
Why does the Policy Server suddenly and permanently fail to connect to the AD user/policy store over an LDAPS connection?


Article ID: 36202




Products: CA Single Sign On Secure Proxy Server (SiteMinder), CA Single Sign On SOA Security Manager (SiteMinder), CA Single Sign-On



Issue:

The Policy Server connects to Active Directory over a secure (LDAPS) connection as its Policy Store or User Store.

It had been working fine, but suddenly and permanently lost its connection to AD.

Connecting over plain LDAP (without SSL) works, but Active Directory only accepts password changes over an encrypted connection, so that blocks users from changing their passwords.



Environment:

Policy Server: R12.52 SP1 (not limited to a specific version or OS)

Active Directory: Windows Server 2008 (R2) or Windows Server 2012 (R2)



Cause:

The domain controller's certificate was silently renewed from the wrong certificate template (the "Domain Controller Authentication" template). That template sets the Subject Name to "None" and only puts the DNS name in the Subject Alternative Name, so the renewed certificate has no CN in its Subject.

The Netscape LDAP SDK that the Policy Server uses for the "LDAP" namespace validates the server against the CN (Subject Name) of the certificate and does not accept a certificate whose Subject carries no CN, so the LDAPS connection fails.

* Certificate autorenewal kicks in 6 weeks before expiry, which is why the change happened without anyone touching the Policy Server or the domain controller.



Resolution:

Issue a new certificate to the domain controller using the "Domain Controller" template, which builds the certificate Subject (CN) from the information in Active Directory. Because the bad certificate arrived through autorenewal, also check which templates the domain controllers are allowed to autoenroll for, otherwise the next renewal can reproduce the problem.

* This issue does not occur when the AD namespace is used, since that namespace does not go through the Netscape LDAP SDK.
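The following script is an added example and is not part of the original article or of the Policy Server code. It models, offline, the difference that causes this failure: a CN-only hostname check (a simplified stand-in for the behaviour the article attributes to the Netscape LDAP SDK, not the SDK's own code) against a SAN-aware check. The two certificate dicts are constructed for this example in the layout that `ssl.SSLSocket.getpeercert()` returns; one mirrors a "Domain Controller" template certificate (Subject CN populated), the other a "Domain Controller Authentication" template certificate (Subject "None", DNS name only in the SAN). The host name `TESTMC1.ssl.lab` is the one in the article's screenshot. `fetch_ldaps_cert` is an assumed helper for running the same check against a live domain controller; it needs your AD CS root certificate as `cafile`.

```python
"""
Added example (not from the original article): show why a DC certificate
issued from the "Domain Controller Authentication" template fails a CN-based
hostname check while one from the "Domain Controller" template passes, and
optionally pull the real certificate from a DC's LDAPS port for the same check.
"""
import socket
import ssl

# Constructed sample: "Domain Controller" template -> Subject built from AD,
# so the CN is present (the DNS name is also in the SAN).
DC_TEMPLATE_CERT = {
    "subject": ((("commonName", "TESTMC1.ssl.lab"),),),
    "subjectAltName": (("DNS", "TESTMC1.ssl.lab"),),
}

# Constructed sample: "Domain Controller Authentication" template ->
# Subject Name "None", only a SAN dNSName entry.
DC_AUTH_TEMPLATE_CERT = {
    "subject": (),
    "subjectAltName": (("DNS", "TESTMC1.ssl.lab"),),
}


def subject_cn(cert):
    """Return the Subject CN of a getpeercert()-style dict, or None if absent."""
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def san_dns_names(cert):
    """Return the dNSName entries of the Subject Alternative Name."""
    return [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]


def _dns_match(pattern, host):
    """Case-insensitive DNS match allowing a single leading wildcard label."""
    pattern, host = pattern.lower(), host.lower()
    if pattern.startswith("*."):
        return host.count(".") == pattern.count(".") and host.endswith(pattern[1:])
    return pattern == host


def cn_only_hostname_ok(cert, host):
    """Legacy-style check: the host must match the Subject CN; the SAN is not
    consulted. A certificate with an empty Subject always fails here."""
    cn = subject_cn(cert)
    return cn is not None and _dns_match(cn, host)


def san_aware_hostname_ok(cert, host):
    """RFC 6125-style check: match SAN dNSName entries first; fall back to the
    CN only when the certificate carries no DNS SAN at all."""
    names = san_dns_names(cert)
    if not names:
        cn = subject_cn(cert)
        names = [cn] if cn else []
    return any(_dns_match(n, host) for n in names)


def diagnose(cert, host):
    """Summarise how the certificate fares under both checks."""
    return {
        "subject_cn": subject_cn(cert),
        "san_dns": san_dns_names(cert),
        "cn_only_check": cn_only_hostname_ok(cert, host),
        "san_aware_check": san_aware_hostname_ok(cert, host),
    }


def fetch_ldaps_cert(host, cafile, port=636, timeout=5.0):
    """Assumed helper: fetch the parsed certificate a DC presents on LDAPS.
    The chain is verified against `cafile` (the AD CS root) so that
    getpeercert() returns the parsed dict; Python's own host name check is
    disabled because the name check is what we want to run ourselves."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    host = "TESTMC1.ssl.lab"
    for label, cert in (("Domain Controller template", DC_TEMPLATE_CERT),
                        ("Domain Controller Authentication template", DC_AUTH_TEMPLATE_CERT)):
        print(label, diagnose(cert, host))
```

Running the script shows the Authentication-template certificate passing the SAN-aware check but failing the CN-only one, which is exactly the split the article describes: a modern client (or the AD namespace) is happy with the renewed certificate, while the LDAP namespace is not. To test a real domain controller, call `fetch_ldaps_cert("dc.example.local", "/path/to/adcs-root.pem")` and pass the result to `diagnose`; a `subject_cn` of `None` in the output means the certificate came from a template that does not populate the Subject.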


Additional Information:

[Domain Controller Template]

The Subject Name tab shows that the SUBJECT NAME is built from the information available in Active Directory.

<Please see attached file for image>


[Domain Controller Authentication Template]

The Subject Name tab shows that the SUBJECT NAME is "None" by default.

Only the ALTERNATE SUBJECT NAME is populated, using the DNS name.

<Please see attached file for image>

The following screenshot shows that the certificate the domain controller originally used was issued from the "Domain Controller" template.

It also shows that its SUBJECT has the value TESTMC1.ssl.lab.

<Please see attached file for image>



Release: ESPSTM99000-12.51-Single Sign On-Extended Support Plus

