This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 91%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER2%3C/text%3E%3C/svg%3E)
Hello
We have a unique setup that has worked in the past but when trying to recreate it keeps failing
We have created an AD LDS/ADAM instance on a dedicated Win 2008 R2 server then created account using ADSI Edit in that instance that match the accounts in a web based application "maximo"
We can logon/bind with LDP with the account using port 636 with SSL and port 389
When we logon to maximo we get an error in the ADAM event log
Internal event: The LDAP server returned an error.
Additional Data
Error value:
00000003: LdapErr: DSID-0C060469, comment: Error decrypting ldap message, data 0, v1db1
I can't find a lot of info on what this error is.
Anybody else know what this error means?
Cheers
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(281.6, 80%, 37%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ETB%3C/text%3E%3C/svg%3E)
Hi,
It seems a certificate problem.
Check if root certificate is installed correctly on the server.
Please don't forget to mark helpful reply as answer
Hey Bourbita Thanks for replying
If it was a cert issue wouldn't I get errors when connecting and binding in ldp?
The error is not clear, you should launch network capture (you can use wireshark) to more understand the issue.
Why you still using windows 2008 R2 ?
OK bummer. Yes trying to find any information on this error has been challenging.
latest version of wireshark doesn't work on 2008 R2 so I used MS Network Monitor. I can see in the network capture that the TLS handshakes are occurring and that it appears to hit my AD LDS instance but it's difficult to tell where the failure is occurring
It's a long story but the reason why I'm working on this issue is to replace 2008 R2
You should migrate your server asap to supported OS. If you still using unsupported OS like Windows 2008 R2, you work without Microsoft support which can help you in this situation.
Please don't forget to mark helpful answer as accepted*
As I said I'm currently working on trying to upgrade the server as I'm fully aware of the issues. I appreciate the advice but it doesn't help me to solve my issue
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(236.8, 46%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ER4%3C/text%3E%3C/svg%3E)
Have you tried logging in with the non-secure LDAP port just for testing purposes?
Hey Compdigit44
yes I can connect and bind with the account I created in ADSI Edit with LDP on port 389 no SSL
In that case if does sound like a cert issue like R1prime 210 mentioned. What type of cert are you using? Local , 3rd party etc.... if local which CA template was used to create it?
Hey compdigit44 it was @Thameur-BOURBITA that suggested that it was a cert issue.
Certs are issued from a 3rd party "entrust" and use a private key
Sorry for giving the shout out to the wrong user..... my mistake
Hey compdigit44 it was @BOURBITA Thameur that suggested that it was a cert issue.
Certs are issued from a 3rd party "entrust" and use a private key
No worries. Certs are a little complicated for this setup. This might be too into the weeds but maybe this info would be helpful
We get 3rd party certs with a private key and import them into IIS and then import them into the AD LDS personal store.
I have confirmed that the cert is in trusted root cert auth and private key is present in both stores on our AD LDS server
These certs are also installed into IBM Websphere and a JAAS LDAP login module is created in Websphere that points to the server that has the AD LDS instance on
When a user logs onto the web application "maximo" it will pass through websphere and then hit the AD LDS instance to authenticate.
Websphere logs show that it is making it to the AD LDS instance and the server generates logs in ADAM logs when you attempt to login with maximo
This is where I'm getting the error for the original question of this post.
I don't have a way of testing this by bypassing websphere except for LDP
In my experience we would not be able to connect with LDP and bind if these certs were not installed correctly but I could be missing something.