TomMason-6030 asked:

Azure ADDS (Active Directory Domain Services) - LDAPS Channel Binding

Hi,

I have configured a new instance of Azure Active Directory Domain Services.

I have also set up LDAPS, reset my users' passwords and tested the solution using the LDP.exe tool.

I have an application that I know does not support LDAPS channel binding.

On physical domain controllers I know we can disable this using the registry.

How can I tell if LDAPS channel binding is enabled or enforced on my Azure ADDS instance?

Is there a way I can disable channel binding on the Azure ADDS instance?


Tags: windows-active-directory, azure-ad-domain-services

LeilaKong-MSFT answered:

Hi @TomMason-6030 ,

Thanks for your query.

By default, secure LDAP access to your managed domain is disabled. You can check the following tutorial for reference:
https://docs.microsoft.com/en-au/azure/active-directory-domain-services/tutorial-configure-ldaps

[attached screenshot: 200205-enable-secure-ldap.png]


Best regards,
Leila



TomMason-6030 answered:

Hi,

Yes, I'm aware that you can enable secure LDAP.
As I have stated above I have already configured this and tested it.

My question is:

Is LDAPS channel binding required using the Azure-ADDS solution?

LeilaKong-MSFT commented:

Hi @TomMason-6030,

Thanks for your response.

LDAPS channel binding is not enforced for Azure AD DS. You may change to Disable under Secure LDAP.
Using LDAP with Azure AD DS is the only method to connect LDAP to Azure and it’s a tenuous one at best. It does not allow for full utilization of LDAP or Azure features, so it’s really just a bandaid for organizations too stubborn to rework their network infrastructure.
https://www.securew2.com/blog/use-azure-ad-ldap

Please Note: Since the web site is not hosted by Microsoft, the link may change without notice. Microsoft does not guarantee the accuracy of this information.

TomMason-6030 answered:

Thank you kindly for getting back to me.
After further investigation of the software in question, I found that channel binding was not the issue and that support for DIGEST-MD5 SASL bind was not working as expected.

I assume this is not supported on Azure ADDS (it works normally for standard domain controllers).

I've managed to implement a workaround for now using Simple Bind over LDAPS.

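An added check, not from the thread and not Microsoft's code, for the point the last two posts converge on: whether the managed domain advertises DIGEST-MD5 at all, and whether a simple bind and a DIGEST-MD5 bind over LDAPS actually succeed. It is PowerShell on top of System.DirectoryServices.Protocols; the $Server value, the credential and the user@domain account form are placeholders and assumptions for your own Secure LDAP endpoint.

```powershell
# Added diagnostic (not from the thread or Microsoft): ask the managed domain which
# SASL mechanisms it advertises, then try the two bind types the thread discusses.
# Assumptions: $Server is the Secure LDAP DNS name you published (placeholder),
# port 636, and the account's password was reset after Secure LDAP was enabled.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server = 'ldaps.aadds.example.com'   # placeholder: your Secure LDAP endpoint
$Cred   = Get-Credential -Message 'Account for the bind test (user@domain)'

function New-LdapsConnection([string]$AuthType) {
    # $true = treat $Server as a fully qualified host name, $false = TCP (not connectionless UDP)
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 636, $true, $false)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS on 636, not StartTLS
    $conn.SessionOptions.ProtocolVersion   = 3
    # Default certificate validation stays on: a simple bind sends the password in
    # clear inside the TLS tunnel, so the tunnel must terminate at the right server.
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]$AuthType
    $conn.Credential = $Cred.GetNetworkCredential()
    return $conn
}

function Test-Bind([string]$AuthType) {
    $conn = New-LdapsConnection $AuthType
    try     { $conn.Bind(); "$AuthType bind: OK" }
    catch   { "$AuthType bind: FAILED - $($_.Exception.Message)" }
    finally { $conn.Dispose() }
}

# 1. Which SASL mechanisms does the server advertise? (rootDSE, read after a simple bind)
$conn = New-LdapsConnection 'Basic'
$conn.Bind()
$req   = [System.DirectoryServices.Protocols.SearchRequest]::new('', '(objectClass=*)', 'Base', 'supportedSASLMechanisms')
$resp  = $conn.SendRequest($req)
$mechs = $resp.Entries[0].Attributes['supportedSASLMechanisms'].GetValues([string])
$conn.Dispose()
"Advertised SASL mechanisms: $($mechs -join ', ')"
"DIGEST-MD5 advertised: $($mechs -contains 'DIGEST-MD5')"

# 2. Does each bind type actually succeed against this endpoint?
Test-Bind 'Basic'    # simple bind over LDAPS (the workaround in the last post)
Test-Bind 'Digest'   # SASL DIGEST-MD5 (what the application expected)
```

The Digest attempt depends on the client library being able to derive a realm from the credential, so a failure there should be read together with the advertised-mechanism list rather than on its own.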