Cannot connect to AD LDAPS

Author
Tutek
Bronze Member
  • Total Posts : 57
  • Scores: 0
  • Reward points: 0
  • Joined: 2020/03/16 08:23:40
  • Status: online
2021/03/12 09:47:14 (permalink)
0

Cannot connect to AD LDAPS

Hi,
I would like to configure an LDAPS connection to my domain controller. I installed a cert on AD and installed the CA cert on the Fortigate;
from any Windows PC using ldap.exe I have a secure connection to the DC on port 636.
The domain controller name is resolved by FQDN from the Fortigate, but when I create the connection using the secure option I get the error: "Can't contact LDAP server"
 
#1


    marchand
    Bronze Member
    • Total Posts : 38
    • Scores: 2
    • Reward points: 0
    • Joined: 2021/02/11 11:51:18
    • Status: offline
    Re: Cannot connect to AD LDAPS 2021/03/12 11:28:44 (permalink)
    0
    To configure secure LDAP, you first need to install and configure a Certificate Authority on your Domain Controller.
    #2
    Tutek
    Bronze Member
    • Total Posts : 57
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/03/16 08:23:40
    • Status: online
    Re: Cannot connect to AD LDAPS 2021/03/12 11:40:36 (permalink)
    0
    I don't need a local CA; we use a public commercial certificate.
    #3
    marchand
    Bronze Member
    • Total Posts : 38
    • Scores: 2
    • Reward points: 0
    • Joined: 2021/02/11 11:51:18
    • Status: offline
    Re: Cannot connect to AD LDAPS 2021/03/12 12:19:51 (permalink)
    0
     
    Ok! I'm using self-signed certificates.
     
    Then check if your certificate meets the requirements:
     
    Setup LDAPS (LDAP over SSL)

    The certificate to be used for LDAPS must satisfy the following 3 requirements:
    • The certificate must be valid for the purpose of Server Authentication. This means that it must also contain the Server Authentication object identifier (OID): 1.3.6.1.5.5.7.3.1
    • The Subject name or the first name in the Subject Alternative Name (SAN) must match the Fully Qualified Domain Name (FQDN) of the host machine. For more information, see How to add a Subject Alternative Name to a secure LDAP certificate.
    • The host machine account must have access to the private key.
     
     
    post edited by marchand - 2021/03/12 12:28:54
    #4
    Tutek
    Bronze Member
    • Total Posts : 57
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/03/16 08:23:40
    • Status: online
    Re: Cannot connect to AD LDAPS 2021/03/12 12:59:58 (permalink)
    0
    I have generated a public certificate with CN=FQDN of the domain server; there is also a key extension in the certificate with: server auth (OID: 1.3.6.1.5.5.7.3.1). The certificate CSR was done on the domain controller, then the newly issued certificate was imported into the computer account certificates.
    Then I also imported the CA_root certificate to the Fortigate.
    As I said, from my PC, when I use an application like lpdadmin, I can connect to the FQDN of my domain controller on port 636; I then confirm on the domain controller with the command netstat -an | find ":636" that the connection is established. If I choose the IP address in lpadmin instead of the FQDN of the domain controller, then I cannot connect on port 636, so I think this proves that LDAPS is working correctly.
    But on the Fortigate side, when connecting using the secure connection on port 636, I cannot connect.
     
    #5
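    The three requirements marchand quotes (#4) and Tutek's observation (#5) that the same server answers by FQDN but not by IP address are exactly what a TLS client checks before it will talk LDAP on port 636. The Go program below is an added example, not code from this thread or from Fortinet: it builds a constructed root CA and a constructed domain-controller certificate in memory and runs Go's standard x509 verification against them, the way a client such as the Fortigate would. The FQDN dc1.example.test, the address 10.0.0.5 and the CA names are made up. Go's verifier matches the host name against the SAN only and ignores the subject CN, so a certificate that relies on the CN alone fails here as well.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// issue signs tmpl with parent/parentKey; a nil parent makes it self-signed.
func issue(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	signer := key
	if parent == nil {
		parent = tmpl
	} else {
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// NewCA builds a constructed root CA standing in for the commercial root
// that was imported on the Fortigate.
func NewCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return issue(tmpl, nil, nil)
}

// NewServerCert issues a domain-controller certificate from ca. The SAN list
// and the EKU list are varied in main to reproduce the requirements.
func NewServerCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string, sans []string, ekus []x509.ExtKeyUsage) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: cn},
		DNSNames:     sans,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  ekus,
	}
	cert, _ := issue(tmpl, ca, caKey)
	return cert
}

// CheckLDAPSCert applies the checks a TLS client runs when it opens host:636:
// chain to the trusted CA, host name against the SAN (host may be an IP),
// and the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1).
func CheckLDAPSCert(server, trustedCA *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedCA)
	_, err := server.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

func main() {
	const dc = "dc1.example.test" // constructed FQDN of the domain controller
	ca, caKey := NewCA("Example Root CA (constructed)")
	otherCA, _ := NewCA("Unrelated Root CA (constructed)")
	good := NewServerCert(ca, caKey, dc, []string{dc}, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth})
	wrongEKU := NewServerCert(ca, caKey, dc, []string{dc}, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth})

	cases := []struct {
		name string
		err  error
	}{
		{"FQDN, correct CA, Server Authentication EKU", CheckLDAPSCert(good, ca, dc)},
		{"same certificate reached by IP address", CheckLDAPSCert(good, ca, "10.0.0.5")},
		{"Client Authentication EKU only", CheckLDAPSCert(wrongEKU, ca, dc)},
		{"wrong CA imported on the client", CheckLDAPSCert(good, otherCA, dc)},
	}
	for _, c := range cases {
		if c.err == nil {
			fmt.Printf("OK    %s\n", c.name)
		} else {
			fmt.Printf("FAIL  %s: %v\n", c.name, c.err)
		}
	}
}
```

    Only the first case passes. The IP case fails with a host name mismatch, which is the behaviour Tutek saw from lpadmin and is expected rather than a fault; the EKU case fails with an incompatible-usage error; the last case fails with an unknown-authority error, which is what a wrong or incomplete CA upload on the client side looks like.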
    marchand
    Bronze Member
    • Total Posts : 38
    • Scores: 2
    • Reward points: 0
    • Joined: 2021/02/11 11:51:18
    • Status: offline
    Re: Cannot connect to AD LDAPS 2021/03/12 23:13:17 (permalink)
    #6
    Tutek
    Bronze Member
    • Total Posts : 57
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/03/16 08:23:40
    • Status: online
    Re: Cannot connect to AD LDAPS 2021/03/12 23:20:54 (permalink)
    0
    Yes, I followed exactly this Microsoft guide.
    #7
    Magion
    Bronze Member
    • Total Posts : 48
    • Scores: 4
    • Reward points: 0
    • Joined: 2019/08/20 01:06:02
    • Status: offline
    Re: Cannot connect to AD LDAPS 2021/03/13 00:08:55 (permalink)
    0
    Have you tried to connect with LDAP instead of LDAPS, to validate the connection and basic settings?
    #8
    Tutek
    Bronze Member
    • Total Posts : 57
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/03/16 08:23:40
    • Status: online
    Re: Cannot connect to AD LDAPS 2021/03/13 00:10:25 (permalink)
    0
    Yes, the connection on port 389 is working.
    Maybe there are some debug commands I could use to check if there is a problem with the SSL connection?
    post edited by Tutek - 2021/03/13 00:22:04
    #9
    Magion
    Bronze Member
    • Total Posts : 48
    • Scores: 4
    • Reward points: 0
    • Joined: 2019/08/20 01:06:02
    • Status: offline
    Re: Cannot connect to AD LDAPS 2021/03/13 01:33:25 (permalink)
    0
    The screenshot is from my FGT. The certificate is imported as a remote CA certificate (not sure if this is important).
    Did you enable access to port 636 for your Fortigate?
    #10
    marchand
    Bronze Member
    • Total Posts : 38
    • Scores: 2
    • Reward points: 0
    • Joined: 2021/02/11 11:51:18
    • Status: offline
    Re: Cannot connect to AD LDAPS 2021/03/13 01:36:28 (permalink)
    0
     
    You already checked that, I guess:
     
    Possible issues
    • Start TLS extended request
      LDAPS communication occurs over port TCP 636. LDAPS communication to a global catalog server occurs over TCP 3269. When connecting to ports 636 or 3269, SSL/TLS is negotiated before any LDAP traffic is exchanged.
    • Multiple SSL certificates
      Schannel, the Microsoft SSL provider, selects the first valid certificate that it finds in the local computer store. If there are multiple valid certificates available in the local computer store, Schannel may not select the correct certificate.
    • Pre-SP3 SSL certificate caching issue
      If an existing LDAPS certificate is replaced with another certificate, either through a renewal process or because the issuing CA has changed, the server must be restarted for Schannel to use the new certificate.
    #11
    Tutek
    Bronze Member
    • Total Posts : 57
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/03/16 08:23:40
    • Status: online
    Re: Cannot connect to AD LDAPS 2021/03/13 01:41:20 (permalink)
    0

    On port 3269 I also get an error when connecting.
     
    And the connection from the ldp.exe program is successful; it gives me the info that the domain controller accepts the SSL connection:

    post edited by Tutek - 2021/03/13 01:45:58
    #12
    TecnetRuss
    Bronze Member
    • Total Posts : 45
    • Scores: 14
    • Reward points: 0
    • Joined: 2017/02/27 13:14:44
    • Status: offline
    Re: Cannot connect to AD LDAPS 2021/03/13 16:35:28 (permalink)
    0
    If you're using "samaccountname", try changing Bind Type to "Regular" and then specifying a Username for a domain user account (e.g. domain user "fortigate_ldap" - it doesn't have to be a domain admin) in the format "CN=fortigate_ldap,OU=....,DC=....,DC=....,DC=...
     
    You can leave the Certificate field blank.
     
    Russ
    #13
    Tutek
    Bronze Member
    • Total Posts : 57
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/03/16 08:23:40
    • Status: online
    Re: Cannot connect to AD LDAPS 2021/03/14 23:30:06 (permalink)
    0
    You mean this way? Still can't connect. I have to check a certificate; I cannot set an empty one.

     
    #14
    Hosemacht
    Silver Member
    • Total Posts : 87
    • Scores: 5
    • Reward points: 0
    • Joined: 2017/04/18 04:06:13
    • Location: Upper Austria
    • Status: offline
    Re: Cannot connect to AD LDAPS 2021/03/15 00:10:39 (permalink)
    0
    Hey there,
     
    Don't set a certificate (leave it empty) and then try again.
     
    Regards

    sudo apt-get-rekt
    #15
    Tutek
    Bronze Member
    • Total Posts : 57
    • Scores: 0
    • Reward points: 0
    • Joined: 2020/03/16 08:23:40
    • Status: online
    Re: Cannot connect to AD LDAPS 2021/03/15 23:24:35 (permalink)
    0
    Please tell me why, when I select Ca_Certificate on my LDAPS connection, I get this error:

    Are my uploaded CA_Certificates wrong?
    post edited by Tutek - 2021/04/01 03:42:27
    #16