Use LDAPS 636 and disable LDAP 389

Question

Tuesday, August 8, 2017 6:57 AM

Hi all,

Is there a way to force the use of LDAPS 636 and disable LDAP access on port 389 without impacting services?

I would like to use LDAPS only for AD, SCCM, KMS, WSUS and disable LDAP.

thanks in advance,

Deezy,

All replies (8)

Tuesday, August 8, 2017 9:13 AM ✅Answered | 1 vote

Is there a way to force the use of LDAPS 636 and disable LDAP access on port 389 without impacting services?

No. The usage of LDAP or LDAPS depends solely on the client application. And for domain services, LDAP is mandatory (not LDAPS).

I would like to use LDAPS only for AD, SCCM, KMS, WSUS and disable LDAP.

Seems there's a lack of knowledge about Windows infrastructures. Neither KMS nor WSUS are LDAP-related :)


Tuesday, August 8, 2017 11:41 AM ✅Answered | 1 vote

Hi,

You cannot disable port 389 LDAP; this will cause issues in your environment, and AD will behave in a slightly different way such that you might not be able to use it.

You can use SSL certificates for the applications that connect to AD on SSL 636 (LDAPS), but disabling 389/LDAP is not recommended.

Regards, Jim MSCS - MCP Disclaimer: This posting is provided AS IS with no warranties or guarantees, and confers no rights. When you see answers and helpful posts, please click Vote As Helpful, Propose As Answer, and/or Mark As Answer.


Wednesday, August 9, 2017 6:24 AM ✅Answered

Hi,
As others said, you cannot do that, because port 389 is used for directory access, replication, user and computer authentication, Group Policy, trusts, etc. Disabling LDAP access on port 389 will affect AD communication and lead to AD issues. The LDAPS protocol is mainly used between an application and the network directory or AD domain controller. There is no way to make clients prefer LDAPS, because the type of connection depends on the application that is running on the client computer.
Best regards,
Wendy

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com
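The replies are right that 389 cannot be turned off and that each client decides whether it uses LDAP or LDAPS. What an admin can do is find out which clients are still binding to a DC in clear text, so they can be pointed at LDAPS 636 one application at a time. The following script is an added example, not code from this thread; it goes one step beyond the replies by using event 2889, which a DC logs for each clear-text or unsigned bind once its "16 LDAP Interface Events" diagnostic level is set to 2. The DC name is a placeholder.

```powershell
# Added example (not from this thread): list the clients that are still binding to a
# domain controller in clear text or without signing, so they can be moved to LDAPS 636
# (or signed binds) before anyone considers restricting port 389.
# Assumptions: run as an admin against a DC; the DC's "16 LDAP Interface Events"
# diagnostic level is 2, so it logs event 2889 once per clear-text/unsigned bind.
param(
    [string]$DomainController = $env:COMPUTERNAME,  # placeholder: name of a DC
    [int]$Hours = 24
)

# Enable the diagnostic level that produces event 2889 (on the DC, once):
# Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
#     -Name '16 LDAP Interface Events' -Value 2

$since  = (Get-Date).AddHours(-$Hours)
$events = Get-WinEvent -ComputerName $DomainController -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning "No event 2889 on $DomainController since $since (diagnostic level not 2, or no clear-text binds)."
    return
}

# Binding Type in the event: 0 = simple bind over clear-text LDAP, 1 = SASL bind without signing.
$bindNames = @{ 0 = 'simple bind (clear text)'; 1 = 'SASL bind (unsigned)' }

$rows = foreach ($e in $events) {
    $m    = $e.Message
    $ip   = if ($m -match 'Client IP address:\s*(\S+)')     { $Matches[1] } else { '?' }
    $id   = if ($m -match 'authenticate as:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
    $type = if ($m -match 'Binding Type:\s*(\d+)')          { [int]$Matches[1] } else { -1 }
    $bind = if ($bindNames.ContainsKey($type)) { $bindNames[$type] } else { "type $type" }
    [pscustomobject]@{
        Client   = ($ip -split ':')[0]   # drop the ephemeral source port
        Identity = $id
        Bind     = $bind
    }
}

# One line per client / identity / bind type: these are the hosts and accounts to move to 636.
$rows | Group-Object Client, Identity, Bind | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize
```

Run it against each DC in the domain, since a client only shows up on the DC it actually bound to.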


Wednesday, August 9, 2017 2:30 PM

Hi all,

thank you for your support.

regards,

deezy,


Thursday, August 10, 2017 2:04 AM

Hi,
If the replies above are helpful, we would appreciate it if you would mark them as answers; it will be greatly helpful to others who have the same question.
We appreciate your feedback.
Best regards,
Wendy

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com


Monday, August 14, 2017 9:38 AM

Hi Deezy,

I am checking how the issue is going; if you still have any questions, please feel free to contact us.

And if the replies above are helpful, we would appreciate it if you would mark them as answers, and if you resolved it using your own solution, please share your experience and solution here. It will be greatly helpful to others who have the same question.

We appreciate your feedback.

Best regards,

Wendy

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.


Wednesday, August 23, 2017 7:36 AM

Hello,

Thank you for your support.

Is it the same impact for SCCM?

Regards,

Deezy,


Thursday, August 24, 2017 1:45 AM

Hi Deezy,
As far as I know, SCCM seems to communicate with the DC on port 389, so in this case it would maybe have an impact on SCCM, and you could involve the SCCM guys to check the details of the impact.
Best regards,
Wendy

Please remember to mark the replies as answers if they help.
If you have feedback for TechNet Subscriber Support, contact tnmff@microsoft.com.