptoms

A client computer may not be able to authenticate to a Microsoft Windows Server 2003 domain controller or to a Microsoft Windows 2000 domain controller by using Lightweight Directory Access Protocol (LDAP) over a Security Sockets Layer (SSL) connection. The following event ID error message is logged to the system event log on the client computer:

Source: Schannel
Category: None
Event ID: 36876
Date: Date
Time: Time
User: N/A
Computer: YourComputerName
Description:
The certificate received from the remote server has not validated correctly. The error code is 0x80090328. The SSL connection request has failed. The attached data contains the server certificate.

Error Code 0x80090328 = SEC_E_CERT_EXPIRED (Certificate is expired).

These symptoms occur even after the server receives a new certificate from the certification authority (CA) that replaces the expired certificate on the server.

Additionally, the System event log may also log the following event when the server side certificate fails:

Event ID: 36881
The certificate received from the remote server has expired. The SSL connection request has failed. The attached data contains the server certificate.

↑ Back to the top


Cause

This issue occurs because LDAP caches the certificate on the server. Although the certificate has expired and the server receives a new certificate from a CA, the server uses the cached certificate. You must restart the server before the server uses the new certificate.

↑ Back to the top


Workaround

To work around this issue, restart the server after the server receives a new certificate from the CA.

↑ Back to the top


More information

For more information about how to troubleshoot similar event ID 37876 error messages, click the following article numbers to view the articles in the Microsoft Knowledge Base:
254610 System Event ID 36876 when using LDAP SSL query of the Active Directory
822406 Clients cannot authenticate with a server after you obtain a new certificate to replace an expired certificate on the server

↑ Back to the top


Keywords: KB839514, kbbug, kbpending, kbtshoot

↑ Back to the top

Article Info
Article ID : 839514
Revision : 4
Created on : 10/30/2006
Published on : 10/30/2006
Exists online : False
Views : 509