Event Details
Product: Windows Operating System
ID: 1220
Source: Windows Server 2003 and Windows Server 2003 R2: Active Directory; Windows Server 2008 and Windows Server 2008 R2: Microsoft-Windows-ActiveDirectory_DomainService
Version: 5.0 and 6.0
Symbolic Name: DIRLOG_LDAP_SSL_NO_CERT
Message: LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.
technet.microsoft.com/en-us/library/ee411009(d=printer,v=ws.10).aspx
01-12-13
Resolve
Event ID 1220 is logged on a domain controller when client computers attempt to make an LDAP-over-SSL connection to the directory while SSL connections are not enabled on the directory, because the server has no certificate to use for them. If you want to configure a domain controller or an AD LDS server to support SSL connections, you must provide a certificate for the AD DS or AD LDS directory to use. If you do not want to support LDAP over SSL connections on the directory, identify the client computers that are attempting to make such connections so that you can resolve the issue on those clients.

Membership in Domain Admins, or equivalent, is the minimum required to complete this procedure. Perform the following procedure on a domain controller or a computer that has Remote Server Administration Tools (RSAT) installed. See Installing Remote Server Administration Tools for AD DS (http://go.microsoft.com/fwlink/?LinkId=144909).

If you want to configure your domain controllers to support SSL connections, you can install and configure the Active Directory Certificate Services (AD CS) role on a domain controller, or you can import a certificate from a trusted certification authority (CA). If you install the AD CS role and specify the Setup Type as Enterprise on a domain controller, all domain controllers in the forest will be configured automatically to accept LDAP over SSL. For instructions about installing and configuring a local certificate server using a Windows Server 2008 computer, see the Active Directory Certificate Services Step-by-Step Guide (http://go.microsoft.com/?linkid=9645085).

Warning In most cases, you should not install a CA on a domain controller. For additional information, see PKI Design Brief Overview (http://social.technet.microsoft.com/wiki/contents/articles/pki-design-brief-overview.aspx).
In most cases you should use a certificate from a CA that is not installed on a domain controller. The certificate that you import into the LDAP server (for example, a domain controller, Active Directory Application Mode (ADAM), or Active Directory Lightweight Directory Services (AD LDS)) must meet the following specifications:

1. The certificate must be valid for the purpose of Server Authentication. This means that its Enhanced Key Usage must contain the Server Authentication object identifier (OID) 1.3.6.1.5.5.7.3.1.
2. The Subject name, or the first name in the Subject Alternative Name (SAN), must match the fully qualified domain name (FQDN) of the host machine, such as Subject: CN=server1.contoso.com. For more information, see How to add a Subject Alternative Name to a secure LDAP certificate (http://support.microsoft.com/kb/931351).
3. The host machine account must have access to the private key.

If you are preparing a Windows Server 2008 or Windows Server 2008 R2 domain controller to accept LDAP over SSL (LDAPS) connections, you should import the certificate into the AD DS personal store (as shown in the following procedure).

Note If you are working on a Windows Server 2003 or Windows Server 2003 R2 computer, you should import the certificate as described in Configure Authentication and Encryption (http://technet.microsoft.com/en-us/library/cc757003.aspx). If you are working on an AD LDS server, follow the instructions in Appendix A: Configuring LDAP over SSL Requirements for AD LDS (http://go.microsoft.com/?linkid=9645086).
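The following PowerShell script is an added example and is not part of the TechNet article. It enumerates the certificates in the local computer's Personal store and tests each against the three requirements listed above (Server Authentication EKU, name match against the host FQDN, private key present), plus the validity period, so that you can see whether any certificate is actually usable for LDAPS before you import or request one. It assumes it is run in an elevated session on the domain controller itself; the AD DS (NTDS) personal store that Windows Server 2008 and later also consult is not exposed through the Cert: drive and can be listed separately with certutil.

```powershell
# Added example, not from the TechNet article: check certificates in the local
# computer's Personal store against the LDAPS certificate requirements.
# Assumptions: run elevated on the domain controller; the AD DS personal store
# used on Windows Server 2008 and later can be listed with
#   certutil -service -store NTDS\My
# and is not covered by this scan.

$fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$sanOid        = '2.5.29.17'           # subjectAltName extension

function Get-SanDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $sanOid }
    if (-not $ext) { return @() }
    # Format() renders the SAN as "DNS Name=host1, DNS Name=host2, ..." on English systems.
    [regex]::Matches($ext.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLower() }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    $cert = $_

    # 1. Enhanced Key Usage must contain Server Authentication (1.3.6.1.5.5.7.3.1).
    $ekuExt = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = @()
    if ($ekuExt) { $ekuOids = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    $hasServerAuth = $ekuOids -contains $serverAuthOid

    # 2. Subject CN, or the first DNS name in the SAN, must equal the host FQDN.
    $subjectCn = $cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false).ToLower()
    $sanNames  = @(Get-SanDnsNames -Cert $cert)
    $nameOk    = ($subjectCn -eq $fqdn) -or ($sanNames.Count -gt 0 -and $sanNames[0] -eq $fqdn)

    # 3. A private key must be present. HasPrivateKey only shows that a key is
    #    associated; the machine account must also have read access to it.
    $keyOk = $cert.HasPrivateKey

    # A certificate outside its validity period is not "valid for Server Authentication".
    $now    = Get-Date
    $dateOk = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)

    [pscustomobject]@{
        Thumbprint     = $cert.Thumbprint
        Subject        = $cert.Subject
        SanDnsNames    = ($sanNames -join ';')
        ServerAuthEku  = $hasServerAuth
        NameMatches    = $nameOk
        HasPrivateKey  = $keyOk
        InValidity     = $dateOk
        UsableForLdaps = ($hasServerAuth -and $nameOk -and $keyOk -and $dateOk)
    }
} | Format-Table -AutoSize
```

If no row reports UsableForLdaps as True, the domain controller has nothing to offer on port 636 and will keep logging Event 1220 until a certificate meeting all three requirements is installed. A certificate whose only name is the short host name, or whose FQDN appears in the SAN but not as the first entry, shows up here as NameMatches False, which is the most common reason an otherwise good-looking certificate is ignored.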
Verify
Membership in Domain Users, or equivalent, is the minimum required to complete this procedure. Learn more about default group memberships online (http://go.microsoft.com/fwlink/?LinkID=150761). Perform the following procedure on a domain controller or a computer that has Remote Server Administration Tools (RSAT) installed. For more information about RSAT, see Installing Remote Server Administration Tools for AD DS (http://go.microsoft.com/fwlink/?LinkId=144909).
Tip To install LDP on computers running Windows Server 2003 or Windows XP operating systems, install Windows Server 2003 Support Tools from the Windows Server 2003 product CD or from the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=100114). For more information about how to install Windows Support Tools from the product CD, see Install Windows Support Tools (http://go.microsoft.com/fwlink/?LinkId=62270).
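As an added example that is not part of the TechNet article, the following PowerShell script performs from the command line the same check you would make in LDP by connecting to the domain controller on port 636 with the SSL option: it completes a TLS handshake, then reports the certificate the server presented and whether a client on this machine would trust it. The server name 'dc1.contoso.com' is a placeholder to replace with your domain controller's FQDN.

```powershell
# Added example, not from the TechNet article: test an LDAPS (TCP 636) connection
# and report the certificate the domain controller presents.
# Assumption: 'dc1.contoso.com' is a placeholder for the DC's FQDN.

$server = 'dc1.contoso.com'
$port   = 636

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($server, $port)
} catch {
    Write-Error "TCP connect to ${server}:${port} failed: $($_.Exception.Message)"
    return
}

# Accept any certificate in the handshake callback so that the handshake
# completes; trust is then evaluated explicitly below and reported, instead
# of being hidden behind a generic handshake failure.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $sslPolicyErrors)
    $true
}
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)

try {
    $ssl.AuthenticateAsClient($server)
} catch {
    # A DC that is logging Event 1220 has no certificate to offer and drops
    # the connection at this point.
    Write-Error "TLS handshake with $server failed: $($_.Exception.Message)"
    $tcp.Close()
    return
}

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

# Build the chain against this machine's trusted roots, as an LDAP client would,
# and check revocation online.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode =
    [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
$chainOk     = $chain.Build($cert)
$chainStatus = if ($chainOk) { 'OK' } else { ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ' }

# Server Authentication EKU (1.3.6.1.5.5.7.3.1) and SAN, for comparison with the
# requirements in the Resolve section.
$ekuExt = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$serverAuth = $false
if ($ekuExt) {
    $serverAuth = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1'
}
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san    = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

[pscustomobject]@{
    Server        = $server
    Protocol      = $ssl.SslProtocol
    Subject       = $cert.Subject
    Issuer        = $cert.Issuer
    SanNames      = $san
    NotAfter      = $cert.NotAfter
    ServerAuthEku = $serverAuth
    ChainTrusted  = $chainOk
    ChainStatus   = $chainStatus
} | Format-List

$ssl.Close()
$tcp.Close()
```

A successful handshake with ChainTrusted False means the DC is now offering a certificate (so Event 1220 should stop), but clients that do not have the issuing CA in their trusted root store will still refuse the connection; that is the situation to expect after importing a certificate from a CA the clients have never seen. Run the script from a client computer rather than from the DC itself to see what that client actually trusts.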
See Also
Other Resources
Request a computer certificate for server authentication
Article 321051 in the Microsoft Knowledge Base
Certificates How To
Certificate Services
To post technical questions, visit the Directory Services forum
Community Additions
http://social.technet.microsoft.com/wiki/contents/articles/pki-design-brief-overview.aspx
For more information on LDAP over SSL, see LDAPS over SSL
http://social.technet.microsoft.com/wiki/contents/articles/ldap-over-ssl-ldaps.aspx
Enable LDAP over SSL (LDAPS) on Windows 2008 Active Directory Domain http://www.christowles.com/2010/11/enable-ldap-over-ssl-ldaps-on-windows.html