Issue/Problem/Symptom:
The Policy Server was connecting to Active Directory over a secure (SSL) channel, using it as a Policy Store or a User Store.
It had been working fine, but suddenly and permanently lost its connection to AD.
Connecting via LDAP (without SSL) works, but that prevents users from changing their password.
Environment:
Policy Server: R12.52 SP1 (not limited to a specific version or OS)
Active Directory: Windows Server 2008 (R2) or Windows Server 2012 (R2)
Cause:
The Active Directory certificate was silently renewed using the wrong certificate template (Domain Controller Authentication), resulting in a certificate whose Subject lacks a CN value.
The Netscape LDAP SDK that the Policy Server uses for the "LDAP" namespace requires the CN (Subject Name) field of the certificate, so the SSL connection fails.
* Certificate auto-renewal kicks in 6 weeks before expiry.
Resolution:
Issue a new certificate using the "Domain Controller" template.
* This issue does not occur when using the AD namespace.
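To confirm which kind of certificate a domain controller is presenting on LDAPS before and after reissuing it, the following script pulls the leaf certificate with openssl and checks whether its Subject carries a CN (an empty Subject with only a DNS SAN is the signature of the Domain Controller Authentication template). This is an added example, not part of the original article; it assumes openssl 1.1.1 or later is installed, and the DC hostname is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original article). Checks the certificate a
# domain controller presents on LDAPS (port 636) for a Subject CN, which the
# Policy Server's LDAP namespace requires.

# Returns 0 when an "openssl x509 -noout -subject" line contains a CN
# component, 1 when the Subject is empty or has no CN (what the
# "Domain Controller Authentication" template produces by default).
subject_has_cn() {
    case "$1" in
        *"CN ="*|*"CN="*) return 0 ;;
        *) return 1 ;;
    esac
}

# Fetch the leaf certificate from the DC and print Subject plus SAN.
# $1 = DC hostname (placeholder, e.g. dc1.example.test), $2 = port.
fetch_dc_cert() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
      | openssl x509 -noout -subject -ext subjectAltName
}

# Operator entry point: returns 0 if the cert is usable by the LDAP
# namespace, 1 if the Subject lacks a CN, 2 if no cert could be fetched.
check_dc_cert() {
    certinfo=$(fetch_dc_cert "$1" "${2:-636}") || return 2
    subj=$(printf '%s\n' "$certinfo" | sed -n 's/^subject=//p')
    printf '%s\n' "$certinfo"
    if subject_has_cn "$subj"; then
        echo "OK: Subject contains a CN; LDAP namespace over SSL can use this certificate."
        return 0
    fi
    echo "PROBLEM: Subject has no CN (Domain Controller Authentication template?); reissue with the Domain Controller template."
    return 1
}
```

Run it as `check_dc_cert dc1.example.test 636` against each DC the Policy Server talks to.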
Additional Information:
[Domain Controller Template]
You can see here that the SUBJECT NAME will be sourced from the information available in Active Directory.
<Please see attached file for image>
[Domain Controller Authentication Template]
You can see here that the SUBJECT NAME is "None" by default, and that the ALTERNATE SUBJECT NAME is populated using the DNS name.
<Please see attached file for image>
The following screenshot shows that the template used for the initial Active Directory certificate was the "Domain Controller" template.
It also shows that the SUBJECT has a value of TESTMC1.ssl.lab.
<Please see attached file for image>