Reviewing SSL/TLS Certificate Chain for Active Directory Server

Sometimes when I am setting up, or helping someone set up, identity synchronisation between the SAS® platform and Microsoft Active Directory (AD), I run into SSL/TLS certificate validation issues. I am usually using Metacoda Identity Sync, but it can also happen when doing a sync with custom Base SAS code. Often the underlying cause is that the CA certificate that issued the AD server's certificate (or the root above it) is not in the SAS Private JRE Trusted CA Bundle (see Did I add that CA Certificate to the SAS Trusted CA Bundle?). When troubleshooting this, one of the first things I will do is look at the certificate chain that the AD server is presenting, and I mostly use an OpenSSL s_client command for this. There are four command variations I use, depending on whether I am connecting to the main directory or the global catalog, and whether I am using LDAP with a STARTTLS upgrade or plain LDAPS.

For connecting to the main directory on the unencrypted LDAP port 389 with an upgrade to encrypted using STARTTLS (the -starttls ldap option needs OpenSSL 1.1.1 or later):

echo "Q" | openssl s_client -connect dc.example.com:389 -starttls ldap -showcerts

For connecting to the main directory on the encrypted LDAPS port 636:

echo "Q" | openssl s_client -connect dc.example.com:636 -showcerts

For connecting to the global catalog on the unencrypted port 3268 with an upgrade to encrypted using STARTTLS:

echo "Q" | openssl s_client -connect gc.example.com:3268 -starttls ldap -showcerts

For connecting to the global catalog on the encrypted port 3269:

echo "Q" | openssl s_client -connect gc.example.com:3269 -showcerts

The -showcerts output lists each certificate the server sent (" 0 s:" is the server certificate, " 1 s:" its issuer, and so on), followed by a "Verify return code" line; if the code is 20 (unable to get local issuer certificate) or 19 (self signed certificate in certificate chain), the root the chain leads to is not in the trust store OpenSSL is using, which is the same problem the SAS Private JRE will report. You can test against the SAS bundle directly by adding -CAfile with the path to that bundle, and the chain must end at a CA in the bundle: AD servers rarely send their root, so usually the issuer of the last certificate shown is the one you need to import. Also check that the host name you connect with appears in the certificate's Subject Alternative Name, since a name mismatch fails validation even when the CA is trusted. If you want to examine the returned certificate in more detail then you can also pipe it to an OpenSSL x509 command. Note that openssl x509 only decodes the first certificate it reads, which is the server's own certificate, so to inspect the CA certificates you have to cut each PEM block out of the -showcerts output first, e.g.

echo "Q" | openssl s_client -connect dc.example.com:389 -starttls ldap -showcerts | openssl x509 -noout -text

If you have questions, or any other tips for troubleshooting SSL/TLS certificates with AD, then please leave a comment below.