Issue with certificate for Secure LDAP

Samuele Ghilardi 0 Reputation points
2023-03-17T10:46:25.65+00:00

Hello

I'm trying to configure AAD Domain Services with LDAPS for a POC.

My certificate is not recognized as valid; the error reports a mismatch between the DNS name and the Subject Name.
I'm using a certificate issued by a CA, and all the requisites seem to be set correctly.

I have the same error also using a self-signed certificate for the same domain.

Please, what else should I check?

Thank you

Regards

Details:

Error:

Failed to configure secure LDAP for gate.datatex.com. The certificate's subject does not match the managed domain name. A wildcard certificate that is valid for your domain is required to configure secure LDAP.

DNS : gate.datatex.com

    Signature Algorithm: sha256WithRSAEncryption
        Issuer: C = GB, ST = Greater Manchester, L = Salford, O = Sectigo Limited, CN = Sectigo RSA Domain Validation Secure Server CA
        Validity
            Not Before: Jan 12 00:00:00 2023 GMT
            Not After : Feb 12 23:59:59 2024 GMT
        Subject: CN = *.datatex.com

[ ... ]


Certificate purposes:
SSL client : Yes
SSL client CA : No
SSL server : Yes
SSL server CA : No
Netscape SSL server : Yes
Netscape SSL server CA : No
S/MIME signing : No
S/MIME signing CA : No
S/MIME encryption : No
S/MIME encryption CA : No
CRL signing : No
CRL signing CA : No
Any Purpose : Yes
Any Purpose CA : Yes
OCSP helper : Yes
OCSP helper CA : No
Time Stamp signing : No
Time Stamp signing CA : No
X509v3 Key Usage: critical
    Digital Signature, Key Encipherment
X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication

Microsoft Entra

3 answers

  1. cthivierge 4,056 Reputation points
    2023-03-17T13:09:43.9+00:00

    This may help you

    https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps#create-a-certificate-for-secure-ldap

    • Subject name - The subject name on the certificate must be your managed domain. For example, if your domain is named aaddscontoso.com, the certificate's subject name must be *.aaddscontoso.com.
      • The DNS name or subject alternate name of the certificate must be a wildcard certificate to ensure that secure LDAP works properly with Azure AD Domain Services. Domain Controllers use random names and can be removed or added to ensure the service remains available.

  2. Samuele Ghilardi 0 Reputation points
    2023-03-17T13:41:21.6666667+00:00

    Hello

    Resolved; it was a misunderstanding about the name of the service.

    When the DNS is configured, it must be defined with the domain, not with the name of the exposed public service.

    So the service must be contoso.com and the certificate will be for *.contoso.com; the public service will be ldaps.contoso.com.

    It is not possible to choose the service name.

    Thank you

    Regards

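To make the mismatch in the question concrete, here is an added example (not code from the original post, from Microsoft's documentation, or from the Azure service) that models the name rule quoted from the tutorial above: the certificate's subject CN or a SAN dNSName must be exactly *.<managed domain>, and the managed domain is the DNS domain (datatex.com), not the LDAPS host name (gate.datatex.com). It also shows standard wildcard host matching, which is why one wildcard covers domain controllers with random names directly under the domain but nothing deeper. Certificate names are taken in the dictionary layout that Python's ssl.SSLSocket.getpeercert() returns; both sample certificates below are constructed for this example (the SAN list of the Sectigo certificate is assumed, since the question only shows its subject), and the assertions in check_secure_ldap_cert are an assumption about what the service checks, not a reproduction of its code.

```python
# Added example: model of the Azure AD DS secure LDAP certificate name check.
# Not the service's own code; the exact rule is an assumption based on the
# tutorial text ("the certificate's subject name must be *.<managed domain>").
from typing import Tuple, List


def cert_dns_names(cert: dict) -> List[str]:
    """Collect the subject commonName plus every SAN dNSName, lower-cased,
    from a certificate in the layout returned by ssl.SSLSocket.getpeercert()."""
    names = []
    for rdn in cert.get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                names.append(value)
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.append(value)
    return [n.lower().rstrip(".") for n in names]


def matches_host(pattern: str, host: str) -> bool:
    """RFC 6125 style matching: '*' is only accepted as the whole leftmost
    label and matches exactly one label, so *.datatex.com covers
    ldaps.datatex.com but not datatex.com or dc1.gate.datatex.com."""
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".datatex.com"
    if not host.endswith(suffix):
        return False
    leftmost = host[: -len(suffix)]
    return leftmost != "" and "." not in leftmost


def check_secure_ldap_cert(managed_domain: str, cert: dict) -> Tuple[bool, str]:
    """Require the CN or a SAN to be exactly '*.<managed domain>'.  A per-host
    name such as ldaps.datatex.com is not enough: domain controllers get random
    host names under the managed domain, so only the wildcard covers them."""
    required = "*." + managed_domain.lower().rstrip(".")
    names = cert_dns_names(cert)
    if required in names:
        return True, "ok: %s present" % required
    return False, "mismatch: need %s, certificate has %s" % (required, ", ".join(names))


# Constructed sample modelled on the Sectigo certificate in the question
# (the SAN entries are assumed; the question only shows the subject).
WILDCARD_CERT = {
    "subject": ((("commonName", "*.datatex.com"),),),
    "subjectAltName": (("DNS", "*.datatex.com"), ("DNS", "datatex.com")),
}

# Constructed single-host certificate, to show why it is rejected.
HOST_CERT = {
    "subject": ((("commonName", "ldaps.datatex.com"),),),
    "subjectAltName": (("DNS", "ldaps.datatex.com"),),
}

if __name__ == "__main__":
    # The original mistake: the managed domain was entered as the LDAPS host name.
    print(check_secure_ldap_cert("gate.datatex.com", WILDCARD_CERT))
    # The fix: the managed domain is the DNS domain, which the wildcard covers.
    print(check_secure_ldap_cert("datatex.com", WILDCARD_CERT))
    # A certificate for the public LDAPS name alone is still rejected.
    print(check_secure_ldap_cert("datatex.com", HOST_CERT))
    for host in ("ldaps.datatex.com", "datatex.com", "dc1.gate.datatex.com"):
        print(host, matches_host("*.datatex.com", host))
```

To run the check against a certificate already served on port 636, connect with an ssl.SSLContext that has verification enabled and pass the dictionary from getpeercert() to check_secure_ldap_cert; with verification disabled getpeercert() returns an empty dictionary and the check will report a mismatch.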

  3. Givary-MSFT 28,406 Reputation points Microsoft Employee
    2023-04-19T07:29:35.16+00:00

    @Samuele Ghilardi I'm glad that you were able to resolve your issue, and thank you for posting your solution so that others experiencing the same thing can easily reference this! Since the Microsoft Q&A community has a policy that "The question author cannot accept their own answer. They can only accept answers by others", I'll repost your solution in case you'd like to "Accept" the answer.

    Issue: My certificate is not recognized as valid; the error reports a mismatch between the DNS name and the Subject Name.
    I'm using a certificate issued by a CA, and all the requisites seem to be set correctly. I have the same error also using a self-signed certificate for the same domain.

    Resolution: Resolved by (@Samuele Ghilardi) Resolved; it was a misunderstanding about the name of the service. When the DNS is configured, it must be defined with the domain, not with the name of the exposed public service. So the service must be contoso.com and the certificate will be for *.contoso.com; the public service will be ldaps.contoso.com. It is not possible to choose the service name.
