GPMC via 636 port

Nikita Krivets 481 Reputation points
2020-10-20T10:30:47.517+00:00

Hello,

Group Policy Management Console uses port 389 for communications and there are no credentials exposed during these operations. Still, I would like GPMC to establish a secure connection over port 636.

There is an article stating that port 636 can be used by GPMC for secure communications.

How can I "force" Group Policy Management Console to work with port 636 so that it establishes a secure connection?

Thanks in advance!


Accepted answer
  1. Hannah Xiong 6,221 Reputation points
    2020-10-21T05:42:06.557+00:00

    Hello,

    Thank you so much for posting here.

    If possible, would you share with us how you configured LDAPS?

    The LDAPS protocol is mainly used between an application and the network directory or AD domain controller. There is no way to make clients prefer LDAPS, because the type of connection depends on the application that is running on the client computer.

    Blocking port 389 is a typical thing to do on an external firewall, but is not something you would do on a domain controller. The Active Directory Domain Service administration tools still use port 389, but they are protected by the sign and seal binding.

    For more information, we could refer to:
    https://learn.microsoft.com/en-us/archive/blogs/pki/implementing-ldaps-ldap-over-ssl

    Thanks so much.

    Best regards,
    Hannah Xiong

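The accepted answer rests on two facts: the DC's LDAP signing policy, and the admin tools binding on 389 with sign and seal. The script below is an added example (not code from the thread or from Microsoft) that checks both: it reads the DC's signing and channel-binding settings, performs a Negotiate (Kerberos) bind on 389 with signing and sealing enabled, and then attempts a cleartext simple bind, which a DC that requires signing must refuse. It assumes a domain-joined Windows host, a domain account, and WinRM access to the DC for the registry read; `$DomainController` and the account you enter at the prompt are placeholders.

```powershell
# Added example, not code from the original thread or from Microsoft.
# Assumes: domain-joined Windows host, domain account, WinRM/admin access to the
# DC for the remote registry read. $DomainController is a placeholder.
param(
    [string]$DomainController = 'dc01.corp.example.com'
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# 1. Server-side policy, read from the DC's NTDS parameters key.
#    LDAPServerIntegrity: absent/1 = None (default), 2 = Require signing.
#    LdapEnforceChannelBinding: absent/0 = Never, 1 = When supported, 2 = Always.
$policy = Invoke-Command -ComputerName $DomainController -ScriptBlock {
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $v = Get-ItemProperty -Path $p -ErrorAction SilentlyContinue
    [pscustomobject]@{
        LDAPServerIntegrity       = $v.LDAPServerIntegrity
        LdapEnforceChannelBinding = $v.LdapEnforceChannelBinding
    }
}
"LDAP signing / channel binding policy on $DomainController :"
$policy | Format-List LDAPServerIntegrity, LdapEnforceChannelBinding

function Test-LdapBind {
    param(
        [string]$Server,
        [System.DirectoryServices.Protocols.AuthType]$AuthType,
        [bool]$SignAndSeal,
        [pscredential]$Credential
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 389)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = $AuthType
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.Signing = $SignAndSeal   # integrity: server rejects tampered PDUs
    $conn.SessionOptions.Sealing = $SignAndSeal   # confidentiality: session is encrypted
    if ($Credential) { $conn.Credential = $Credential.GetNetworkCredential() }
    try {
        $conn.Bind()
        # A RootDSE read proves the protected session carries real queries.
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    '', '(objectClass=*)',
                    [System.DirectoryServices.Protocols.SearchScope]::Base,
                    'dnsHostName')
        $resp   = $conn.SendRequest($req)
        $dcName = $resp.Entries[0].Attributes['dnsHostName'].GetValues([string])[0]
        "OK   $AuthType sign/seal=$SignAndSeal -> bound to $dcName"
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # LDAP error 8 (strongerAuthRequired) is what a DC with
        # LDAPServerIntegrity = 2 returns to a cleartext simple bind.
        "FAIL $AuthType sign/seal=$SignAndSeal -> LDAP error $($_.Exception.ErrorCode): $($_.Exception.Message)"
    } finally {
        $conn.Dispose()
    }
}

# 2. What GPMC and the other AD admin tools do on 389: Negotiate bind, signed and sealed.
Test-LdapBind -Server $DomainController -AuthType Negotiate -SignAndSeal $true

# 3. What you do NOT want on 389: a simple bind sends the password in the clear.
#    With LDAPServerIntegrity = 2 the DC rejects it; if this bind succeeds, the
#    DC still accepts unsigned cleartext binds.
$simpleCred = Get-Credential -Message 'Account (UPN) for the cleartext simple-bind test'
Test-LdapBind -Server $DomainController -AuthType Basic -SignAndSeal $false -Credential $simpleCred
```

Run it from an elevated PowerShell session as a domain user. The first bind is the one GPMC performs and should succeed regardless of policy; the second is the case the signing policy exists to stop, so a FAIL with LDAP error 8 is the desired outcome.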

1 additional answer

  1. Leon Laude 85,566 Reputation points
    2020-10-20T10:41:18.397+00:00

    Hi @Nikita Krivets,

    The Group Policy Management Console, along with many other MMC consoles, uses LDAP to read from and write to Active Directory.
    By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using SSL/Transport Layer Security (TLS) technology.

    To change this you can follow the official Microsoft documentation here:
    https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority


    Best regards,
    Leon

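Once LDAPS has been enabled per the linked article, the question is how to confirm that a DC actually answers on 636 with a usable certificate. The script below is an added example (not code from the thread or from Microsoft): it completes a TLS handshake on 636, inspects the certificate the DC presents against the article's requirements (Server Authentication EKU, DC FQDN as the name, trusted chain, not expired), and then performs a real LDAPS bind and RootDSE query with System.DirectoryServices.Protocols. It assumes a domain-joined Windows host; `$DomainController` is a placeholder and must be the DC's FQDN, not an IP address, because the name has to match the certificate.

```powershell
# Added example, not code from the original thread or from Microsoft.
# Assumes a domain-joined Windows host. $DomainController is a placeholder FQDN.
param(
    [string]$DomainController = 'dc01.corp.example.com'
)

Add-Type -AssemblyName System.DirectoryServices.Protocols
$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, required for LDAPS

function Get-LdapsCertificate {
    param([string]$Server)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, 636)
    # Accept any certificate here: this step only retrieves it; trust is checked below.
    $ssl = New-Object System.Net.Security.SslStream(
               $tcp.GetStream(), $false,
               [System.Net.Security.RemoteCertificateValidationCallback]{ $true })
    try {
        $ssl.AuthenticateAsClient($Server)
        [pscustomobject]@{
            Protocol    = $ssl.SslProtocol
            Certificate = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        }
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
}

function Test-LdapsCertificate {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Server
    )
    $ekus = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages | ForEach-Object { $_.Value } }
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [pscustomobject]@{
        Subject              = $Cert.Subject
        Issuer               = $Cert.Issuer
        NotAfter             = $Cert.NotAfter
        HasServerAuthEku     = ($ekus -contains $ServerAuthEku)
        # GetNameInfo returns the first SAN dNSName (or the CN if no SAN).
        NameMatchesDc        = ($Cert.GetNameInfo('DnsName', $false) -ieq $Server)
        ChainTrustedByClient = $chain.Build($Cert)    # $false => clients refuse LDAPS
        NotExpired           = ($Cert.NotAfter -gt (Get-Date))
    }
}

$tls = Get-LdapsCertificate -Server $DomainController
"TLS handshake on 636 succeeded: $($tls.Protocol)"
Test-LdapsCertificate -Cert $tls.Certificate -Server $DomainController | Format-List

# Real LDAPS bind: the library validates the certificate itself, so an untrusted
# or mis-named certificate fails here even though the raw handshake above worked.
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DomainController, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
try {
    $conn.Bind()
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                '', '(objectClass=*)',
                [System.DirectoryServices.Protocols.SearchScope]::Base, 'dnsHostName')
    $resp = $conn.SendRequest($req)
    "LDAPS bind OK, RootDSE dnsHostName = $($resp.Entries[0].Attributes['dnsHostName'].GetValues([string])[0])"
} catch [System.DirectoryServices.Protocols.LdapException] {
    "LDAPS bind failed: LDAP error $($_.Exception.ErrorCode): $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

If the handshake succeeds but `ChainTrustedByClient` is false, the client has not been given the issuing CA's root, which is the usual reason an LDAPS bind fails after the server side looks correct. A certificate with several SANs may need `$Cert.DnsNameList` (PowerShell's extended property) instead of the single name returned by `GetNameInfo`.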