find the client responsible for the schannel ldap error

active-directory schannel

Built-in you can't find easily the source of the message.

You need tcpdump, microsoft network monitor or wireshark to find the machine causing the error. (many thread told the same, there, there or there (See in the comment the answer to George about tcpdump))


If you are able to capture the traffic flowing to DC for analysis then you can use Wireshark's packet search to find certificates being presented.

This wireshark filter looks for certificate exchange and filters out anything issued by "LDAP SSL test", this would allow you to find certs not issued by your domain.

(ssl.handshake.type == 11) && !(x509sat.uTF8String == "LDAP SSL test")

I don't have an AD example to work on so that is using a standard LDAP over TLS pcap from the wireshark samples page.

Related

Two Ubuntu VM types on AWS - what's the difference?
How to add new persistent disk without rebooting the server?
Entering local admin username and password in a script
Simple solution to get notification when certain events appear in Windows logs [closed]
What triggers the usage of the negative time to live DNS SOA record value?
Does order of lines matter in Nginx?
Does a raid controller use cache in JBOD mode?
InnoDB: The innodb_system data file 'ibdata1' must be writable
How to restrict unauthorized domains pointing to my website's IP address
Are there any established patterns for installing a kill or on/off switch for user cron jobs?
Offline uncorrectable sectors in SSDs being used for ZFS L2ARC?
What exactly is a "transparent reverse proxy"?