question

0 Votes
jalvarezv asked

AAD DS LDAPS cannot connect

Hello,

I'm trying to get AAD DS LDAPS working. I'm not really interested in the VNet side of the service, but in the public IP LDAPS.

I followed the guide:

https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps

but LDAP.exe states it cannot connect:

ld = ldap_sslinit("ldaps.gain-i.com", 636, 1);
Error <0x51> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
Error <0x51> = ldap_connect(hLdap, NULL);
Server error: <empty>
Error <0x51>: Fail to connect to ldaps.gain-i.com.

The certificate is self-signed as stated in the guide, and the IP and host name have been added to the hosts file. The cert, as stated in the guide, is a wildcard for the domain.

Rules are fine on the NSG, and Test-NetConnection comes back true for port 636.

azure-ad-domain-services

Hi @jalvarezv , we are looking into this and expect to have a solution shortly. Sorry for the delay!

Best,
James

0 Votes

1 Answer

0 Votes
JamesHamil-MSFT answered

Hi @jalvarezv ,

Jason from our team recommends you try from the VNET to confirm it isn't networking.

The name needs to match the AADDS DNS name for the subject name match. Just to clarify this a bit, we would like you to work through the different aspects of getting the connection:

1) configuring the domain controller,
2) configuring the client,
3) networking, and
4) establishing the TLS session.

For configuration, the DC will use the ADDS domain name (not the AAD domain name) when looking in its cert store for the certificate. For the most part, we orchestrate putting the certificate in the right place and let Windows Server do its thing. So there can’t be any spelling mistakes, or the DC won’t select the certificate. The client attempts to establish the TLS connection using the name provided by the customer. So the traffic needs to get all the way through. The DC sends the public key of the server auth cert. The cert needs to have the right usage in the certificate, the name signed in the subject name must be compatible for the client to trust that the server is the DNS name which you’re connecting to (i.e. a wildcard is good enough and no spelling mistakes), and the client must trust the issuer. Problems in that chain will be logged in the SCHANNEL logs of the client (System?). Once those pieces are in place they form a session key. I’m assuming you aren't trying client auth over SSL. That would complicate the issue.

We hope this helps. If so, please mark the answer as "Verified" so other users may reference it.

Thank you,
James
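A staged check of the kind the answer describes (reachability, then a verified TLS handshake, with the failure classified as a name, trust or network problem), added here as an illustration and not part of the original thread or of any Microsoft tooling. It assumes Python 3.7+, a host name you pass in, and an optional PEM file holding the self-signed LDAPS certificate from the guide; the domain names used are the ones from the question.

```python
import socket
import ssl
from typing import Optional


def name_matches(cert_name: str, host: str) -> bool:
    """RFC 6125-style DNS name match: exact, or a wildcard that is the whole
    left-most label and covers exactly one label. So *.gain-i.com covers
    ldaps.gain-i.com but not gain-i.com or a.b.gain-i.com."""
    cert_name, host = cert_name.lower().rstrip("."), host.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return cert_name == host
    return host.endswith(cert_name[1:]) and host.count(".") == cert_name.count(".")


def classify_tls(host: str, port: int = 636, cafile: Optional[str] = None,
                 timeout: float = 5.0) -> str:
    """Stages 3 and 4 of the answer's checklist: TCP reachability, then a fully
    verified TLS handshake. Returns a one-line verdict instead of raising.
    cafile: PEM file with the self-signed LDAPS cert from the guide, if the
    client is meant to trust it (path supplied by the caller, not assumed)."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return f"network: cannot reach {host}:{port} ({e})"
    ctx = ssl.create_default_context(cafile=cafile)  # verifies chain and name
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            dns_names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
            return f"ok: {tls.version()} established, cert covers {dns_names}"
    except ssl.SSLCertVerificationError as e:
        # verify_code follows OpenSSL X509_V_ERR_*: 62 is a hostname mismatch,
        # 18-21 mean the issuer is not in the client's trust store.
        if e.verify_code == 62:
            return f"name: certificate does not cover {host} ({e.verify_message})"
        if e.verify_code in (18, 19, 20, 21):
            return f"trust: issuer not trusted by client ({e.verify_message})"
        return f"cert: {e.verify_message} (X509 code {e.verify_code})"
    except ssl.SSLError as e:
        return f"tls: handshake failed before the certificate check ({e})"
    except OSError as e:
        return f"network: connection dropped during handshake ({e})"
    finally:
        sock.close()  # no-op once wrap_socket has detached the socket


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "ldaps.gain-i.com"
    print(classify_tls(target, cafile=sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it first from a VM inside the VNet and then from outside; a "network" verdict in one place and a "name" or "trust" verdict in the other separates the NSG question from the certificate question.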
