JSI Tip 8184. A client computer cannot authenticate to a Windows 2000, or Windows Server 2003, domain controller by using LDAP over SSL?
June 22, 2004
When a client computer attempts to authenticate to a Windows 2000, or Windows Server 2003, domain controller by using LDAP (Lightweight Directory Access Protocol) over an SSL (Secure Sockets Layer) connection, the System event log on the client computer records:
Source: Schannel
Category: None
Event ID: 36876
Date: MM/DD/YYYY
Time: HH:MM:SS
User: N/A
Computer:
Description: The certificate received from the remote server has not validated correctly. The error code is 0x80090328. The SSL connection request has failed. The attached data contains the server certificate.
Error Code 0x80090328 = SEC_E_CERT_EXPIRED (Certificate is expired).
When the server receives a new certificate from the CA (Certification Authority) to replace the expired certificate, the above problem continues to occur.
This behavior occurs because LDAP caches the certificate on the server. It continues to use the cached certificate until you shut down and restart the server.
NOTE: See System Event ID 36876 when using LDAP SSL query of the Active Directory.
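The following PowerShell script is an added example and not part of the original tip: it shows the certificate a domain controller actually presents on LDAPS (TCP 636) and, when run on the DC itself, whether a newer valid Server Authentication certificate sits unused in the machine store, which is the cached-certificate condition the tip describes. The DC name is an assumed placeholder; the validation callback accepts any certificate only so that an expired one can be inspected.

```powershell
# Added example, not part of the original tip. Reports the certificate a DC
# presents on LDAPS and compares it with the LocalMachine\My store to show
# whether LDAP is still serving a cached, expired certificate.
param(
    [string]$DcName = 'dc01.example.com',  # assumed placeholder: your DC's FQDN
    [int]$Port = 636
)
$now = Get-Date
function Test-ServerAuthEku($cert) {
    # True if the certificate carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1).
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq '1.3.6.1.5.5.7.3.1') { return $true }
            }
        }
    }
    return $false
}

# Accept any certificate in the callback so an expired one (what Schannel
# rejects with 0x80090328) can still be inspected; nothing is trusted here.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$tcp = New-Object System.Net.Sockets.TcpClient($DcName, $Port)
try {
    $tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $tls.AuthenticateAsClient($DcName)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
    $tls.Dispose()
} finally {
    $tcp.Close()
}

"Presented on ${DcName}:${Port}"
"  Subject    : $($presented.Subject)"
"  Thumbprint : $($presented.Thumbprint)"
"  NotAfter   : $($presented.NotAfter)"
if ($presented.NotAfter -lt $now) {
    "  STATUS     : EXPIRED - clients log Schannel event 36876 with error 0x80090328"
}
# Run on the DC itself: valid Server Authentication certificates with a
# private key that LDAP could present instead of the expired one.
$valid = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt $now -and (Test-ServerAuthEku $_) } |
    Sort-Object NotAfter -Descending
if ($valid -and ($valid.Thumbprint -notcontains $presented.Thumbprint)) {
    "Store holds a valid certificate ($($valid[0].Thumbprint), expires $($valid[0].NotAfter))"
    "that LDAP is not presenting: the cached one is still in use; restart the DC."
}
```

The first part can be run from any Windows host that can reach the DC; the store comparison only makes sense on the domain controller, where an unused valid certificate alongside an expired presented one confirms that a restart is what clears the cache.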