Failure to "decode as" for LDAPS

edit

Yes I checked, as you can see from the image, Wireshark identifies by himself the Application Data Protocol. The packet view is always the same regardless of the "decode as" setting

As you can see, that field has "[]" around the name, this indicates its synthesized by Wireshark and can be set by a number of methods, often because of the port the TLS session is running on. This does not indicate a successful decryption.

You should configure Wireshark to create a TLS debug file (TLS preferences) and post that here.

I tried to create the TLS debug file, however the file is always empty. I'm using a "pre master secret log file" instead of RSA key list, could it be because of that?

What I can confirm is that I see the Client Random of the particular connection in the sslkeys file. I can also see that the TLS handshake contains the Client Key Exchange and the Server Key Exchange. At the end of the stream I see an Encrypted Alert, suggesting that the stream is indeed not decrypted - which sounds weird to me.

There are additional encrypted HTTPS stream on this capture, which are successfully decrypted. I have also validated the same as above.

I've never come across the TLS debug file not being created when required. The debug log doesn't care how the keying material is provided.

HTTPS isn't LDAPS. Are you capturing on the LDAP client, if so what application is making the connection to the LDAP server? If it's regular Windows apps or the OS, it's likely they're using SChannel for TLS which does NOT generate keying material for decryption.

The file is created, however no data is present. I'm capturing on a Netscaler, which can handle many types of protocols, like HTTPS and LDAP/LDAPS. So I have both protocols in the same capture, and also the keys for these connections. Note, I'm actually using the portable version of Wireshark, do you think that could have something to do with the debug file not outputing anything?