How to Configure LDAPS for Active Directory Integration (2024)

When configuring a Dell product such as OpenManage Enterprise or an iDRAC to integrate with Microsoft Active Directory, the connection to the domain controller over LDAPS may fail even though the directory settings appear correct, and port 636 is accessible. This can occur if the target domain controller does not have a valid certificate installed.

By default, Active Directory Domain Services bind to port 389 for insecure LDAP requests and 636 for LDAP over SSL (LDAPS). However, even though port 636 is open in the Windows firewall and accepts TCP connections, any directory requests made over port 636 are rejected if the DC does not have a trusted certificate to bind to the service during startup.

You can test LDAPS connectivity by using the LDP tool, which is installed on the domain controller by default as part of the Active Directory management features.

1. Run the following commandin an administrative command prompt on the domain controller.

ldp.exe

2. Click Connection > Connect.
3. Enter the FQDN of the domain controller and connect over port 636 using SSL.

4. Check the output. If the connection fails with "Error <0x51> Fail to connect," then the domain controller does not have an LDAPS certificate, and Dell products are unable to use Active Directory integration with this domain controller until a certificate is installed.

Resolving this issue requires installing a valid certificate on all domain controllers that the system uses for AD integration. Microsoft has an article documenting the requirements for LDAPS certificates and the process for requesting a certificate from a certificate authority server:https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority

Alternatively, since the certificate must only be trusted by the domain controller itself, customers without a certificate authority server can enable LDAPS by creating a self-signed certificate on the DC using the steps listed below.

1. Open an administrative PowerShell window on the domain controller.
2. Run the following command to create the certificate:

New-SelfSignedCertificate -DnsName dc1.domain.local, dc1 -CertStoreLocation cert:\LocalMachine\My(replacing "dc1.domain.local" and "dc1" with the FQDN and name of your domain controller)

3. Run the following commandto open the certificate management snap-in for the local machine.

certlm.msc

4. Browse to Personal > Certificates, locate the newly created certificate, and copy it into Trusted Root Certification Authorities > Certificates.
5. Wait for LDAPS to bind to port 636 using the new certificate. This is done automatically andtakes less than a minute.
6. Use the following command to verify the connection to the DC using SSL over port 636.

ldp.exe

After a valid certificate is installed on the domain controller and the ldp.exe test connects successfully, the directory service integration test on the iDRAC/OME can communicate with the domain controller.