DimitarPeev-0341 asked

LDAPS setup failing with a general error

Hey everyone,

Trying to set up Azure AD DS LDAPS using this article with a self-signed certificate.
I have tried different passwords and export encryption for the PFX file and I am getting the error "Failed to configure secure LDAP for domain.com. Please check Activity log for more detail."

However, there is 0 information about the error in the Activity Logs.
I even enabled an additional log collection and there are simply no logs of this activity at all.

Any tips? Is password hash sync a prerequisite for LDAPS? I would prefer not to sync on-prem pass hashes and only use one cloud-only account (whose password should already be synced) to serve data to another service.


Any tips appreciated.

azure-ad-domain-services
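Added example (not from the original post or the linked article): a local check of the exported PFX before uploading it for Azure AD DS secure LDAP, so a bad export is caught here instead of surfacing as the generic portal error. The domain name, path and the check list are assumptions (the checks reflect the commonly documented requirements: private key present, name covers *.domain, server-authentication EKU, digital signature and key encipherment, currently valid); it needs the Windows PKI module for Get-PfxData.

```powershell
# Added example, not code from the original post or the linked article.
# Validates a PFX locally before it is uploaded as the Azure AD DS secure LDAP certificate.
# Assumptions: $PfxPath and $Domain are placeholders; the checks below are the commonly
# documented requirements, not an official list. Requires the PKI module (Get-PfxData).
param(
    [string]$PfxPath = "C:\certs\aadds-ldaps.pfx",   # placeholder path
    [string]$Domain  = "aaddscontoso.com"            # placeholder managed domain name
)

$password = Read-Host -AsSecureString -Prompt "PFX export password"
$pfx  = Get-PfxData -FilePath $PfxPath -Password $password   # throws on a wrong password
$cert = $pfx.EndEntityCertificates | Select-Object -First 1
if (-not $cert) { throw "PFX contains no end-entity certificate" }

$now      = Get-Date
$wildcard = "*.$Domain"
$serverAuthOid = "1.3.6.1.5.5.7.3.1"   # id-kp-serverAuth
$kuFlags  = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]
$keyUsage = ($cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
    Select-Object -First 1).KeyUsages   # $null if the extension is absent

$checks = [ordered]@{
    "Private key included in PFX"        = $cert.HasPrivateKey
    "Subject or SAN covers $wildcard"    = ($cert.Subject -match [regex]::Escape("CN=$wildcard")) -or
                                           ($cert.DnsNameList.Unicode -contains $wildcard)
    # No EKU extension means "any purpose", so that also passes.
    "EKU includes Server Authentication" = ($cert.EnhancedKeyUsageList.Count -eq 0) -or
                                           ($cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
    "Key usage: DigitalSignature"        = [bool]($keyUsage -band $kuFlags::DigitalSignature)
    "Key usage: KeyEncipherment"         = [bool]($keyUsage -band $kuFlags::KeyEncipherment)
    "Currently within validity period"   = ($cert.NotBefore -le $now) -and ($cert.NotAfter -gt $now)
    "Not signed with SHA-1"              = $cert.SignatureAlgorithm.FriendlyName -notmatch "sha1"
}

$failed = @()
foreach ($name in $checks.Keys) {
    $ok = [bool]$checks[$name]
    "{0,-38} {1}" -f $name, $(if ($ok) { "PASS" } else { "FAIL" })
    if (-not $ok) { $failed += $name }
}
if ($failed) { Write-Warning ("Fix before upload: " + ($failed -join "; ")) }
```

If every line reports PASS and the upload still fails, the remaining variables are the export itself (password, encryption) and the domain name, which is what a support case would look at.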

eringreenlee answered

Noted about the activity log details -- that is misleading and we should fix that :)

For the cert upload problem, it's hard to say what is going wrong without knowing more specifically about your certificate and domain name. I suggest opening up a support case for assistance with that.

For your second question -- short answer is yes and no, hehe. If you expect any on-prem user to use LDAPs in any way, you need password hash sync. Since you are using only cloud users for LDAP turning on password hash sync will not be necessary, but I would say that your scenario is pretty unique. For you I would also recommend configuring scoped-sync to sync only that user into AAD-DS to avoid syncing unnecessary objects into AAD-DS.

However, if you are already syncing on-prem passwords into AAD using AAD Connect, when you turn on AAD-DS the password hashes we use for AAD-DS WILL sync to AAD. This goes for all passwords being synced regardless of whether or not the user is synced to AAD-DS. If you do not already sync passwords then you do not need to do so if you plan to use only your cloud account.

Erin Greenlee
Program Manager
Azure AD Domain Services


DimitarPeev-0341 answered

Hey Erin, thanks for the information and answers!

Since we're using a sub with no tech support, I decided to see if there really is no place to check the error. :)
The cert is a self-signed one (since our *.domain external cert is uh... well hard to obtain), made exactly as the article says and the domain is not the onmicrosoft one, it's our company domain. Tried several encryption algorithms for the export, long and short passwords and nothing works.

Could you guys enhance the errors somehow and expose them to us?

As for the password sync - is there a way to actually check if passwords are synced when ADDS is concerned?
We had AAD Connect set up for quite a while with PW Hash Sync, DS is something new that we've added and the hint to "enable password sync" is there from the get-go and still there.
So if there is some way to check PW Hash sync to ADDS, then perhaps it should do it on its own and not ask me to set up sync.

In any case, the plan is to only have 1 cloud-only account to access the LDAPs on the DS instance.
