How do I configure Active Directory for 3rd party LDAPS integrations?

Audience
Public
Product
FlashBlade
Content Type
Source Type
Knowledge Base

How do I configure Active Directory for 3rd party LDAPS integrations?

KB0016260
Pure Product
FlashBlade
Question

How do I configure Active Directory for 3rd party LDAPS integrations?
Or
Why do I get the following error from my PureAD account test:

Opening a connection to the domain controller(s) using secure LDAP communication failed. 
Please verify that LDAPS is enabled on the controllers within the domain and that controllers have valid certificates configured to support secure communication.
Answer

By default, Active Directory binds to port 389 for an insecure LDAP connection, and 636 for a secure LDAPS connection. Without a trusted certificate, Active Directory will not enable LDAPS and wont listen for requests over port 636 resulting in LDAPS requests failing and the connection redirecting to the insecure port 389. This will occur even if the secured port is open and accessible as the request on 636 will be rejected prompting the communication to try again on 389. 

For security reasons PureAD only supports LDAPS for querying information from Active Directory.

To enable LDAPS on your Active Directory Domain Server per Microsoft Documentation https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority:

The LDAP is used to read from and write to Active Directory. By default, LDAP traffic is transmitted unsecured. 
You can make LDAP traffic confidential and secure by using SSL/Transport Layer Security (TLS) technology.
You can enable LDAP over SSL (LDAPS) by installing a properly formatted certificate from either a Microsoft certification authority (CA) or a non-Microsoft CA.

There's no user interface for configuring LDAPS.
Installing a valid certificate on a domain controller permits the LDAP service to listen for, and automatically accept, SSL connections for both LDAP and global catalog traffic.
Check if your Active Directory Domain Server accepts LDAPS traffic:

LDAPS connectivity can be tested by using the LDP tool on the Domain Controller (DC) this utility is included in the default Windows Server install.

1. Run ldp.exe in an administrator command prompt to open the GUI tool.

2. Click on Connection > Connect

3. Enter the Domain Controller FQDN and test over port 636 with SSL.

4. Check the output for "Error <0x51>". This shows that the DC is unable to accept LDAPS traffic. This is mostly caused by LDAPS being disabled due to there not being a certificate installed on the Domain Controller. Once a certificate is installed this enables LDAPS and allows the Domain Controller to listen for LDAPS traffic, allowing PureAD to query your Active Directory via LDAPS.

 

Adding a certificate to the Domain Controller: Option 1:

For your Active Directory Domain Controllers to accept LDAPS traffic a certificate is required to enable LDAPS support in Active Directory. It is recommended to have a certificate added to each Active Directory Domain Controller that you wish FlashBlade to communicate with. Please see the following Microsoft documentation for further details on adding certificates, and the process for creating and requesting a certificate from a valid trusted certificate authority server here:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority

  Option 2:

If allowed by your company's security policy a Self Signed certificate can be installed on the Domain Controller to enable LDAPS in Active Directory.

Below is a example workflow for adding a Self Signed certificate to a Windows Server. This is not an endorsement from Pure Storage to use Self Signed Certificates.

1. From an Administrator PowerShell window run the following command to generate a certificate:

New-SelfSignedCertificate -DnsName dc101.domain.local, dc101 -CertStoreLocation cert:\LocalMachine\My

NOTE: Replace dc101.domain.local and dc101 with the FQDN and domain controller name.

2. Run certlm.msc as an administrator to open the certificate management window:

3. Go to Personal > Certificate to find the new certificate and copy it into Trusted Root Certification Authorities > Certificates.

     

LDAPS should now be enabled in Active Directory now that a certificate is installed on the Domain Controller. You can verify LDAPS connectivity by using the ldp.exe application per the above instructions.

 

Once a valid certificate is installed on the Domain Controller this enables LDAPS support in Active Directory.
Now that LDAPS support is enabled the Domain controller can listen for LDAPS traffic allowing the PureAD integration to work with your Active Directory.

 

Additional Information

You can refer to the following Microsoft KB for further details and information: https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority