4988 Views, 15 Helpful, 4 Replies

LDAP over SSL not working between ASA and AD server

RHLloydND
Level 1

Hello all.

We have configured clientless SSL WebVPN portal access on an ASA5525 using LDAP authentication with an AD server. Everything is fine until we enable LDAP over SSL to allow users to change an expired password. They just get a login error every time, even if their password is OK.

The systems team have installed the necessary certificate on the AD server.

In the ASDM log I get

AAA Marking LDAP server joffrey.pcmtu.keele.ac.uk in aaa-server group CTU_LDAP04 as FAILED
AAA Marking LDAP server 172.16.0.10 in aaa-server group CTU_LDAP04 as ACTIVE

On the ASA, I get the following debug ldap 255

[50] Session Start
[50] New request Session, context 0x00007fffddc99a60, reqType = Authentication
[50] Fiber started
[50] Creating LDAP context with uri=ldaps://172.16.0.10:636
[50] Connect to LDAP server: ldaps://172.16.0.10:636, status = Failed
[50] Unable to read rootDSE. Can't contact LDAP server.
[50] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[50] Session End

On the AD server, the systems team report TLS Fatal Alert Code 48 which is . . .

Received a valid certificate chain or partial chain, but the certificate was not accepted because the CA certificate could not be located or could not be matched with a known, trusted CA. This message is always fatal.

Can anyone shed some light on where we need to look?

Thanks. Richard.
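As an added example (not part of Richard's post, and not Cisco or Microsoft code), the helper below does the two things a practitioner would want to check before opening a case: it parses the `debug ldap 255` output quoted above into per-session records so a failed LDAPS connect stands out, and it decodes the TLS alert number the systems team reported. Alert 48 is `unknown_ca` in the RFC 5246 alert table, meaning whichever side sent it could not chain the certificate it was shown to a CA it trusts. The `probe_ldaps` function is an assumed client-side check, not anything the ASA runs: pointed at the AD server's port 636 with the CA file that signed the AD certificate, it verifies the chain from an independent client, which separates a genuine trust-store problem from the ASA-specific behaviour the thread ends up attributing to a software bug. The ASA log format is inferred only from the lines in the post.

```python
"""Triage helper for ASA 'debug ldap 255' output and LDAPS trust failures.

Added example, not from the thread or from Cisco. Alert names follow
RFC 5246 section 7.2.2; the ASA line format is inferred from the post.
"""
import re
import socket
import ssl
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# TLS AlertDescription values from RFC 5246 section 7.2.2.  48 (unknown_ca)
# is the alert reported on the AD server in the original post.
TLS_ALERTS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    22: "record_overflow", 30: "decompression_failure",
    40: "handshake_failure", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation", 110: "unsupported_extension",
}


def describe_alert(code: int) -> str:
    """Map a numeric TLS alert (as logged by Schannel or the ASA) to its name."""
    return TLS_ALERTS.get(code, f"unknown alert {code}")


@dataclass
class LdapSession:
    """One '[N]' session from the ASA debug output."""
    session_id: int
    uri: Optional[str] = None
    connect_status: Optional[str] = None
    exit_status: Optional[int] = None
    messages: List[str] = field(default_factory=list)

    @property
    def uses_ldaps(self) -> bool:
        return bool(self.uri and self.uri.startswith("ldaps://"))

    @property
    def failed(self) -> bool:
        return self.connect_status == "Failed" or (
            self.exit_status is not None and self.exit_status < 0)


_LINE = re.compile(r"^\[(\d+)\]\s+(.*)$")
_URI = re.compile(r"uri=(\S+)")
_CONNECT = re.compile(r"Connect to LDAP server: (\S+), status = (\w+)")
_EXIT = re.compile(r"Fiber exit .*status=(-?\d+)")


def parse_asa_ldap_debug(text: str) -> Dict[int, LdapSession]:
    """Group 'debug ldap 255' lines by session id and extract URI/status."""
    sessions: Dict[int, LdapSession] = {}
    for raw in text.splitlines():
        m = _LINE.match(raw.strip())
        if not m:
            continue
        sid, msg = int(m.group(1)), m.group(2)
        s = sessions.setdefault(sid, LdapSession(sid))
        s.messages.append(msg)
        if (u := _URI.search(msg)):
            s.uri = u.group(1)
        if (c := _CONNECT.search(msg)):
            s.uri, s.connect_status = c.group(1), c.group(2)
        if (e := _EXIT.search(msg)):
            s.exit_status = int(e.group(1))
    return sessions


def probe_ldaps(host: str, port: int = 636, cafile: Optional[str] = None,
                timeout: float = 5.0) -> dict:
    """Assumed client-side check: complete a TLS handshake to the LDAPS port
    and verify the server chain against `cafile` (or the system store).
    A verification failure here is the client-side counterpart of alert 48."""
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                return {"ok": True, "protocol": tls.version(),
                        "subject": cert.get("subject"), "issuer": cert.get("issuer")}
    except ssl.SSLCertVerificationError as exc:
        return {"ok": False, "reason": f"chain verification failed: {exc.verify_message}"}
    except (ssl.SSLError, OSError) as exc:
        return {"ok": False, "reason": str(exc)}


# The debug lines quoted in the original post, used as sample input.
DEBUG_FROM_POST = """
[50] Session Start
[50] New request Session, context 0x00007fffddc99a60, reqType = Authentication
[50] Fiber started
[50] Creating LDAP context with uri=ldaps://172.16.0.10:636
[50] Connect to LDAP server: ldaps://172.16.0.10:636, status = Failed
[50] Unable to read rootDSE. Can't contact LDAP server.
[50] Fiber exit Tx=0 bytes Rx=0 bytes, status=-2
[50] Session End
"""

if __name__ == "__main__":
    for s in parse_asa_ldap_debug(DEBUG_FROM_POST).values():
        print(f"session {s.session_id}: uri={s.uri} ldaps={s.uses_ldaps} "
              f"connect={s.connect_status} exit={s.exit_status} failed={s.failed}")
    print("AD-side alert 48 =", describe_alert(48))
    # Live check (network); replace with the real AD host and CA bundle:
    # print(probe_ldaps("172.16.0.10", 636, cafile="/path/to/ad-ca.pem"))
```

Run it as-is to see the parsed session from the post; uncomment the last line, with the real server and CA bundle, to test the chain from a workstation. If the probe verifies cleanly with the same CA the ASA trusts but the ASA still logs `status = Failed`, the certificate chain is not the variable to keep chasing.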

Accepted Solution

Marcin Latosiewicz
Cisco Employee

Richard, 

 

This could be due to:

https://tools.cisco.com/bugsearch/bug/CSCus71190/?reffering_site=dumpcr

M.


4 Replies


Moved to one of the versions that are known to work and the issue went away. Many thanks.

Hi!

How do I fix this bug if I use an old version of ASA? I have two identical 5510s on 8.4(4)1; one has this problem and the other one hasn't.

Reverting to 8.4.1 saved this situation.