Connection to AD fails when using SSL

A failing connection to the Active Directory service can have several causes:

Firewall blocking the connection

Check (for example with telnet) that a TCP connection to the Active Directory server on port 636 (LDAPS) succeeds. If the TCP connection succeeds but the TLS handshake still fails, a firewall is not the problem and the cause is on the certificate side, as described below.

Server is using a certificate with an MD5 or SHA-512 signature

Microsoft disabled support for server certificates with MD5 signatures with KB2862973 (made a mandatory update in early 2014). If any certificate in the server's chain carries an MD5 signature, the TLS handshake fails and Schannel logs event 36888 on the server.

There are two workarounds:

1. Replace every certificate in the chain that carries an MD5 signature with one that uses a stronger hash (preferably SHA-384; see the note on SHA-512 below).
2. Disable TLS 1.2 on the Active Directory server as a temporary measure (see KB245030). This weakens the server's TLS configuration, so it should only bridge the time until the certificates are replaced.

Note on SHA-512

Certificates with a SHA-512 signature can only be used if KB2973337 (released in late 2014) is installed on the server. Without it the effect is the same as with MD5: the handshake fails and event 36888 is logged.
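The two checks described on this page, TCP reachability of port 636 and the hash behind each certificate's signature, as an added Python example; this is not code from the original article. It uses only the standard library. `dc01.example.com` is a placeholder host name, and the `sha512_patch_installed` flag is an assumption the caller supplies, because whether KB2973337 is present on the server cannot be detected remotely. The `fake_cert` helper builds constructed, certificate-shaped test input for offline use; it does not produce real certificates.

```python
import socket
import ssl

# RSA signature-algorithm OIDs (RFC 3279, RFC 4055) and the hash each uses.
SIG_OID_HASH = {
    "1.2.840.113549.1.1.4": "MD5",
    "1.2.840.113549.1.1.5": "SHA-1",
    "1.2.840.113549.1.1.11": "SHA-256",
    "1.2.840.113549.1.1.12": "SHA-384",
    "1.2.840.113549.1.1.13": "SHA-512",
}

def _tlv(der, pos):
    """Decode the DER tag and length at pos; return (tag, value_start, value_end)."""
    tag, length, pos = der[pos], der[pos + 1], pos + 2
    if length & 0x80:                         # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(der[pos:pos + n], "big"), pos + n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Dotted OID from its DER content octets."""
    arcs, val = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:                      # last octet of this arc
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))

def signature_hash(cert_der):
    """Hash named in the outer signatureAlgorithm of a DER-encoded X.509 certificate."""
    _, pos, _ = _tlv(cert_der, 0)             # Certificate ::= SEQUENCE {
    _, _, tbs_end = _tlv(cert_der, pos)       #   tbsCertificate (skipped)
    _, alg_pos, _ = _tlv(cert_der, tbs_end)   #   signatureAlgorithm ::= SEQUENCE {
    tag, start, end = _tlv(cert_der, alg_pos) #     algorithm OBJECT IDENTIFIER
    if tag != 0x06:
        raise ValueError("signatureAlgorithm does not start with an OID")
    oid = _decode_oid(cert_der[start:end])
    return SIG_OID_HASH.get(oid, oid)         # unknown algorithm: report the raw OID

def assess_chain(chain_der, sha512_patch_installed=False):
    """Apply the rules from the article to a chain (DER certificates, leaf first);
    returns (index, hash, reason) for each certificate the server would reject.
    Whether KB2973337 is installed is not visible remotely, so the caller states it."""
    problems = []
    for i, der in enumerate(chain_der):
        h = signature_hash(der)
        if h == "MD5":
            problems.append((i, h, "MD5 signatures are rejected since KB2862973"))
        elif h == "SHA-512" and not sha512_patch_installed:
            problems.append((i, h, "SHA-512 signatures need KB2973337 on the server"))
    return problems

def check_ldaps(host, port=636, timeout=5.0):
    """(stage, detail): 'tcp' = port unreachable (firewall or nothing listening),
    'tls' = handshake failed, 'ok' = hash of the leaf certificate's signature."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return "tcp", f"no TCP connection to {host}:{port}: {e}"
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE           # diagnostic: fetch the cert, do not trust it
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            leaf = tls.getpeercert(binary_form=True)
    except (ssl.SSLError, OSError) as e:
        return "tls", f"TCP connect succeeded but the TLS handshake failed: {e}"
    return "ok", signature_hash(leaf)

# Constructed test input: a certificate-shaped DER skeleton (empty tbsCertificate,
# dummy signature). It is not a real certificate, only what signature_hash() walks.
def _der(tag, body):
    assert len(body) < 0x80                   # short-form length is enough here
    return bytes([tag, len(body)]) + body

def _encode_oid(oid):
    arcs = [int(a) for a in oid.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:                              # base-128, high bit set on all but the last
            chunk.append((a & 0x7F) | 0x80)
            a >>= 7
        out.extend(reversed(chunk))
    return bytes(out)

def fake_cert(sig_oid):
    alg = _der(0x30, _der(0x06, _encode_oid(sig_oid)) + _der(0x05, b""))
    return _der(0x30, _der(0x30, b"") + alg + _der(0x03, b"\x00"))

if __name__ == "__main__":
    print(check_ldaps("dc01.example.com"))    # placeholder host name
    print(assess_chain([fake_cert("1.2.840.113549.1.1.11"), fake_cert("1.2.840.113549.1.1.4")]))
```

`getpeercert(binary_form=True)` only returns the leaf certificate, so `check_ldaps` reports the hash of that one signature. Because the page's rule applies to the whole chain, dump the intermediates and the root as well (for example with `openssl s_client -connect <server>:636 -showcerts`), convert each to DER and pass the list to `assess_chain`.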