We believe the problem is matching the TLS_CIPHER_SUITE line in the ldap.conf file with the cipher suite on the AD server. The pertinent output of the 'openssl s_client -showcerts -host hostname -port 636' command is:
SSL-Session:
Protocol : TLSv1.2
Cipher : ECDHE-RSA-AES256-SHA384
The error log follows:
12-02-2016 13:34:34.407 DEBUG ExecProcessor - PipelineSet 0: Created new ExecedCommandPipe for ""D:\Program Files\Splunk\bin\splunk-powershell.exe" --ps2", uniqueId=32
12-02-2016 13:34:34.537 WARN ScopedLDAPConnection - strategy="NAME" Bind took longer than seems reasonable (20005 milliseconds). Might indicate slow ldap server.
12-02-2016 13:34:34.537 ERROR ScopedLDAPConnection - strategy="NAME" Error binding to LDAP. reason="Can't contact LDAP server"
12-02-2016 13:34:34.537 DEBUG ScopedLDAPConnection - strategy="NAME" Successfully performed unbind
12-02-2016 13:34:34.537 ERROR AdminHandler:AuthenticationHandler - strategy="EPA" Error binding to LDAP. reason="Can't contact LDAP server"
12-02-2016 13:34:34.537 DEBUG HTTPServer - GET PARAMS: { }, POST PARAMS: { groupNameAttribute:cn, timelimit:15, bindDNpassword:********, sizelimit:30000, groupBaseDN:OU=redacted,OU=redacted,OU=redacted,OU=redacted,OU=redacted,DC=redacted,DC=redacted,DC=redacted,DC=redacted;OU=redacted,OU=redacted,OU=redacted,OU=redacted,OU=redacted,OU=redacted,DC=redacted,DC=redacted,DC=redacted,DC=redacted, network_timeout:20, userBaseFilter:, nestedGroups:0, realNameAttribute:cn, userNameAttribute:samaccountname, groupMappingAttribute:dn, emailAttribute:mail, port:636, groupBaseFilter:, bindDN:CN=redacted,OU=redacted,OU=redacted,OU=redacted,OU=redacted,OU=redacted,OU=redacted,DC=redacted,DC=redacted,DC=redacted,DC=redacted, order:1, userBaseDN:OU=redacted,DC=redacted,DC=redacted,DC=redacted,DC=redacted, dynamicGroupFilter:, dynamicMemberAttribute:, SSLEnabled:1, host:HOSTNAME, groupMemberAttribute:member, anonymous_referrals:1}
12-02-2016 13:34:34.537 INFO UserManager - Unwound user context: edward.wienholt -> NULL
12-02-2016 13:34:34.537 DEBUG InThreadActor - this=0000009117559BC0 waitForActorToComplete start actor=0000009123AAF720
12-02-2016 13:34:34.537 DEBUG InThreadActor - this=0000009117559BC0 waitForActorToComplete end actor=0000009123AAF720
12-02-2016 13:34:34.577 DEBUG ExecProcessor - PipelineSet 0: Got EOF from ""D:\Program Files\Splunk\bin\splunk-admon.exe"", uniqueId=29
12-02-2016 13:34:34.577 DEBUG Queue - insertAndClear: [success] loop count 0
12-02-2016 13:34:34.591 DEBUG Queue - insertAndClear: [success] loop count 1
12-02-2016 13:34:34.592 DEBUG EventLoop - Inside EventLoop::run() for thread=TcpChannelThread
12-02-2016 13:34:34.593 DEBUG InThreadActor - this=00000091193D1018 waitForActorToComplete start actor=0000009125F0F730
12-02-2016 13:34:34.593 DEBUG InThreadActor - this=00000091193D1018 waitForActorToComplete end actor=0000009125F0F730
12-02-2016 13:34:34.593 DEBUG UiPythonFallback - Decremented in-flight request count to 0 for appserver process at http://127.0.0.1:8065
12-02-2016 13:34:34.593 DEBUG InThreadActor - this=000000911DC43AF8 waitForActorToComplete start actor=0000009125F0FB30
12-02-2016 13:34:34.593 INFO WebUiAccess - 134.67.234.22 - edward.wienholt [02/Dec/2016:13:34:14.035 -0500] "POST /en-US/manager/hp_cde_monitoring/authentication/providers/LDAP/EPA HTTP/1.1" 200 174 "https://v18h1n-splunk.aa.ad.epa.gov:8000/en-US/manager/hp_cde_monitoring/authentication/providers/LDAP/EPA?action=edit&ns=system&uri=%2FservicesNS%2Fnobody%2Fsystem%2Fauthentication%2Fproviders%2FLDAP%2FNAME" "Mozilla/5.0 (Windows NT 6.3; WOW64; Trident/7.0; rv:11.0) like Gecko" - 8b17eb96e566643402e6edd741fa86ea 20558ms
12-02-2016 13:34:34.593 DEBUG InThreadActor - this=000000911DC43AF8 waitForActorToComplete end actor=0000009125F0FB30
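A local check of the hypothesis in the post above, added here as an example and not part of the original post: it reads the TLS_CIPHER_SUITE value from ldap.conf text and asks the local OpenSSL build (through Python's ssl module) whether that cipher string admits the cipher s_client reported. The sample ldap.conf contents and the function names are constructed, and the OpenSSL bundled with Splunk may expand a cipher string differently from the local build.

```python
import ssl

NEGOTIATED = "ECDHE-RSA-AES256-SHA384"  # cipher shown in the s_client output in the post

def tls_cipher_suite(conf_text):
    """Return the TLS_CIPHER_SUITE value from ldap.conf text, or None if unset."""
    value = None
    for raw in conf_text.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        # ldap.conf option names are case-insensitive.
        if parts[0].upper() == "TLS_CIPHER_SUITE" and len(parts) == 2:
            value = parts[1].strip()  # assumption: a later line replaces an earlier one
    return value

def expand(cipher_string):
    """Expand an OpenSSL cipher string using the local OpenSSL build."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.set_ciphers(cipher_string)
    except ssl.SSLError:  # the string selects no cipher in this build
        return []
    return [c["name"] for c in ctx.get_ciphers()]

def admits(conf_text, negotiated=NEGOTIATED):
    """True if the configured string (or the absence of one) allows the cipher."""
    spec = tls_cipher_suite(conf_text)
    return True if spec is None else negotiated in expand(spec)

# Constructed ldap.conf samples, not taken from the post.
SAMPLES = {
    "exact":     "# constructed\nTLS_REQCERT demand\nTLS_CIPHER_SUITE ECDHE-RSA-AES256-SHA384\n",
    "gcm_only":  "tls_cipher_suite ECDHE+AESGCM\n",
    "no_sha384": "TLS_CIPHER_SUITE HIGH:!SHA384\n",
    "unset":     "TLS_REQCERT demand\n",
}

if __name__ == "__main__":
    for label, text in SAMPLES.items():
        verdict = "admits" if admits(text) else "excludes"
        print(f"{label:10} {tls_cipher_suite(text)!s:28} {verdict} {NEGOTIATED}")
```

s_client reports only the cipher it negotiated, so an "excludes" result means that one cipher is ruled out by the client configuration, not that the server offers nothing else.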