topic Re: Unable to read rootDSE Error (LDAPs to Microsoft AD) in Network Security

Unable to read rootDSE Error (LDAPs to Microsoft AD)

latenaite2011 — Fri, 21 Feb 2020 16:09:37 GMT

Does anyone know how to fix this error below:

[-2147483518] Session Start
[-2147483518] New request Session, context 0x00007f8c52c4f7e8, reqType = Authentication
[-2147483518] Fiber started
[-2147483518] Creating LDAP context with uri=ldap://x.x.x.x:636
[-2147483518] Connect to LDAP server: ldap://x.x.x.x:636, status = Successful
[-2147483518] Unable to read rootDSE. Can't contact LDAP server.

I tried following this URL, https://paulgporter.net/2013/01/03/cisco-asa-ldap-ssl/, but it is not working and the URL is for OpenLDAP and not Microsoft LDAPs.

I followed this step when configuring LDAPs on the Microsoft Server:

https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-step-guide-to-setup-ldaps-on-windows-server/

Thanks!

Re: Unable to read rootDSE Error (LDAPs to Microsoft AD)

lisa1800 — Fri, 15 Mar 2019 21:12:27 GMT

I know this post is old, but I had a similar problem -- shows the 'Connect to LDAP Server... ' as successful, but fails with the 'Unable to read rootDSE.' error.

In my case I was missing the 'ldap-over-ssl enable' on my LDAPS aaa-server profile.

Re: Unable to read rootDSE Error (LDAPs to Microsoft AD)

lisa1800 — Fri, 15 Mar 2019 21:13:07 GMT

I know this post is old, but I had a similar problem -- shows the 'Connect to LDAP Server... ' as successful, but fails with the 'Unable to read rootDSE.' error.

In my case I was missing the 'ldap-over-ssl enable' on my LDAPS aaa-server profile.

Re: Unable to read rootDSE Error (LDAPs to Microsoft AD)

j.a.m.e.s — Mon, 21 Nov 2022 19:05:15 GMT

I know this is an old post, but I've hit it a few times and every time "Unable to read rootDSE" combined with the use of LDAPs turned out to be the ASA unable to reach the CRL service associated with the certificate coming back from the LDAPs server.

These debugs helped me:

debug ldap 255 - not that useful. Just showed "Unable to read rootDSE"
debug crypto ca 14 - showed the SSL negotiation, including the CRL checks
capture CAP1 interface inside match tcp any any eq 636 THEN copy /pcap capture CAP1 ... - showed the Domain Controller issuing a ServerHello so presumably it was happy with the ASA ciphers

I'm sure there are other reasons for "Unable to read rootDSE", but the above debugs will narrow it down.

Re: Unable to read rootDSE Error (LDAPs to Microsoft AD)

tfs128 — Thu, 08 Jun 2023 18:17:51 GMT

Error can be caused by cert verification failing due to weak algorithms: "crypto ca permit-weak-crypto" would override that check

Re: Unable to read rootDSE Error (LDAPs to Microsoft AD)

grrr — Fri, 20 Mar 2026 20:20:42 GMT

Thank you very much. Debugging the crypto ca 14 showed me the problem. The DC was presenting a cert signed by the default Windows Server CA, rather than the one generated by their PKI CA root which they had exported to me.

Thanks again!