Unable to configure LDAP over SSL (LDAPS) for NPC or NetVoyant

Document ID : KB000030109
Last Modified Date : 14/02/2018

Summary:

Single Sign-On Configuration Tool > LDAP Authentication > Test LDAP Authentication, fails when using LDAP over SSL (LDAPS) and displays the following error:

An exception was thrown:
Source: System.DirectoryServices
Message: The server is not operational

The following Event ID and error is also seen in the Windows Event Viewer System log:

Event ID: 36882

The certificate received from the remote server was issued by an untrusted certificate authority. Because of this, none of the data contained in the certificate can be validated. The SSL connection request has failed. The attached data contains the server certificate.


Solution:

If the LDAP server's certificate was issued by a Certificate Authority (CA) whose root certificate is not already in the NPC or NetVoyant server's Local Computer Trusted Root Certification Authorities store, the configuration below is required before LDAP over SSL will work. That store ships with the root certificates of the most common public CAs, such as VeriSign and GoDaddy, but not with those of an internal or enterprise CA.

Note: If the LDAP certificate was issued by a CA whose root certificate is not in the Local Computer Trusted Root Certification Authorities store, you need to import that root certificate. Any intermediate CA certificates in the chain must be imported as well (into the Intermediate Certification Authorities store). Import into the Local Computer stores, not the Current User stores, because the NPC/NetVoyant services do not run under the interactive user's profile.

Follow the steps below to import the CA certificate(s) for the LDAP server into the Local Computer certificate stores and verify the LDAPS connection.

1. Obtain the root CA certificate (and any intermediate CA certificates) that issued the LDAP server certificate and import them into the Local Computer's Trusted Root Certification Authorities and Intermediate Certification Authorities stores, respectively.

Steps to add certificates via MMC (Certificates snap-in, Computer account)

2. Ensure the Single Sign-On Configuration Tool-> LDAP Authentication-> Search Domain field is set to the name the certificate was Issued To (its Subject Common Name, or one of the DNS names in its Subject Alternative Name extension). A name mismatch fails SSL validation even when the CA is trusted.

Single Sign-On Configuration Tool-> LDAP Authentication-> Search Domain field example:

SeachDomain1.png

IIS Server Certificate example:

IISCerts.png


3. Open a command prompt on the NPC or NetVoyant server and verify that the NSLOOKUP command resolves the name the certificate was issued to (the same name entered in Search Domain).

Note: A HOSTS file entry can be used when the name cannot be resolved through DNS.

4. Run the Single Sign-On Configuration Tool-> LDAP Authentication-> Test LDAP Authentication again and confirm that the error is resolved.

5. Confirm that login to NPC or NetVoyant web portal works using the LDAP user.
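The following PowerShell script is an added example, not part of the original KB article or of the NPC/NetVoyant product, that runs steps 1 through 4 from the server itself: it resolves the name, pulls the certificate presented on the LDAPS port, prints the Subject and Subject Alternative Names to compare against the Search Domain field, builds the certificate chain against the Local Computer stores, imports the CA root if the chain is untrusted, and finally binds over SSL with System.DirectoryServices (the same component the Single Sign-On Configuration Tool reports in its exception). The host name dc01.example.com, port 636, the path C:\certs\CorpRootCA.cer and the anonymous RootDSE read are assumptions; run it from an elevated prompt.

```powershell
# Added diagnostic example (not from the KB article). Assumed values below.
param(
    [string]$LdapHost   = 'dc01.example.com',           # assumed: name the cert was issued to
    [int]   $Port       = 636,                          # LDAPS
    [string]$RootCaPath = 'C:\certs\CorpRootCA.cer'     # assumed: exported CA root certificate
)
$ErrorActionPreference = 'Stop'

# Step 3: the name must resolve (DNS or HOSTS file).
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($LdapHost) | ForEach-Object { $_.IPAddressToString }
    "Resolves : $LdapHost -> $($addrs -join ', ')"
} catch {
    Write-Warning "$LdapHost does not resolve; add a HOSTS entry or fix DNS before continuing"
    return
}

# Fetch the certificate the LDAP server presents. The callback accepts any certificate here
# so we can inspect it; trust is evaluated explicitly below.
$client = New-Object System.Net.Sockets.TcpClient($LdapHost, $Port)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false,
        { param($sender, $certificate, $chain, $errors) $true })
$ssl.AuthenticateAsClient($LdapHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $client.Dispose()

# Step 2: these are the names the Search Domain field must match.
"Subject  : $($cert.Subject)"
"Issuer   : $($cert.Issuer)"
"Expires  : $($cert.NotAfter)"
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
$names = @()
if ($cert.Subject -match 'CN=([^,]+)') { $names += $Matches[1] }
if ($san) {
    "SAN      : $($san.Format($false))"
    $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -split '=', 2)[1] }
}
if ($names -notcontains $LdapHost) {
    Write-Warning "Search Domain '$LdapHost' is not among the certificate names: $($names -join ', ')"
}

# Step 1: build the chain from the Local Computer stores (what the services use).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'   # trust question only; revocation is a separate check
if (-not $chain.Build($cert)) {
    $chain.ChainStatus | ForEach-Object { Write-Warning "Chain: $($_.Status) - $($_.StatusInformation)" }
    if (Test-Path $RootCaPath) {
        # Import the CA root, not the leaf, so renewed server certificates keep working.
        Import-Certificate -FilePath $RootCaPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
        "Imported $RootCaPath into LocalMachine\Root; re-run to confirm the chain now builds"
    } else {
        Write-Warning "CA root not found at $RootCaPath; export it from the CA and import via MMC"
    }
} else {
    "Chain    : trusted ($($chain.ChainElements.Count) elements)"
}

# Step 4: bind over SSL with System.DirectoryServices, as the SSO tool does. An untrusted
# certificate or a name mismatch surfaces here as "The server is not operational".
# Assumption: RootDSE allows an anonymous read; supply credentials if your directory requires them.
try {
    $de = New-Object System.DirectoryServices.DirectoryEntry(
            "LDAP://$LdapHost`:$Port/RootDSE", $null, $null,
            [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer)
    "LDAPS OK : defaultNamingContext = $($de.Properties['defaultNamingContext'].Value)"
} catch {
    Write-Warning "LDAPS bind failed: $($_.Exception.Message)"
}
```

If the chain builds and the bind succeeds here but the Single Sign-On Configuration Tool still fails, the tool is running under a different account or host name than the one tested; repeat the check as that account and with the exact value in the Search Domain field.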