Configure secure LDAP (LDAPS) for an Azure AD Domain Services managed domain

Before you begin

Ensure you've completed Task 2 - export the secure LDAP certificate to a .PFX file.

Task 3 - enable secure LDAP for the managed domain using the Azure portal

To enable secure LDAP, perform the following configuration steps:

  1. Navigate to the Azure portal.

  2. Search for 'domain services' in the Search resources search box. Select Azure AD Domain Services from the search result. The Azure AD Domain Services page lists your managed domain.

    Find managed domain being provisioned

  3. Click the name of the managed domain (for example, 'contoso100.com') to see more details about the domain.

    Domain Services - provisioning state

  4. Click Secure LDAP on the navigation pane.

    Domain Services - Secure LDAP page

  5. By default, secure LDAP access to your managed domain is disabled. Toggle Secure LDAP to Enable.

    Enable secure LDAP

  6. By default, secure LDAP access to your managed domain over the internet is disabled. Toggle Allow secure LDAP access over the internet to Enable, if desired.

    Warning

    When you enable secure LDAP access over the internet, your domain is susceptible to password brute force attacks over the internet. Therefore, we recommend setting up an NSG to lock down access to required source IP address ranges. See the instructions to lock down LDAPS access to your managed domain over the internet.

  7. Click the folder icon following .PFX file with secure LDAP certificate. Specify the path to the PFX file with the certificate for secure LDAP access to the managed domain.

  8. Specify the Password to decrypt .PFX file. Provide the same password you used when exporting the certificate to the PFX file.

  9. When you are done, click the Save button.

  10. You see a notification that informs you secure LDAP is being configured for the managed domain. Until this operation is complete, you cannot modify other settings for the domain.

    Configuring secure LDAP for the managed domain

Note

It takes about 10 to 15 minutes to enable secure LDAP for your managed domain. If the certificate you provide does not meet the required criteria (for example, its Subject or Subject Alternative Name does not match the DNS name you will connect to, or the certificate has already expired or is about to expire), secure LDAP is not enabled for the managed domain and the operation reports a failure. In that case, retry with a valid certificate.


Task 4 - configure DNS to access the managed domain from the internet

Note

Optional task - If you do not plan to access the managed domain using LDAPS over the internet, skip this configuration task.

Before you begin this task, ensure you have completed the steps outlined in Task 3.

Once you have enabled secure LDAP access over the internet for your managed domain, you need to update DNS so that client computers can find the managed domain. When Task 3 completes, the Properties tab of the managed domain shows an external IP address under EXTERNAL IP ADDRESS FOR LDAPS ACCESS.

Configure your external DNS provider so that the DNS name clients will use for secure LDAP points to this external IP address. This name must match the Subject or Subject Alternative Name in the secure LDAP certificate (for example, 'ldaps.contoso100.com'), because clients validate the certificate against the name they connect to. For example, create the following DNS entry:

ldaps.contoso100.com  -> 52.165.38.113

That's it - you are now ready to connect to the managed domain using secure LDAP over the internet.

Warning

Remember that client computers must trust the issuer of the LDAPS certificate to be able to connect successfully to the managed domain using LDAPS. If you are using a publicly trusted certification authority, you do not need to do anything since client computers trust these certificate issuers. If you are using a self-signed certificate, install the public part of the self-signed certificate into the trusted certificate store on the client computer.

Task 5 - lock down secure LDAP access to your managed domain over the internet

Note

If you have not enabled LDAPS access to the managed domain over the internet, skip this configuration task.

Before you begin this task, ensure you have completed the steps outlined in Task 3.

Exposing your managed domain for LDAPS access over the internet enlarges its attack surface: the managed domain accepts connections from any internet address on the secure LDAP port (TCP 636). You can therefore restrict access to the managed domain to specific known IP addresses. To do so, create a network security group (NSG) and associate it with the subnet in which you have enabled Azure AD Domain Services.

The following table illustrates a sample NSG you can configure to lock down secure LDAP access over the internet. The NSG contains a rule that allows inbound secure LDAP access over TCP port 636 only from a specified set of source IP addresses. The built-in DenyAllInBound rule (priority 65500) then applies to all other inbound traffic from the internet. The allow rule for LDAPS has a lower priority number than the DenyAllInBound rule; NSG rules are evaluated from the lowest number upwards, so the allow rule is matched first for the listed addresses and the deny rule catches everything else.

Sample NSG to secure LDAPS access over the internet

More information - Network security groups.
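The sample NSG described above, expressed with the Az PowerShell module, as an added example that is not part of the original article or of Azure AD Domain Services itself. The resource group, location, virtual network and subnet names, the NSG name and the two allowed source ranges are assumptions; substitute the values for the subnet on which your managed domain is enabled.

```powershell
# Added example (not from the original article): create an NSG that allows inbound
# LDAPS (TCP 636) only from known source ranges and attach it to the Azure AD DS subnet.
# All names and address ranges below are assumptions; replace them with your own.
$resourceGroup  = 'rg-aadds'
$location       = 'westus'
$vnetName       = 'vnet-aadds'
$subnetName     = 'subnet-aadds'      # the subnet Azure AD Domain Services is enabled on
$nsgName        = 'nsg-aadds-ldaps'
$allowedSources = @('203.0.113.0/24', '198.51.100.17/32')   # office / VPN egress ranges (assumed)

# Allow rule: lower priority number than the built-in DenyAllInBound (65500), so it is
# evaluated first and only the listed sources may reach TCP 636.
$ldapsRule = New-AzNetworkSecurityRuleConfig -Name 'AllowLDAPSFromKnownRanges' `
    -Description 'Inbound secure LDAP (TCP 636) from approved source ranges only' `
    -Access Allow -Protocol Tcp -Direction Inbound -Priority 100 `
    -SourceAddressPrefix $allowedSources -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 636

$nsg = New-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Location $location `
    -Name $nsgName -SecurityRules $ldapsRule

# Associate the NSG with the managed domain's subnet. Every NSG already carries the
# default rules (AllowVnetInBound, AllowAzureLoadBalancerInBound, DenyAllInBound), so
# internet traffic that matches no explicit allow rule is dropped.
$vnet   = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $resourceGroup
$subnet = Get-AzVirtualNetworkSubnetConfig -Name $subnetName -VirtualNetwork $vnet
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnetName `
    -AddressPrefix $subnet.AddressPrefix -NetworkSecurityGroup $nsg | Out-Null
$vnet | Set-AzVirtualNetwork | Out-Null

# Show the effective inbound rule set, custom and default, in evaluation order.
$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup
@($nsg.SecurityRules; $nsg.DefaultSecurityRules) |
    Where-Object Direction -eq 'Inbound' |
    Sort-Object Priority |
    Format-Table Name, Priority, Access, Protocol, SourceAddressPrefix, DestinationPortRange
```

Before associating the NSG, check the currently documented inbound rules that Azure AD Domain Services needs for its own management traffic to the subnet, and add them alongside the LDAPS rule; otherwise the DenyAllInBound rule blocks that traffic as well as unwanted LDAPS clients. Keep the source list as tight as you can: a /32 per egress address is preferable to a broad range, and '*' or 'Internet' as the source defeats the purpose of the rule.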


Troubleshooting

If you have trouble connecting to the managed domain using secure LDAP, perform the following troubleshooting steps:

  • Ensure that the issuer chain of the secure LDAP certificate is trusted on the client. If it is not, add the root certification authority (or, for a self-signed certificate, the certificate itself) to the trusted root certificate store on the client to establish the trust.
  • Verify that the LDAP client (for example, ldp.exe) connects to the secure LDAP endpoint using its DNS name, not the IP address: the TLS handshake validates the certificate against the name the client connected to, and the certificate does not contain the IP address.
  • Verify that the DNS name the LDAP client connects to resolves to the public IP address shown for secure LDAP on the managed domain.
  • Verify that the secure LDAP certificate for your managed domain has that DNS name in the Subject or the Subject Alternative Names attribute.
  • If you are connecting via secure LDAP over the internet, ensure that the NSG on the managed domain's subnet allows inbound traffic to TCP port 636 from the public IP address your client connects from.
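The checks in the list above, run from the client as a script, as an added example that is not part of the original article and not a Microsoft-supplied tool. It resolves the LDAPS name, tests TCP 636, retrieves the server certificate and checks its names and chain against the local store, and optionally performs a real LDAPS bind (the same thing ldp.exe does after Connect and Bind). The host name 'ldaps.contoso100.com' and the expected address 52.165.38.113 are the article's sample values and are assumptions here; the bind credential is assumed to be a UPN in the managed domain.

```powershell
# Added example (not from the original article): walk through the troubleshooting checks
# against a managed domain's LDAPS endpoint. Host name, expected IP and bind account are
# assumptions; substitute your own values.
param(
    [string]$LdapsHost  = 'ldaps.contoso100.com',   # always the DNS name, never the IP
    [string]$ExpectedIp = '52.165.38.113',          # EXTERNAL IP ADDRESS FOR LDAPS ACCESS
    [int]$Port = 636,
    [pscredential]$BindCredential                   # optional: UPN + password to test a bind
)

# 1. DNS: the name must resolve to the external LDAPS address of the managed domain.
$addresses = @((Resolve-DnsName -Name $LdapsHost -Type A -ErrorAction Stop).IPAddress)
if ($addresses -notcontains $ExpectedIp) {
    Write-Warning "$LdapsHost resolves to $($addresses -join ', '); expected $ExpectedIp"
}

# 2. Network path: TCP 636 must be open from this client's public IP (NSG allow rule).
if (-not (Test-NetConnection -ComputerName $LdapsHost -Port $Port -InformationLevel Quiet)) {
    throw "TCP $Port to $LdapsHost is not reachable; check the NSG rule for your source IP."
}

# 3. TLS: fetch the server certificate. The callback accepts any certificate so that the
#    name and chain can be examined explicitly below instead of failing in the handshake.
$accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tcp = [System.Net.Sockets.TcpClient]::new($LdapsHost, $Port)
$ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($LdapsHost)
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Dispose()

"Subject : $($cert.Subject)"
"Issuer  : $($cert.Issuer)"
"Expires : $($cert.NotAfter)"
$names = @($cert.DnsNameList.Unicode)             # SAN dNSName entries (falls back to CN)
"Names   : $($names -join ', ')"

# 3a. Name check: Subject/SAN must cover the DNS name. A wildcard covers one label only.
$parent = $LdapsHost -replace '^[^.]+\.', ''
$nameOk = $names | Where-Object { $_ -eq $LdapsHost -or $_ -eq "*.$parent" }
if (-not $nameOk) {
    Write-Warning "Certificate does not cover $LdapsHost; reissue it with that name in the SAN."
}
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate expires on $($cert.NotAfter); renew and re-upload it."
}

# 3b. Chain check: the issuer chain must be trusted by this client's certificate store.
$chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
if (-not $chain.Build($cert)) {
    $reasons = ($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '
    Write-Warning "Chain not trusted on this client ($($reasons.Trim())); install the root CA."
}

# 4. Optional: a real LDAPS bind over port 636 with simple (Basic) authentication.
if ($BindCredential) {
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($LdapsHost, $Port, $true, $false)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $BindCredential.GetNetworkCredential()
    $conn.Bind()                                     # throws LdapException on failure
    "Bind as $($BindCredential.UserName) over LDAPS succeeded"
    $conn.Dispose()
}
```

Run it as `.\Test-Ldaps.ps1 -LdapsHost ldaps.contoso100.com -ExpectedIp 52.165.38.113 -BindCredential (Get-Credential)`; each warning maps to one bullet in the list above, and the output of step 3 (subject, issuer, expiry, names) is the information the product team asks for alongside the ldp.exe screenshot.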

If you still have trouble connecting to the managed domain using secure LDAP, contact the product team for help. Include the following information to help diagnose the issue better:

  • A screenshot of ldp.exe making the connection and failing.
  • Your Azure AD tenant ID, and the DNS domain name of your managed domain.
  • Exact user name that you are trying to bind as.