SChannel error - The SSL server credential's certificate does not have a private key information property attached to it.

We have a public SSL certificate that allows for Active Directory sync with LDAPS on port 636 with our email smart host. This was working fine and suddenly stopped working, and we are now getting SChannel errors, Event ID 36869. There were no changes made to the Exchange server, the firewall or the DC which holds the certificate. I have run a new certreq from the DC and then re-keyed the public SSL certificate and re-installed 3 times, but the error does not go away and AD Sync with the vendor fails. When I run LDP.exe the connection on port 636 fails with "cannot open connection" and the system event log throws the SChannel event 36869 "The SSL server credential's certificate does not have a private key information property attached to it". There is no software firewall set on the DC.

When I run Certutil -VerifyStore MY, it shows the current certificates as well as the revoked and expired certificates correctly. Certificate 0 is the public cert and is listed with Server and Client authentication, the FQDN of the server is correct and "Certificate is Valid" is listed. The private cert is Certificate 1 and has server and client authentication, the FQDN is correct, the private key is not exportable and it ends with "Certificate is Valid". I do not see a point in re-keying the cert again until I figure out what the root of the problem is. I have read in some forums that the private cert should not be set to expire after the public cert, but that does not make a lot of sense when, in a situation like this, the private cert is of course newer than the public. In fact it is too early to renew the public cert.

I have been troubleshooting this for a few days and at this point I would have to drop my AD sync with the vendor to LDAP in order to add new users. I do not want to do that for obvious reasons and I do not want to have our spam filtering and email archive service running without Directory sync. Any help would be greatly appreciated.
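A diagnostic for the situation described above, added here as an example and not part of the original post: it lists every certificate in the machine MY store with whether a private key is actually attached (the property event 36869 says is missing) and whether its SAN matches the DC, then attempts the same TLS handshake on 636 that LDP.exe makes and reports which certificate the server presented. $Fqdn is a placeholder for the DC's name; run it elevated on the DC.

```powershell
# Added example (not from the original post). Assumes elevation on the DC;
# $Fqdn is a placeholder and must be replaced with the DC's real FQDN.
param([string]$Fqdn = 'dc01.example.com')

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth

# 1. Inventory: which MY-store certs are usable as an SChannel server credential?
$inventory = foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains $serverAuthOid))
    [pscustomobject]@{
        Subject       = $cert.Subject
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        ServerAuth    = $serverAuth
        HasPrivateKey = $cert.HasPrivateKey      # $false is exactly what event 36869 reports
        MatchesFqdn   = [bool]($cert.DnsNameList.Unicode -contains $Fqdn)
    }
}
$inventory | Sort-Object NotAfter -Descending | Format-Table -AutoSize

# A cert with ServerAuth/MatchesFqdn true but HasPrivateKey false has lost the
# link to its key container; 'certutil -repairstore my <thumbprint>' re-associates
# the key if it still exists on the machine.

# 2. Handshake test: same thing LDP.exe does on 636, but showing the presented cert.
# Chain validation is deliberately bypassed here so the presented cert is
# visible even when the chain is broken; this is observation only, not trust.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($Fqdn, 636)
    $noCheck = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $noCheck
    $ssl.AuthenticateAsClient($Fqdn)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    "LDAPS handshake OK ($($ssl.SslProtocol)): $($presented.Subject) thumbprint $($presented.Thumbprint)"
} catch {
    # With 36869 on the server side this is where the failure surfaces for the client.
    "LDAPS handshake failed: $($_.Exception.Message)"
} finally {
    $tcp.Dispose()
}
```

If the handshake fails while the inventory shows a valid server-auth cert with HasPrivateKey true, the remaining suspects are the key container's ACL (the LDAP service runs as SYSTEM and must be able to read the key) rather than the certificate itself.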
