Unable to enable LDAPS on AzureADDS

azaddsuser007 1 Reputation point
2020-10-14T20:00:26.627+00:00

My Azure Subscription ID: 1f30a42d-6326-4c15-8d06-bf9275b52da1

I created AADDS and, when trying to enable LDAPS, I am getting an error about the Subject on the certificate. My domain name is taravindkumar.onmicrosoft.com and the certificate I am trying to upload has the name.

Public certificate is:
cat publiccert.pem
Bag Attributes
    localKeyID: 01 00 00 00
    1.3.6.1.4.1.311.17.3.71: 68 00 79 00 62 00 72 00 69 00 64 00 65 00 78 00 63 00 68 00 31 00 36 00 2E 00 51 00 41 00 2D 00 41 00 44 00 2E 00 6E 00 65 00 74 00 63 00 69 00 74 00 61 00 64 00 65 00 6C 00 2E 00 63 00 6F 00 6D 00 00 00
subject=/CN=*.onmicrosoft.com
issuer=/CN=*.onmicrosoft.com
-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIQd6h4JS5dG7dPlt3dv3zoBjANBgkqhkiG9w0BAQUFADAc
MRowGAYDVQQDDBEqLm9ubWljcm9zb2Z0LmNvbTAeFw0yMDEwMTQxODM2MTBaFw0y
MTEwMTQxODQ2MTBaMBwxGjAYBgNVBAMMESoub25taWNyb3NvZnQuY29tMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5jVv8i1DqbkTisw9u5OEa0zTy1YY
ru+NMbMJ1QtVjjD3Nn3cB1DHV2JAAAZ9TIoZSwuCenZn450k+MYH7szeIHuskfBm
8fGbcolsPJT1m8v7di4bDOna9NjeGWbxe5wnJjT5X1XxAUMHD1D6gKZmEZMn5N8Y
fs80ud0icPMGB0Tx+TpWJxsJ8AE4qHOk7vtuPGchrofNBvvtwrF4ipfMNs6wizvG
Xg44Rmbg0EEWwZBj949hkmRAI55qY8R0rzzV44RfwbZAjwZOGq5/fp1s/eS2ijy5
Z3pR59zrRgt9rX5zS7wyQqH5lxyHk+Qbi0V8M6j3KE+f4J0Y9YfGoMKS4wIDAQAB
o4G0MIGxMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYB
BQUHAwEwYQYDVR0RBFowWIIddGFyYXZpbmRrdW1hci5vbm1pY3Jvc29mdC5jb22C
JHRhcmF2aW5ka3VtYXJvdXRsb29rLm9ubWljcm9zb2Z0LmNvbYIRKi5vbm1pY3Jv
c29mdC5jb20wHQYDVR0OBBYEFMOZJiXhxcUH8bvCxbMC/hJvemUkMA0GCSqGSIb3
DQEBBQUAA4IBAQDi5HKF+NIBhbO0PAZQ50EPJRWFqK6zjGACQmUDKai2epi98b/u
EaIcgY88/dEghLX5yhnS0EcZM0EmA646TjwhZ4Bk9FRi6jkvfD2x1oROrG/+eGEb
rcAo+dakjRopAsSXYZvSsutDCLRb1pbOkKhmukfgsPwYBsjaoXHHwdtqidlR2AJq
bbmK1nx9dvwGnKhFiLbKbD3Bt/PEeywvtxsD3H3V2qNkXaiF4e8kDMtxUPCQa6Ph
HRGhpOU42jB8jrqHbDQXArue5yMNdRNghdpk5BveOUcqSzScSKhfuhMcl61u5vin
exoRNoLJE44bVKvN4gGcuTk1i4HMu4VN8hni
-----END CERTIFICATE-----

Error received is:
Secure LDAP configuration failed. The certificate's subject does not match the managed domain name. A wildcard certificate that is valid for your domain is required to configure secure LDAP.

As suggested by a support engineer, I even tried to use the dnsName *.aaddsonmicrosoft.com, and that failed with a different error altogether, like below:

Public certificate with dnsName as *.aaddsonmicrosoft.com

-----BEGIN CERTIFICATE-----
MIIDWDCCAkCgAwIBAgIJANSC3KM5qSU7MA0GCSqGSIb3DQEBCwUAMCExHzAdBgNV
BAMMFiouYWFkZHNvbm1pY3Jvc29mdC5jb20wHhcNMjAxMDE0MTkzODI4WhcNMjAx
MTEzMTkzODI4WjAhMR8wHQYDVQQDDBYqLmFhZGRzb25taWNyb3NvZnQuY29tMIIB
IjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA+Fqu+UosAX/WGbbPALAKLugb
8nl5VkRY1PtjDSCj1UUP7SOVYZFgesDodJCmV7yq81adH1RlVZNGuBPCaMRHZ9lc
EwHeN2+4YlbkCXB4iokJx12GEEdRuslNGYz53nPP5QDfBeBS1Twt4jYUoaADbhw9
0b19CKMSq0PjRJDEGjkYRoTRrYCz96lIy4AUnc6zAqZ+EZsj9UoIZdVdfeWlt2kJ
ELVi+OJ9Ys0IPST3wKwWLD+kFRkZV15FsSRpt9eMd4VnZ2/yNVEX77QS1a277Odi
USEHCCW1jrTDYSn3BoEjpxkT+88PrIdPoEX5+dzbzfFax+wAj+6aaf87SHMM0QID
AQABo4GSMIGPMAsGA1UdDwQEAwIEsDAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYB
BQUHAwIwYQYDVR0RBFowWIIkdGFyYXZpbmRrdW1hcm91dGxvb2sub25taWNyb3Nv
ZnQuY29tgh10YXJhdmluZGt1bWFyLm9ubWljcm9zb2Z0LmNvbYIRKi5vbm1pY3Jv
c29mdC5jb20wDQYJKoZIhvcNAQELBQADggEBAOKF1kOXTLy9FlAM9urGNETh9eb9
FLCAmb3JEerladzVd5rP92K538Ccn8qdBSgaXS0PkgxfvOQvMFiUxeN5fnOntePT
K9r8gCrWDUZOEnBT0LnX2cBXR/mMuU3in6zvc6NDJkjnqmZk765HU2h8e85ddx3M
FtbVA6IPzbQNtsuNfOepvQiHU0TjSZIw7n8yFZTic0ra/P24KX1ozEHAoZODpRBW
7R/NIP0qQ4Cgcd95JZsGM4c3SsGGPHewJa+MAZ5KISIBbekD7Kq1RAAYUfJhnPLK
0Mm6aoBV3AwcTq3itoxgAHo94VkCvhOAStbLV0sJ1OZNeBlrzAXxygKhPu4=
-----END CERTIFICATE-----

Error message with this new cert is:
Secure LDAP configuration failed. Please check Activity log for more detail.

Microsoft Entra

3 answers

  1. Marilee Turscak-MSFT 36,411 Reputation points Microsoft Employee
    2020-10-15T00:26:44.98+00:00

    Ensure that you have checked the requirements for the secure LDAPS certificate:

    Trusted issuer - The certificate must be issued by an authority trusted by computers that need to connect to the domain using secure LDAP. This may be your organization's enterprise certification authority or a public certification authority trusted by these computers.

    Lifetime - The certificate must be valid for at least the next 3-6 months. This ensures that secure LDAP access to your managed domain is not broken when the certificate expires.

    Subject name - The subject name on the certificate must be a wildcard for your managed domain. For instance, if your domain is named 'contoso100.com', the certificate's subject name must be '*.contoso100.com'. The DNS name (subject alternate name) must also be set to this wildcard name.

    Key usage - The certificate must be configured for the following uses - Digital signatures and key encipherment.

    Certificate purpose - The certificate must be valid for SSL server authentication.

    It will take about 10 to 15 minutes to enable secure LDAP for your managed domain. If the provided secure LDAP certificate does not match the required criteria (e.g. the domain name is incorrect, the certificate is expired or expires very soon, etc.), secure LDAP will not be enabled for your directory and you will see a failure.

    Also, make sure you have selected a Forest Type of Trust.

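The following script is an added example, not part of this thread and not Microsoft's code. It parses a PEM certificate with a minimal standard-library DER walker and checks it against the requirements listed in the answer above: Subject CN equal to the wildcard of the managed domain, a SAN dNSName with the same wildcard, Key Usage with digitalSignature and keyEncipherment, the TLS server authentication EKU, and remaining lifetime. The embedded certificate is the first one posted in the question and the managed domain is taravindkumar.onmicrosoft.com from the question; the 90-day minimum remaining lifetime (a floor for the "3-6 months" guidance) and the evaluation date (the day the question was posted) are assumptions chosen for this example.

```python
# Added example, not from the thread: check a PEM certificate against the secure LDAP
# requirements listed above, using only the Python standard library (minimal DER walker).
import base64
from datetime import datetime, timedelta, timezone

# The first public certificate posted in the question, copied verbatim.
POSTED_CERT = """-----BEGIN CERTIFICATE-----
MIIDdzCCAl+gAwIBAgIQd6h4JS5dG7dPlt3dv3zoBjANBgkqhkiG9w0BAQUFADAc
MRowGAYDVQQDDBEqLm9ubWljcm9zb2Z0LmNvbTAeFw0yMDEwMTQxODM2MTBaFw0y
MTEwMTQxODQ2MTBaMBwxGjAYBgNVBAMMESoub25taWNyb3NvZnQuY29tMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA5jVv8i1DqbkTisw9u5OEa0zTy1YY
ru+NMbMJ1QtVjjD3Nn3cB1DHV2JAAAZ9TIoZSwuCenZn450k+MYH7szeIHuskfBm
8fGbcolsPJT1m8v7di4bDOna9NjeGWbxe5wnJjT5X1XxAUMHD1D6gKZmEZMn5N8Y
fs80ud0icPMGB0Tx+TpWJxsJ8AE4qHOk7vtuPGchrofNBvvtwrF4ipfMNs6wizvG
Xg44Rmbg0EEWwZBj949hkmRAI55qY8R0rzzV44RfwbZAjwZOGq5/fp1s/eS2ijy5
Z3pR59zrRgt9rX5zS7wyQqH5lxyHk+Qbi0V8M6j3KE+f4J0Y9YfGoMKS4wIDAQAB
o4G0MIGxMA4GA1UdDwEB/wQEAwIFoDAdBgNVHSUEFjAUBggrBgEFBQcDAgYIKwYB
BQUHAwEwYQYDVR0RBFowWIIddGFyYXZpbmRrdW1hci5vbm1pY3Jvc29mdC5jb22C
JHRhcmF2aW5ka3VtYXJvdXRsb29rLm9ubWljcm9zb2Z0LmNvbYIRKi5vbm1pY3Jv
c29mdC5jb20wHQYDVR0OBBYEFMOZJiXhxcUH8bvCxbMC/hJvemUkMA0GCSqGSIb3
DQEBBQUAA4IBAQDi5HKF+NIBhbO0PAZQ50EPJRWFqK6zjGACQmUDKai2epi98b/u
EaIcgY88/dEghLX5yhnS0EcZM0EmA646TjwhZ4Bk9FRi6jkvfD2x1oROrG/+eGEb
rcAo+dakjRopAsSXYZvSsutDCLRb1pbOkKhmukfgsPwYBsjaoXHHwdtqidlR2AJq
bbmK1nx9dvwGnKhFiLbKbD3Bt/PEeywvtxsD3H3V2qNkXaiF4e8kDMtxUPCQa6Ph
HRGhpOU42jB8jrqHbDQXArue5yMNdRNghdpk5BveOUcqSzScSKhfuhMcl61u5vin
exoRNoLJE44bVKvN4gGcuTk1i4HMu4VN8hni
-----END CERTIFICATE-----"""
MANAGED_DOMAIN = "taravindkumar.onmicrosoft.com"    # managed domain named in the question
AS_OF = datetime(2020, 10, 15, tzinfo=timezone.utc)  # assumed evaluation date: the day the question was posted

def _tlv(buf, pos):  # decode one DER tag-length-value at buf[pos] -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length octets that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):  # split the content of a constructed DER value into (tag, value) pairs
    out, pos = [], 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        out.append((tag, inner))
    return out

def _oid(raw):  # dotted OID: first byte packs two arcs, the rest are base-128 arcs
    arcs, acc = [raw[0] // 40, raw[0] % 40], 0
    for b in raw[1:]:
        acc = (acc << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs, acc = arcs + [acc], 0
    return ".".join(map(str, arcs))

def _time(tag, raw):  # UTCTime (0x17) has a two-digit year, GeneralizedTime (0x18) a four-digit one
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"
    return datetime.strptime(raw.decode(), fmt).replace(tzinfo=timezone.utc)

def parse_cert(pem):
    """Return the certificate fields that the secure LDAP requirements talk about."""
    body = pem.split("-----BEGIN CERTIFICATE-----")[1].split("-----END CERTIFICATE-----")[0]
    _, cert, _ = _tlv(base64.b64decode("".join(body.split())), 0)
    fields = _children(_children(cert)[0][1])          # tbsCertificate
    if fields[0][0] == 0xA0:                            # drop [0] EXPLICIT version (present for v3)
        fields = fields[1:]                             # serial, sigAlg, issuer, validity, subject, spki, [3] exts
    info = {"subject_cn": None, "san": [], "key_usage": 0, "eku": set()}
    (t1, nb), (t2, na) = _children(fields[3][1])
    info["not_before"], info["not_after"] = _time(t1, nb), _time(t2, na)
    for _, rdn_set in _children(fields[4][1]):         # Name ::= SEQUENCE OF SET OF AttributeTypeAndValue
        (_, oid), (_, val) = _children(_children(rdn_set)[0][1])
        if _oid(oid) == "2.5.4.3":                      # id-at-commonName
            info["subject_cn"] = val.decode()
    exts = _children(fields[6][1])[0][1] if len(fields) > 6 and fields[6][0] == 0xA3 else b""
    for _, ext in _children(exts):
        parts = _children(ext)                          # OID, optional BOOLEAN critical, OCTET STRING
        oid, payload = _oid(parts[0][1]), _children(parts[-1][1])[0][1]
        if oid == "2.5.29.17":                          # subjectAltName: keep dNSName ([2]) entries only
            info["san"] = [v.decode() for t, v in _children(payload) if t == 0x82]
        elif oid == "2.5.29.15":                        # keyUsage BIT STRING: byte 0 = unused bits, byte 1 = flags
            info["key_usage"] = payload[1]
        elif oid == "2.5.29.37":                        # extKeyUsage: SEQUENCE OF OID
            info["eku"] = {_oid(v) for _, v in _children(payload)}
    return info

def check_ldaps_cert(pem, managed_domain, now=AS_OF, min_lifetime=timedelta(days=90)):
    """List secure LDAP requirement violations; an empty list means the certificate passes."""
    c, want, problems = parse_cert(pem), "*." + managed_domain, []
    if c["subject_cn"] != want:
        problems.append(f"subject CN is {c['subject_cn']}, expected {want}")
    if want not in c["san"]:
        problems.append(f"SAN dNSNames {c['san']} do not include {want}")
    if (c["key_usage"] & 0xA0) != 0xA0:                 # bit 0 digitalSignature (0x80) and bit 2 keyEncipherment (0x20)
        problems.append("key usage lacks digitalSignature and/or keyEncipherment")
    if "1.3.6.1.5.5.7.3.1" not in c["eku"]:             # id-kp-serverAuth
        problems.append("extended key usage lacks TLS server authentication")
    if c["not_after"] < now + min_lifetime:             # 90 days is an assumed floor for "at least 3-6 months"
        problems.append(f"expires {c['not_after']:%Y-%m-%d}, under {min_lifetime.days} days after {now:%Y-%m-%d}")
    return problems

if __name__ == "__main__":
    for problem in check_ldaps_cert(POSTED_CERT, MANAGED_DOMAIN):
        print("FAIL:", problem)
```

Run against the posted certificate, the checker reports exactly two findings: the Subject CN is *.onmicrosoft.com rather than *.taravindkumar.onmicrosoft.com, and the SAN (taravindkumar.onmicrosoft.com, taravindkumaroutlook.onmicrosoft.com, *.onmicrosoft.com) does not contain that wildcard either; key usage, EKU and lifetime all pass, which matches the portal's "subject does not match the managed domain name" error. Pasting the second certificate from the question in place of POSTED_CERT reports a Subject CN of *.aaddsonmicrosoft.com, a SAN that does not include it, and a notAfter of 2020-11-13, thirty days after issue, so it also fails the lifetime requirement. The script only inspects the leaf certificate; whether clients trust the issuer (requirement 1) and whether the uploaded PFX carries the private key are not something it can check.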

  2. azaddsuser007 1 Reputation point
    2020-10-15T04:29:24.52+00:00

    Thanks for your response @MarileeTurscak. I should have mentioned that, yes, I followed the Azure docs on how to configure LDAPS at https://learn.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-configure-ldaps

    Trusted issuer: I am using a self-signed certificate and I plan to add it to the trust store on my clients/client computers.
    Lifetime: Yes. It is 365 days valid cert.
    Subject name : *.onmicrosoft.com and added this to the DNSName/Subject Alt name on certs. (My AADDS domain name is taravindkumar.onmicrosoft.com)
    Key usage: Yes. Cert has the Digital signatures and key encipherment.
    Certificate purpose: Valid for SSL server authentication
    The certs above are base64 encoded; one could verify these details.

    I do not understand that last line of yours on how and where the Forest Type comes into the picture here.

    Also, at this time I am not even at the point of trying to connect my client to AADDS via LDAPS; it is just the configuration part that is failing in the Azure portal.

    Here is a screenshot for your reference:
    32440-screen-shot-2020-10-14-at-92655-pm.png

    Attached the public cert for reference if that may help you to help me. :)
    32379-publiccert.txt


  3. Ivan Takov 0 Reputation points
    2024-02-16T17:16:52.1333333+00:00

    Hi there, I have almost the same issue with configuring LDAP. I followed the guide step by step; however, when I was supposed to upload the self-signed certificate and enable LDAP, it failed with a generic error.

    It looks like a date/time issue but there is no additional info, so I am not sure what to check further and how this can be resolved.
