06.7.2010

Windows Server 2003 Domain Controller LDAPS Certificate Expiration

Applications these days should be using secure LDAP (LDAPS) or Transport Layer Security (TLS) for authentication and authorization against a domain controller (DC). This provides an encrypted connection for data to traverse between a client, which could be a web server, and the DC. As with most encryption schemes that use digital certificates, the server certificate on the DC must be valid and not expired. An expired certificate on the DC will cause new connection attempts to the DC from clients to fail. In my experience, the clients will not try to connect to a secondary DC - so users begin seeing error messages. This all occurs even though the autoenrollment process provided the DC a replacement certificate some 42 days prior to expiration of the current certificate.

Follow up:

It turns out that if a domain controller is not rebooted between the autoenrollment process date and the time the current certificate expires, the new certificate is not read into memory. This causes secure connection attempts from client machines to fail. I encountered this problem last year but have since learned a little more about it.

So how does one determine what certificate is currently in use by a domain controller? The autoenrollment process replaces the current certificate with a new one but the old certificate is still in use. The best way I have found to test if the domain controller certificate has expired or to determine which certificate is in active use is to use Internet Explorer 6. Here are the steps:

1. Use IE 6 to open a connection with the target DC via URL https://somedomaincontroller:636
2. Click the OK button when the "Choose a Digital Certificate" dialog box appears.
3. Click the View Certificate button when the "Security Alert" dialog box appears.
4. The General tab will provide the effective dates of the certificate currently in use.
5. Click the Details tab for additional details about the certificate.

You can use the Certificates Microsoft Management Console (MMC) snap-in to view the certificate in the certificate store. Keep in mind that certificates replaced by the autoenrollment process will no longer be visible. Only the new certificate will be displayed. Here are the steps to view the DC certificate via the certificate store:

1. Click Start, then Run.
2. Enter MMC.exe and run it.
3. Click File, then Add/Remove Snap-in...
4. Click the Add... button on the Add/Remove Snap-in dialog box.
5. Select the Certificates snap-in then click the Add button.
6. Select Computer Account on the Certificates Snap-in dialog box then click the Next button.
7. Make sure Local Computer is selected on the Select Computer dialog box then click the Finish button.
8. Click the Close button on the Add Standalone Snap-in dialog box.
9. Click OK on the Add/Remove Snap-in dialog box.
10. Expand the Certificates tree then expand the Personal tree.
11. Click on the Certificates folder.
12. Double-click the certificate displayed in the right pane to view certificate information.

Again, keep in mind that the certificate being viewed in the certificate store via the MMC snap-in may not be the one in actual use by the domain controller. Use IE 6 via the 5 steps described above to view the certificate currently in use.

If anyone has a better method than using IE 6 to check the certificate in use, please leave a comment.
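
One way to read the certificate a DC is actually presenting on port 636 without a browser, shown as an added example that is not part of the original post. The function name `Get-LdapsServedCertificate` and its `-CompareLocalStore` switch are hypothetical; the switch compares against the Personal store of the machine the script runs on, so it is only meaningful when run on the DC itself.

```powershell
# Added example: function and parameter names are hypothetical.
function Get-LdapsServedCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$Port = 636,
        [switch]$CompareLocalStore   # use only when running on the DC itself
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($ComputerName, $Port)
        # Accept whatever certificate is presented so that an expired one can
        # still be inspected. Nothing is sent over the stream after the handshake.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] {
            param($source, $cert, $chain, $policyErrors) $true
        }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAny)
        try {
            $ssl.AuthenticateAsClient($ComputerName)
            $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        } finally {
            $ssl.Dispose()
        }
    } finally {
        $tcp.Close()
    }

    # InLocalStore = False on the DC means the certificate being served is no
    # longer in the Personal store, i.e. autoenrollment has already replaced it.
    $inStore = $null
    if ($CompareLocalStore) {
        $thumbprints = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { $_.Thumbprint }
        $inStore = $thumbprints -contains $served.Thumbprint
    }
    $served | Select-Object Subject, Thumbprint, NotBefore, NotAfter,
        @{ Name = 'DaysRemaining'; Expression = { [math]::Floor(($_.NotAfter - (Get-Date)).TotalDays) } },
        @{ Name = 'InLocalStore';  Expression = { $inStore } }
}

# Host name taken from the URL in the IE 6 steps above.
Get-LdapsServedCertificate -ComputerName somedomaincontroller
```

A current client may refuse the older SSL/TLS versions that a Windows Server 2003 DC offers, in which case the handshake fails before any certificate is returned.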