Confirming a Domain Controller has a working LDAPS configuration
This article explains how to ensure an AD Domain controller has a working LDAPS configuration.
Why PxM Needs LDAPS
In order for PxM to communicate with Active Directory domain controllers, PxM needs to connect using LDAPS.
Using LDAPS is a Microsoft restriction. Over LDAP you can not change the password of an Active Directory account or create a new Active Directory account.
This can only be done over LDAPS, hence PxM requires LDAPS connectivity.
Domain Controller Default
By default Domain Controller(s) listen over LDAP but not LDAPS.
They do however still have an active socket listening on the LDAPS port (TCP 636) but by default this does not function correctly.
To function correctly the Domain Controller(s) require a certificate (with ‘Server Authentication’ enabled) to be installed.
This happens automatically for all Domain Controllers if there is a Microsoft Certificate Authority role installed somewhere in the domain and it is configured with an Enterprise Root certificate.
Just checking to see if a Domain Controller is listening on the LDAPS port (TCP 636) is not sufficient to confirm LDAPS is working.
To verify LDAPS on a domain controller has been configured and is functioning correctly, perform the following steps on each Domain Controller that PxM will need to communicate with:
- RDP onto the Domain Controller
- Open the Run dialogue box and run the application: ldp.exe or ldp for short
- When LDP opens, go to the Connection menu and click on Connect..
- Fill in the ‘Connect’ dialogue box as shown below.
- Click OK.
- If the server is correctly configured for LDAPS then line 5 of the output (you might need to scroll up) will show that the host supports SSL, like this:
- If the host is NOT configured for LDAPS then Ldp will show the following. This means PxM won’t be able to communicate with that Domain Controller: