AAD DS LDAPS cannot connect

Jorge Alvarez 1 Reputation point
2021-03-11T04:46:33.9+00:00

Hello,

I'm trying to get AAD DS LDAPS working for me, I'm not really interested in the vnet side of the services, but the public IP LDAPS.

I followed the guide:

https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps

but LDAP.exe states it cannot connect:

ld = ldap_sslinit("ldaps.gain-i.com", 636, 1);
Error <0x51> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
Error <0x51> = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to ldaps.gain-i.com.

The certificate is self-signed as stated in the guide, and the IP and host name have been added to the hosts file. The cert, as stated in the guide, is a wildcard for the domain.

Rules are fine on the NSG and Test-NetConnection comes back true to port 636.


2 answers

  1. James Hamil 21,851 Reputation points Microsoft Employee
    2021-03-16T18:02:43.597+00:00

    Hi @Jorge Alvarez ,

    Jason from our team recommends you try from the VNET to confirm it isn't networking.

    The name needs to match the AADDS DNS name for the subject name match. Just to clarify this a bit, we would like you to work through the different aspects of getting the connection:

    1) configuring the domain controller,
    2) configuring the client,
    3) networking, and
    4) establishing the TLS session.

    For configuration, the DC will use the ADDS domain name (not the AAD domain name) for looking in its cert store for the certificate. For the most part, we orchestrate putting the certificate in the right place and let Windows Server do its thing. So there can’t be any spelling mistakes, or the DC won’t select the certificate. The client attempts to establish the TLS connection using the name provided by the customer. So the traffic needs to get all the way through. The DC sends the public key of the server auth cert. The cert needs to have the right usage in the certificate, the name signed in the subject name must be compatible for the client to trust that the server is the DNS name which you’re connecting to (i.e. a wildcard is good enough and no spelling mistakes), and the client must trust the issuer. Problems in that chain will be logged in the SCHANNEL logs of the client (System?). Once those pieces are in place they form a session key. I’m assuming you aren't trying client auth over SSL. That would complicate the issue.

    We hope this helps. If so, please mark the answer as "Verified" so other users may reference it.

    Thank you,
    James

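The staged check James describes (networking, then TLS trust, then subject-name match) as an added Python example; this is not code from the thread or from the Azure docs. It assumes the server name and a constructed wildcard certificate in the shape returned by `ssl.SSLSocket.getpeercert()`, and that the issuing cert is supplied via `cafile` when the LDAPS cert is self-signed.

```python
import socket
import ssl

# Constructed sample in the dict shape ssl.getpeercert() returns; the names
# mirror the question (assumption, not a real certificate).
SAMPLE_CERT = {
    "subject": ((("commonName", "*.gain-i.com"),),),
    "subjectAltName": (("DNS", "*.gain-i.com"),),
    "issuer": ((("commonName", "gain-i.com"),),),
}

def names_in_cert(cert):
    """DNS names the cert claims: SAN entries first, subject CN as fallback."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            names += [v for k, v in rdn if k == "commonName"]
    return names

def name_matches(pattern, hostname):
    """Single-label wildcard: *.gain-i.com covers ldaps.gain-i.com, not a.b.gain-i.com."""
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return (hostname.count(".") == pattern.count(".")
                and hostname.endswith(pattern[1:]))
    return pattern == hostname

def cert_covers_host(cert, hostname):
    return any(name_matches(n, hostname) for n in names_in_cert(cert))

def diagnose(hostname, port=636, cafile=None, timeout=5.0):
    """Return (stage, detail): which of the answer's stages fails first."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False  # name match is reported separately below
    try:
        sock = socket.create_connection((hostname, port), timeout=timeout)
    except OSError as e:  # NSG, routing, hosts file: traffic never arrived
        return ("networking", str(e))
    with sock:
        try:
            tls = ctx.wrap_socket(sock, server_hostname=hostname)
        except ssl.SSLCertVerificationError as e:  # issuer not trusted
            return ("issuer_trust", e.verify_message)
        except ssl.SSLError as e:  # handshake failed before a cert was checked
            return ("tls_handshake", str(e))
        with tls:
            names = names_in_cert(tls.getpeercert())
    if not cert_covers_host({"subjectAltName": [("DNS", n) for n in names]}, hostname):
        return ("name_mismatch", names)
    return ("ok", names)
```

A `networking` result points at NSG/hosts-file issues, `issuer_trust` at the client's trust store, and `name_mismatch` at the subject name the DC selected; the SCHANNEL event log on the client shows the same failure from the Windows side.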

  2. Justinha 1 Reputation point Microsoft Employee
    2021-04-26T19:22:48.733+00:00

    We added this in a new Troubleshooting section at the end of the topic. Thanks again for the feedback!

    Justin [Microsoft]
