LDAP Test Connection Fails with 'Certificate Revocation Validation Failure' Error

Issue

Navigate to LDAP Servers, open the active affected server, and click Test Connection. The error 'ldaps://dlvmdcrche01.ad.diligenta.co.uk:636/ Certificate revocation validation failure' appears.

Release

ALL

Cause

Diagnostic steps:
- Identify the MID Server associated with the affected LDAP server.
- Navigate to the affected MID Server record.
- Under Configuration Parameters, create the debug property mid.log.level with the value DEBUG.
- Click Grab the Agent Logs under Related Links.
- Go to the LDAP server record and replicate the issue by clicking Test Connection.
- Navigate to the ECC Queue.
- Locate the agent0.log0 file for the MID Server. You can also find it in the Agent Logs related list on the MID Server record.
- Find the output record in the ECC Queue corresponding to the time the issue was replicated.
- Copy the sys_id from the output record and search for it in the agent0.log0 file.
- Review the transaction logs in the agent logs. You will observe errors such as:

ERROR (Worker-Expedited:LDAPConnectionTesterProbe-381197e02bfb6210de3fff32ce91bfce) [DebugLogger:36] LDAP API - LDAPLogger : javax.net.ssl.SSLHandshakeException: Certificate revocation validation failure
javax.naming.CommunicationException: dlvmdcrche01.ad.diligenta.co.uk:636 [Root exception is javax.net.ssl.SSLHandshakeException: Certificate revocation validation failure]

Root cause:
- When using a MID Server for an SSL connection (HTTPS or LDAPS), the connection may fail with "Certificate revocation validation failure" even though the certificate is valid and not revoked.
- Disabling the certificate revocation policy for the MID Server (see the ServiceNow docs) allows the connection to establish as expected.
- The certificate is issued by an internal Certificate Authority running on Microsoft Active Directory Certificate Services.
- The MID Server validates certificate revocation status using the OCSP protocol and includes the nonce extension (defined in RFC 2560), which ties each OCSP response to the request that produced it. Microsoft Active Directory Certificate Services does not support this extension by default, so it returns UNAUTHORIZED for checks that require the nonce extension.

Resolution

1) Disable the revocation policies at https://XXXX.service-now.com/mid_cert_check_policy_list.do?sysparm_query=&sysparm_view= (where XXXX is your instance). With revocation policies disabled, the MID Server no longer checks the revocation status of certificates, which resolves this validation failure but also removes that check.

There are also two alternative solutions:

2) Enable nonce extension support in the Microsoft system as explained in https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-ocsp/a720a740-4b32-4051-9cb6-324390d02602. This configures the Microsoft OCSP responder to support the nonce extension, so the MID Server's certificate validation succeeds.

3) Use a public certificate for the endpoint. Public certificate authorities support the nonce extension, so the MID Server is able to verify the certificate.

KB: https://support.servicenow.com/kb?id=kb_article_view&sysparm_article=KB1209228
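The OCSP exchange described under Cause, as an added example that is not part of this KB or of the MID Server's code: it builds the nonce-bearing request the MID Server sends, feeds the same nonce to two constructed responders (one returning the bare UNAUTHORIZED status a default AD CS responder gives, one echoing the nonce with a GOOD status), and applies the client-side check that the nonce exists for. It assumes the `cryptography` Python package; the CA name and hostname are constructed.

```python
# Added example, not from the KB or ServiceNow: CA, leaf certificate and OCSP responders are constructed here.
import datetime as dt
import os
from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509 import ocsp
from cryptography.x509.oid import NameOID

def make_cert(cn, issuer=None, issuer_key=None):
    """Self-signed CA when no issuer is given, otherwise a leaf signed by that CA."""
    key, now = ec.generate_private_key(ec.SECP256R1()), dt.datetime.now(dt.timezone.utc)
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    cert = (x509.CertificateBuilder().subject_name(name).public_key(key.public_key())
            .issuer_name(issuer.subject if issuer else name).not_valid_before(now)
            .not_valid_after(now + dt.timedelta(days=1)).serial_number(x509.random_serial_number())
            .sign(issuer_key or key, hashes.SHA256()))
    return cert, key

def nonce_aware_reply(cert, issuer, issuer_key, nonce):
    """Constructed responder that supports nonces: GOOD status with the request nonce echoed."""
    now = dt.datetime.now(dt.timezone.utc)
    builder = ocsp.OCSPResponseBuilder().add_response(
        cert=cert, issuer=issuer, algorithm=hashes.SHA1(), cert_status=ocsp.OCSPCertStatus.GOOD,
        this_update=now, next_update=now + dt.timedelta(hours=1), revocation_time=None,
        revocation_reason=None)
    return (builder.responder_id(ocsp.OCSPResponderEncoding.HASH, issuer)
            .add_extension(x509.OCSPNonce(nonce), critical=False)
            .sign(issuer_key, hashes.SHA256()).public_bytes(serialization.Encoding.DER))

def diagnose(response_der, expected_nonce):
    """Turn a DER OCSP response into the finding a defender needs."""
    resp = ocsp.load_der_ocsp_response(response_der)
    if resp.response_status != ocsp.OCSPResponseStatus.SUCCESSFUL:
        return f"{resp.response_status.name}: responder refused the nonce request"
    nonces = [e.value.nonce for e in resp.extensions if isinstance(e.value, x509.OCSPNonce)]
    if nonces != [expected_nonce]:
        return "SUCCESSFUL but nonce missing or wrong: reject as a possible replay"
    return f"SUCCESSFUL, nonce verified, certificate {resp.certificate_status.name}"

def run_demo():
    # One nonce request, as the MID Server sends it, against a default AD CS-style responder and a nonce-aware one.
    ca, ca_key = make_cert("Constructed Internal CA")
    leaf, _ = make_cert("ldap.example.test", ca, ca_key)
    nonce = os.urandom(16)  # carried in the request as the RFC 2560 OCSPNonce extension
    req = (ocsp.OCSPRequestBuilder().add_certificate(leaf, ca, hashes.SHA1())
           .add_extension(x509.OCSPNonce(nonce), critical=False).build())
    unauth = ocsp.OCSPResponseBuilder.build_unsuccessful(ocsp.OCSPResponseStatus.UNAUTHORIZED)
    return {"request_has_nonce": any(isinstance(e.value, x509.OCSPNonce) for e in req.extensions),
            "adcs_default": diagnose(unauth.public_bytes(serialization.Encoding.DER), nonce),
            "nonce_aware": diagnose(nonce_aware_reply(leaf, ca, ca_key, nonce), nonce)}
```

Against a live responder, the same `diagnose` check applied to its reply tells you whether the fix belongs on the responder (option 2 or 3) or whether you are about to trade away revocation checking (option 1).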