Issue with certificate for Secure LDAP

Samuele Ghilardi 0 Reputation points


I'm trying to configure AAD Domain Services with LDAPS for a POC.

My certificate is not recognized as valid with reporting a mismatching between DNS name and Subject Name.
I'm using a certificate issued by a CA and all the requisites seems correctly set.

I have the same error also using a self-signed certificate for the same domain.

Please what should I also check?

Thank you




Failed to configure secure LDAP for The certificate’s subject does not match the managed domain name. A wildcard certificate that is valid for you domain is required to configure secure LDAP.


 Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
            Not Before: Jan 12 00:00:00 2023 GMT
            Not After : Feb 12 23:59:59 2024 GMT
        Subject: CN = *

[ ... ]

Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication

Azure Active Directory Domain Services
{count} votes

2 answers

Sort by: Most helpful
  1. cthivierge 3,896 Reputation points

    This may help you

    • Subject name - The subject name on the certificate must be your managed domain. For example, if your domain is named, the certificate's subject name must be *
      • The DNS name or subject alternate name of the certificate must be a wildcard certificate to ensure the secure LDAP works properly with the Azure AD Domain Services. Domain Controllers use random names and can be removed or added to ensure the service remains available.
  2. Samuele Ghilardi 0 Reputation points


    Resolved, was a misunderstanding about the name of the services.

    When the DNS is configured must be defined with the domain not the name of the exposed public service.

    So the service must be and the certificate will be for * , the public services will

    Is not possible to choose the service name.

    Thank you