Azure AD Domain Services - Troubleshooting Secure LDAP configuration
This article provides resolutions for common issues when configuring secure LDAP for Azure AD Domain Services.
AADDS101: Secure LDAP Network Security Group configuration
Secure LDAP over the internet is enabled for the managed domain. However, access to port 636 is not locked down using a network security group. This may expose user accounts on the managed domain to password brute-force attacks.
Secure LDAP port
When secure LDAP is enabled, we recommend creating additional rules to allow inbound LDAPS access only from certain IP addresses. These rules protect your domain from brute-force attacks that could pose a security threat. Port 636 allows access to your managed domain. Here is how to update your NSG to allow access for secure LDAP:
- Navigate to the Network Security Groups tab in the Azure portal.
- Choose the NSG associated with your domain from the table.
- Click Inbound security rules.
- Create the port 636 rule:
  - Click Add on the top navigation bar.
  - Choose IP Addresses for the source and enter the addresses or CIDR ranges that should be allowed to reach secure LDAP.
  - Specify the Source port ranges for this rule.
  - Enter "636" for Destination port ranges.
  - Set Protocol to TCP.
  - Give the rule an appropriate name, description, and priority. This rule must have a higher priority (a lower priority number) than your "Deny all" rule, if you have one, so that it is evaluated first.
  - Click OK.
- Verify that your rule has been created.
- Check your domain's health in two hours to ensure that you have completed the steps correctly.
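The health check in the last step takes time to run. As an added example (not from this article or from Microsoft's tooling), the following Python check walks a simplified NSG inbound rule list, loosely modelled on the fields returned by `az network nsg rule list`, and reports whether TCP/636 is open to the whole internet, allowed only from listed prefixes, or blocked for everyone. The rule names and address prefixes in the sample data are constructed.

```python
"""Classify an NSG's inbound rules for the AADDS101 condition: is TCP/636 open to the internet?"""
LDAPS_PORT = 636
ANY_SOURCE = {"*", "Internet", "0.0.0.0/0"}  # prefixes matching any internet address
# Every NSG ends with Azure's built-in DenyAllInBound rule at priority 65500.
DENY_ALL = {"name": "DenyAllInBound", "priority": 65500, "access": "Deny", "protocol": "*",
            "sourceAddressPrefix": "*", "destinationPortRanges": ["*"]}

def port_matches(port_range, port):
    """True if an NSG port range ('*', '636' or '600-700') covers `port`."""
    if port_range == "*":
        return True
    lo, _, hi = port_range.partition("-")
    return int(lo) <= port <= int(hi or lo)

def ldaps_exposure(inbound_rules):
    """Walk inbound rules in priority order (lowest number first) and return
    "exposed" (any internet address may reach 636), "restricted" (636 allowed only
    from the specific prefixes listed) or "blocked" (636 denied for every source)."""
    ordered = sorted(inbound_rules + [DENY_ALL], key=lambda r: r["priority"])
    allowed_from = []
    for rule in ordered:
        if rule["protocol"] not in ("Tcp", "*"):
            continue
        if not any(port_matches(p, LDAPS_PORT) for p in rule["destinationPortRanges"]):
            continue
        if rule["sourceAddressPrefix"] in ANY_SOURCE:  # catch-all rule decides the rest
            if rule["access"] == "Allow":
                return "exposed"
            return "restricted" if allowed_from else "blocked"
        if rule["access"] == "Allow":
            allowed_from.append(rule["sourceAddressPrefix"])
    return "restricted" if allowed_from else "blocked"

# Constructed rule sets; names and prefixes are made up for this illustration.
EXPOSED = [{"name": "AllowLdapsInternet", "priority": 200, "access": "Allow", "protocol": "Tcp",
            "sourceAddressPrefix": "Internet", "destinationPortRanges": ["636"]}]
RESTRICTED = [
    {"name": "AllowLdapsFromOffice", "priority": 200, "access": "Allow", "protocol": "Tcp",
     "sourceAddressPrefix": "203.0.113.0/24", "destinationPortRanges": ["636"]},
    {"name": "DenyLdapsInternet", "priority": 300, "access": "Deny", "protocol": "Tcp",
     "sourceAddressPrefix": "Internet", "destinationPortRanges": ["636"]},
]
# Same two rules with the priorities swapped: the deny is evaluated first, so the office
# allow never applies. This is the ordering mistake the article's priority note warns about.
MISORDERED = [dict(RESTRICTED[0], priority=300), dict(RESTRICTED[1], priority=200)]
```

`ldaps_exposure(EXPOSED)` is the AADDS101 condition; `ldaps_exposure(MISORDERED)` shows why the allow rule needs the lower priority number.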
AADDS502: Secure LDAP certificate expiring
The secure LDAP certificate for the managed domain will expire on [date].
Create a new secure LDAP certificate by following the steps outlined in the Configure secure LDAP article.
Contact the Azure Active Directory Domain Services product team to share feedback or for support.