The following information is intended for any SaaS customer who wants to integrate with Active Directory for authentication using LDAPS (Secure LDAP). If the customer hosts on-premises in the same datacenter as their Active Directory infrastructure, they can use plain LDAP and this article does not apply.
To configure LDAPS, we need the following information (in addition to the other LDAP information as described in the Technical Discovery Worksheet):
- a certificate from your internal Certificate Authority (run this command on your CA to export it: certutil -ca.cert client.crt). If you wish to use a third-party CA, please see this article for instructions on how to create a certificate request and obtain the correct certificate: https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority
- ports 636 and 3269 opened on the firewall
- the LDAPS connection URL, e.g. ldaps://dc.mycompany.com:636
You will need to test the connection and confirm that LDAPS traffic can reach the Domain Controller before we can proceed on our side. If you are unfamiliar with configuring LDAPS in your environment, please review the articles linked below.
You should be able to test the connection using Ldp.exe. The logging from that tool will help troubleshoot any issues. For more on how to use that tool: http://support.microsoft.com/kb/321051
"Use the Ldp.exe tool on the domain controller to try to connect to the server by using port 636. If you cannot connect to the server by using port 636, see the errors that Ldp.exe generates. Also, view the Event Viewer logs to find errors. For more information about how to use Ldp.exe to connect to port 636, click the following article number to view the article in the Microsoft Knowledge Base:
321051 How to enable LDAP over SSL with a third-party certification authority"
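For customers who cannot run Ldp.exe from the host that will reach the Domain Controller, the following added example (not part of this article or any vendor tooling) performs the same pre-flight check from a script: it parses the LDAPS URL, opens a TLS session on port 636 (or 3269 for the Global Catalog), and verifies that the server certificate chains to the CA certificate exported above and matches the hostname. The URL, CA file path and timeout are assumed inputs.

```python
"""Pre-flight check for an LDAPS endpoint using only the Python standard library.

Confirms that the LDAPS port is reachable through the firewall, that the TLS
handshake succeeds, and that the domain controller's certificate chains to the
customer's CA certificate (the client.crt exported with certutil) and matches
the hostname in the connection URL. Run it from a host that must reach the DC.
"""
import socket
import ssl
from urllib.parse import urlsplit


def parse_ldaps_url(url):
    """Return (host, port) from an LDAPS URL; port defaults to 636 (3269 = GC)."""
    parts = urlsplit(url)
    if parts.scheme.lower() != "ldaps" or not parts.hostname:
        raise ValueError(f"expected ldaps://host[:port], got {url!r}")
    return parts.hostname, parts.port or 636


def make_context(ca_file=None):
    """TLS context that requires a verified chain and a hostname match.
    ca_file is the PEM CA certificate from the customer's internal CA; when it
    is None the system trust store is used, which is the third-party-CA case."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # relax only if the DC cannot do 1.2
    return ctx


def check_ldaps(url, ca_file=None, timeout=5.0):
    """Connect, verify the server certificate, and report the result as a dict
    with ok (bool) plus either certificate details or an error string."""
    host, port = parse_ldaps_url(url)
    ctx = make_context(ca_file)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()  # only populated after a verified chain
                subject = {k: v for rdn in cert["subject"] for k, v in rdn}
                return {"ok": True, "port": port, "tls": tls.version(),
                        "subject": subject.get("commonName"),
                        "not_after": cert["notAfter"]}
    except OSError as exc:
        # Firewall blocks, untrusted CA, name mismatch and expired certs land here
        return {"ok": False, "port": port, "error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    import sys
    print(check_ldaps(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

Run it as `python check_ldaps.py ldaps://dc.mycompany.com:636 client.crt`; an `ok: False` result with a certificate verification error means the CA certificate or hostname is wrong, while a connection timeout points at the firewall.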