Hi All,

One of our DCs seems to be requesting a client certificate on SSL/LDAP binds. The behavior manifests itself as weird delays and timeouts when doing an SSL/LDAP bind on port 636 to it. When I have a smart card inserted, I get a delay. When I don’t have a smart card inserted, the calling process will hang and I get a Schannel error saying:

A fatal error occurred when attempting to access the SSL client credential private key. The error code returned from the cryptographic module is 0x80090304.

That HRESULT equates to “The Local Security Authority cannot be contacted”.

With the rest of our DCs, SSL/LDAP connections are very fast regardless of our client certificates, so it appears that they aren’t even asking for a client cert (but I’m guessing here).

The interesting thing is that all of our DCs use the same security policy, so it is not clear to us why this one DC is behaving differently. It might be that something is hacked in the registry on this one DC that is overriding policy.

Does anyone have any idea where to look? Unfortunately, this DC is used very heavily in our staging environment, and applications tend to use SSL/LDAP a lot since most of the developers don’t seem to understand secure binding on port 389. Thus we are having some crappy performance problems.

All thoughts are greatly appreciated.

Joe K.
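One way to stop guessing about which DCs ask for a client certificate: send a bare TLS 1.2 ClientHello to port 636 and look for a CertificateRequest in the server's first flight, which arrives in plaintext and does not touch the local smart card. This is an added diagnostic, not code from the mail above or from any product it mentions; it assumes the DC accepts TLS 1.2 and that you pass its host name to `probe()`.

```python
import os
import socket
import struct

HS_NAMES = {2: "ServerHello", 11: "Certificate", 12: "ServerKeyExchange", 13: "CertificateRequest", 14: "ServerHelloDone"}

def build_client_hello() -> bytes:
    # Offer only TLS 1.2, so the server's CertificateRequest (if any) arrives in plaintext.
    suites = b"\xc0\x2f\xc0\x30\xc0\x13\xc0\x14\x00\x2f\x00\x35\x00\x3c\x00\x3d"
    groups = b"\x00\x0a" + struct.pack(">HH", 6, 4) + b"\x00\x17\x00\x18"             # P-256, P-384
    sigalgs = b"\x00\x0d" + struct.pack(">HH", 8, 6) + b"\x04\x01\x05\x01\x06\x01"    # RSA + SHA-2
    body = (b"\x03\x03" + os.urandom(32) + b"\x00" + struct.pack(">H", len(suites)) + suites
            + b"\x01\x00" + struct.pack(">H", len(groups + sigalgs)) + groups + sigalgs)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body
    return b"\x16\x03\x01" + struct.pack(">H", len(hs)) + hs

def parse_server_flight(data: bytes) -> dict:
    # Reassemble handshake messages across records; an alert (type 21) ends the flight.
    hs, alert, pos = b"", None, 0
    while pos + 5 <= len(data):
        ctype, length = data[pos], struct.unpack(">H", data[pos + 3:pos + 5])[0]
        payload, pos = data[pos + 5:pos + 5 + length], pos + 5 + length
        if ctype == 22: hs += payload
        elif ctype == 21 and len(payload) >= 2: alert = (payload[0], payload[1])  # (level, description)
    result, pos = {"messages": [], "cert_requested": False, "ca_names": 0, "alert": alert}, 0
    while pos + 4 <= len(hs):
        mtype, mlen = hs[pos], int.from_bytes(hs[pos + 1:pos + 4], "big")
        body, pos = hs[pos + 4:pos + 4 + mlen], pos + 4 + mlen
        result["messages"].append(HS_NAMES.get(mtype, str(mtype)))
        if mtype == 13:                                       # CertificateRequest
            result["cert_requested"] = True                   # true even when the CA list is empty
            p = 1 + body[0]                                   # skip certificate_types
            p += 2 + struct.unpack(">H", body[p:p + 2])[0]    # skip signature_algorithms (TLS 1.2)
            dn_len = struct.unpack(">H", body[p:p + 2])[0]; p += 2; end = p + dn_len
            while p + 2 <= end:                               # each CA name: 2-byte length + DER DN
                p += 2 + struct.unpack(">H", body[p:p + 2])[0]
                result["ca_names"] += 1
    return result

def probe(host: str, port: int = 636, timeout: float = 5.0) -> dict:
    # Send the ClientHello and read the server flight up to ServerHelloDone or an alert.
    buf, r = b"", parse_server_flight(b"")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_client_hello())
        while not ("ServerHelloDone" in r["messages"] or r["alert"]):
            chunk = s.recv(65536)
            if not chunk: break
            buf += chunk; r = parse_server_flight(buf)
    return r   # compare this across DCs, e.g. probe("dc01.example.test") vs. the fast ones
```

Run `probe()` against the slow DC and a fast one: if only the slow DC returns `cert_requested` True, the difference is in its Schannel/LDAP configuration rather than in the clients, and the `ca_names` count tells you whether it is also pushing a trusted-issuer list.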
