IDP authentication problems with Server 2012

Chris Phillips Chris.Phillips at
Tue May 20 09:35:49 EDT 2014

Yes, but not just ADsvr2012, AD in general.

One thing to check is the certificate you have and what each of the DCs offer for the handshake.

They may offer different certs and one may not be in your IdP's Java keystore.
Also ensure the DNS resolution is what you expect it to be.
Do you override /etc/hosts? Do the pair of DCs respond to the same name?

Jacking up the log level for LDAP in the IdP will also highlight some of this.

Using openssl you can quickly eyeball the chain to check:

openssl s_client -showcerts -connect
On 2014-05-20, at 8:59 AM, Tim Larson wrote:

> Has anyone experience problems connecting the Shibboleth IDP to Active Directory running on Server 2012?
> We are running the Shibboleth 2.40 IDP and trying to authenticate against a Server 2012 Domain Controller. The exact same configuration works fine when connecting to a Server 2008 Domain Controller in the same AD Domain. We are connecting on the global catalog port 3269, but have tried the LDAP ports as well.
> Does anyone know of any services that changed with 2012 or levels of encryption supported that may be causing problems with authenticating against this version of Active Directory?
> Tim Larson
> University of Central Florida

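The checks Chris describes (which cert each DC behind the name presents, whether the IdP's Java keystore trusts its issuer), as an added shell example that is not part of the thread; the host names, keystore path and password are placeholders, and it assumes openssl, getent and keytool are on the path.

```shell
#!/bin/sh
# Added example, not from the thread: probe each address behind each DC name on the
# global catalog TLS port, show the chain it presents, and check the leaf issuer
# against the IdP's Java truststore. Host names, keystore path and password are placeholders.
PORT=3269
TRUSTSTORE=/opt/shibboleth-idp/credentials/ldap-truststore.jks   # assumed path
STOREPASS=changeit                                                # assumed password

# Every IPv4 address behind a name, so both DCs of a round-robin pair get probed.
resolved_ips() {
    getent ahostsv4 "$1" | awk '{ print $1 }' | sort -u
}
# Raw s_client output for one DC: -servername carries the name, -connect pins the address.
probe_dc() {
    openssl s_client -showcerts -servername "$1" -connect "$2:$PORT" </dev/null 2>/dev/null
}
# One line per chain entry, "<depth> subject=... issuer=...", from s_client output on stdin.
summarize_chain() {
    awk '/^ *[0-9]+ s:/ { depth = $1; sub(/^ *[0-9]+ s:/, ""); subj = $0 }
         /^ *i:/        { sub(/^ *i:/, ""); printf "%s subject=%s issuer=%s\n", depth, subj, $0 }'
}
# CN of the leaf certificate's issuer, the value to look for in the truststore.
leaf_issuer_cn() {
    summarize_chain | awk 'NR == 1 { sub(/.*issuer=.*CN *= */, ""); sub(/,.*/, ""); print }'
}
# SHA-256 fingerprint of the leaf; compare this between the 2008 and 2012 DCs.
leaf_fingerprint() {
    awk '/BEGIN CERTIFICATE/ { p = 1 } p { print } /END CERTIFICATE/ { exit }' \
        | openssl x509 -noout -fingerprint -sha256
}
# True if the IdP keystore holds an entry whose owner contains the given CN.
issuer_in_truststore() {
    keytool -list -v -keystore "$TRUSTSTORE" -storepass "$STOREPASS" 2>/dev/null \
        | grep -q "^Owner: .*CN=$1"
}

main() {
    for name in "$@"; do
        for ip in $(resolved_ips "$name"); do
            echo "== $name ($ip)"
            out=$(probe_dc "$name" "$ip")
            printf '%s\n' "$out" | summarize_chain
            printf '%s\n' "$out" | leaf_fingerprint
            cn=$(printf '%s\n' "$out" | leaf_issuer_cn)
            if issuer_in_truststore "$cn"; then echo "issuer '$cn' is in the truststore"
            else echo "issuer '$cn' NOT in truststore: likely cause of the failing handshake"; fi
        done
    done
}
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it as `sh probe-dcs.sh dc1.example.edu dc2.example.edu`; a leaf fingerprint or issuer that differs between the 2008 and 2012 DCs is the thing to compare against the IdP truststore.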
