You think you have it all figured out until MegaCorp walks in with an Active Directory system that originated as a "Windows NT Domain Controller" and still can't handle TLS properly.