2

Microsoft has an advisory that states they will be prepping LDAP/SSL (LDAPS). https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

While Microsoft doesn't specifically list instructions to set up LDAP/SSL for Azure AD Connect, there is a reference to LDAP/SSL (LDAPS) being used in the article: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-ports

  • Is there a way to verify if Azure AD Connect is already using LDAP/SSL?
  • Is there a way to configure Azure AD Connect to only use LDAP/SSL?

Thank you

confoundr
  • 347
  • 3
  • 8
  • 18

2 Answers

3

Stumbled across your post looking for the same information. I think it's as below but yet to test.

Under Synchronisation Service Manager > Connectors select your domain connector > Properties. Under "Connect to Active Directory Forest" you have an options button, untick "Sign & Encrypt LDAP traffic" and select "Enable SSL for the Connection".

T-Rec
  • 46
  • 1
  • Thank you-- this sounds promising. Were there any articles that referenced that setting? Once I'm able to test I'll update the status. – confoundr Feb 27 '20 at 18:55
  • I took it from Tip 2 here https://blog.kloud.com.au/2017/11/03/generic-ldap-connector-for-azure-ad-connect/ This is all I could find other than the articles you mentioned. – T-Rec Feb 28 '20 at 08:25
  • Do I need to re-enter the password for this connector-- when I try it I get an error: "An error was encountered trying to retrieve the SSL cipher strength" – confoundr Mar 09 '20 at 22:43
  • Hmm.. do I need the forest name to point to the FQDN of the server instead of only the domain name. i.e. server.domain.local instead of domain.local? – confoundr Mar 09 '20 at 22:55
  • nope, that didn't work. – confoundr Mar 09 '20 at 22:56
  • LDP.exe shows: `Host supports SSL, SSL cipher strength = 256 bits` – confoundr Mar 09 '20 at 22:56
1

In case somebody else is struggling... I faced the same problem and got the error message "An error was encountered trying to retrieve the SSL cipher strength" when trying to enable LDAP via SSL.

I had to change the settings under "Synchronisation Service Manager > Connectors select your domain connector > Properties". Under "Configure Directory Partitions" you have an options button next to "Configure Connection Security", untick "Sign & Encrypt LDAP traffic" and select "Enable SSL for the Connection" (+Enable CRL Checking, which should obviously be yes if you are using cert based authentication :-).

Wireshark confirmed the setting and my traffic is now encrypted via TLSv1.2 between Azure AD Connect Server and the DC.

ArcMereel
  • 11
  • 1
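The two checks the thread relies on (LDP.exe reporting the cipher strength, and Wireshark showing TLS between the connector and the DC) can be scripted. The following is an added example, not code from the thread or from Microsoft; it assumes it runs on the Azure AD Connect server with local admin rights, that the sync engine process is `miiserver.exe`, and that `dc01.domain.local` is a placeholder for your own DC.

```powershell
# Added example, not from the original thread. Run on the Azure AD Connect
# server as an administrator; replace $DomainController with a real DC FQDN.
param(
    [string]$DomainController = 'dc01.domain.local',   # placeholder, assumption
    [int]$LdapsPort = 636
)

# 1) Which directory ports is the sync engine (miiserver.exe) connected to?
#    636/3269 = LDAPS; 389/3268 = plain LDAP (sign & seal is not TLS).
$syncPids = (Get-Process -Name miiserver -ErrorAction SilentlyContinue).Id
if ($syncPids) {
    Get-NetTCPConnection -OwningProcess $syncPids -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in 389, 636, 3268, 3269 } |
        Select-Object RemoteAddress, RemotePort,
            @{ n = 'Mode'; e = { if ($_.RemotePort -in 636, 3269) { 'LDAPS' } else { 'LDAP (no TLS)' } } }
} else {
    Write-Warning 'miiserver.exe (ADSync service) is not running on this host.'
}

# 2) Does the DC offer TLS on 636, and with what cipher strength?
#    This is the same information LDP.exe prints as "SSL cipher strength".
$tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $LdapsPort)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    # The default validation callback checks the chain and hostname; a failure
    # here is the kind of problem behind the "retrieve the SSL cipher strength"
    # error in the thread (untrusted issuer, name mismatch, expired cert, CRL).
    $ssl.AuthenticateAsClient($DomainController)
    [pscustomobject]@{
        Host            = $DomainController
        Protocol        = $ssl.SslProtocol
        CipherAlgorithm = $ssl.CipherAlgorithm
        CipherStrength  = $ssl.CipherStrength
        CertSubject     = $ssl.RemoteCertificate.Subject
        CertExpires     = $ssl.RemoteCertificate.GetExpirationDateString()
    }
} finally {
    $tcp.Close()
}
```

If step 1 shows only port 389 while step 2 succeeds, the DC is ready for LDAPS but the connector is still configured for plain LDAP with sign & seal, which is the setting the answers above change.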