Notice: This website is an unofficial Microsoft Knowledge Base (hereinafter KB) archive and is intended to provide a reliable access to deleted content from Microsoft KB. All KB articles are owned by Microsoft Corporation. Read full disclaimer for more details.

A client computer cannot authenticate to a domain controller that is running Windows 2000 or Windows Server 2003 by using LDAP over SSL



Symptoms

A client computer may not be able to authenticate to a Microsoft Windows Server 2003 domain controller or to a Microsoft Windows 2000 domain controller by using Lightweight Directory Access Protocol (LDAP) over a Secure Sockets Layer (SSL) connection. The following event is logged in the System event log on the client computer:

Source: Schannel
Category: None
Event ID: 36876
Date: Date
Time: Time
User: N/A
Computer: YourComputerName
Description:
The certificate received from the remote server has not validated correctly. The error code is 0x80090328. The SSL connection request has failed. The attached data contains the server certificate.

Error code 0x80090328 = SEC_E_CERT_EXPIRED (the certificate has expired).

These symptoms continue even after the server has received a new certificate from the certification authority (CA) to replace the expired certificate.

The System event log on the client may also record the following event when the server-side certificate fails validation:

Event ID: 36881
The certificate received from the remote server has expired. The SSL connection request has failed. The attached data contains the server certificate.



Cause

This issue occurs because the LDAP service on the server caches the certificate that it loaded. Although that certificate has expired and the server has since received a new certificate from a CA, the server keeps presenting the cached, expired certificate to clients. The server must be restarted before it uses the new certificate.



Workaround

To work around this issue, restart the server after it has received the new certificate from the CA. Until the restart, clients that validate the server certificate will continue to fail with SEC_E_CERT_EXPIRED even though a valid certificate is installed.
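Before restarting, it helps to confirm that this is actually the condition you are in: the certificate presented on the LDAPS port is expired, while a newer valid certificate already sits in the machine store. The following PowerShell script is an added example and is not part of the KB article. It assumes it is run on the domain controller itself (the store comparison reads the local LocalMachine\My store), that LDAPS listens on TCP 636, and that the renewed certificate was enrolled with a private key and the Server Authentication EKU; the $DomainController and $Port parameters are placeholders for your environment.

```powershell
# Added example, not part of KB 839514: compare the certificate a domain
# controller presents on the LDAPS port with the newest valid server
# certificate in its own machine store. A mismatch after a renewal is the
# cached-certificate condition the article describes, and a restart is needed.
# Assumptions: run on the domain controller itself (the store check is local),
# LDAPS on TCP 636, and the new certificate enrolled into LocalMachine\My.
param(
    [string]$DomainController = $env:COMPUTERNAME,
    [int]$Port = 636
)

$serverAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

function Test-ServerAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq $serverAuthEku) { return $true }
            }
        }
    }
    return $false
}

# Fetch the certificate the server actually sends in the TLS handshake.
# Validation is deliberately disabled here: the point is to see what a
# client would reject with 0x80090328, not to reject it ourselves.
$acceptAny = { param($sender, $certificate, $chain, $sslPolicyErrors) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
    $ssl.AuthenticateAsClient($DomainController)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
}
finally {
    $tcp.Close()
}

$now = Get-Date
Write-Host "Presented on ${DomainController}:${Port}"
Write-Host "  Subject    : $($presented.Subject)"
Write-Host "  NotAfter   : $($presented.NotAfter)"
Write-Host "  Thumbprint : $($presented.Thumbprint)"
if ($presented.NotAfter -lt $now) {
    Write-Warning "The presented certificate is expired; clients will log Schannel 36876 with 0x80090328 (SEC_E_CERT_EXPIRED)."
}

# Newest unexpired Server Authentication certificate with a private key in the
# machine store: this is what LDAP should pick up after a restart.
$newest = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt $now -and (Test-ServerAuthEku $_) } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $newest) {
    Write-Warning "No unexpired Server Authentication certificate with a private key is installed in LocalMachine\My. Request a new certificate from the CA before restarting."
}
elseif ($newest.Thumbprint -eq $presented.Thumbprint) {
    Write-Host "The server is already presenting the newest valid certificate; this symptom does not apply."
}
else {
    Write-Warning "A newer valid certificate is installed (Thumbprint $($newest.Thumbprint), NotAfter $($newest.NotAfter)) but is not being presented. LDAP is still using the cached certificate; restart the domain controller."
}
```

Run it as an administrator on the domain controller, for example `.\Check-LdapsCert.ps1` (file name assumed). The first half (what is presented on port 636) also works from any other machine by passing `-DomainController dc1.example.com`, which is a quick way to reproduce from the client's point of view what the Schannel 36876 event is complaining about; only the store comparison requires running on the server.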



More information

For more information about how to troubleshoot similar event ID 36876 error messages, click the following article numbers to view the articles in the Microsoft Knowledge Base:
254610 System Event ID 36876 when using LDAP SSL query of the Active Directory
822406 Clients cannot authenticate with a server after you obtain a new certificate to replace an expired certificate on the server



Keywords: KB839514, kbbug, kbpending, kbtshoot


Article Info
Article ID : 839514
Revision : 4
Created on : 10/30/2006
Published on : 10/30/2006
Exists online : False
Views : 491