Domino on Linux/Unix, Troubleshooting, Best Practices, Tips and more ...

    Secure LDAP to Active Directory fails with Domino 9.0.1 FP5 IF1 and higher

    Daniel Nashed  27 July 2016 08:21:25

    Domino 9.0.1 FP5 IF1 adds support for the Extended Master Secret extension with TLS 1.2.

    Windows 2008 R2 only supports TLS 1.0, but it still sends the Extended Master Secret extension in its server hello.
    Domino then fails to connect, because once the extension is offered Domino insists on using it.
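    As an added example (not code from the original post), a small Python parser that checks a ServerHello for exactly this combination: TLS 1.0 negotiated while the extended_master_secret extension (type 0x0017, RFC 7627) is still present. The sample record is constructed inline with a zeroed server random; a real one can be taken from a packet capture of the LDAPS handshake.

```python
import struct

EXTENDED_MASTER_SECRET = 0x0017  # extension type defined in RFC 7627


def parse_server_hello(record):
    """Parse one TLS record carrying a ServerHello.

    Returns (negotiated_version, cipher_suite, set_of_extension_types).
    """
    ctype, _rec_ver, rec_len = struct.unpack(">BHH", record[:5])
    if ctype != 22:  # content type 22 = handshake
        raise ValueError("not a handshake record")
    hs = record[5:5 + rec_len]
    if hs[0] != 2:  # handshake type 2 = server_hello
        raise ValueError("not a ServerHello")
    body = hs[4:4 + int.from_bytes(hs[1:4], "big")]
    version = struct.unpack(">H", body[:2])[0]
    pos = 2 + 32                                   # skip the 32-byte server random
    sid_len = body[pos]; pos += 1 + sid_len        # session id
    cipher = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
    pos += 1                                       # compression method
    exts = set()
    if pos < len(body):                            # extensions block is optional
        ext_total = struct.unpack(">H", body[pos:pos + 2])[0]; pos += 2
        end = pos + ext_total
        while pos < end:
            etype, elen = struct.unpack(">HH", body[pos:pos + 4])
            exts.add(etype)
            pos += 4 + elen
    return version, cipher, exts


def offers_ems_on_tls10(record):
    """True when the server picked TLS 1.0 (0x0301) yet still advertised EMS."""
    version, _cipher, exts = parse_server_hello(record)
    return version == 0x0301 and EXTENDED_MASTER_SECRET in exts


def build_sample_server_hello(version=0x0301, with_ems=True):
    """Constructed sample ServerHello (hypothetical, zeroed random) for offline testing."""
    ext = struct.pack(">HH", EXTENDED_MASTER_SECRET, 0) if with_ems else b""  # EMS data is empty
    body = (struct.pack(">H", version) + bytes(32) + b"\x00"     # version, random, empty session id
            + b"\x00\x2f" + b"\x00"                               # TLS_RSA_WITH_AES_128_CBC_SHA, null compression
            + (struct.pack(">H", len(ext)) + ext if ext else b""))
    hs = b"\x02" + len(body).to_bytes(3, "big") + body           # handshake header
    return b"\x16" + struct.pack(">HH", version, len(hs)) + hs    # record header


if __name__ == "__main__":
    print(offers_ems_on_tls10(build_sample_server_hello()))  # True: the Win 2008 R2 case
```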

    There is a work-around to disable this new functionality globally on the server via notes.ini:

    SSL_DISABLE_EXTENDED_MASTER_SECRET=1

    This is just a work-around; the real fix would be for Microsoft to provide a fix for Windows 2008 R2 so that it no longer sends the extension in the server hello.
    Later Windows versions support TLS 1.2 and do not have the issue.


    See the following technote for details -> http://www.ibm.com/support/docview.wss?uid=swg21987608

    -- Daniel

