LDAP Configuration: LDAPS to Active Directory DCs

Good day,

Our current LDAP Configuration contains several LDAP Endpoints (AD Domains) that connect to the IP Addresses of Domain Controllers.

As you know, Microsoft will soon release Windows Server Security Updates that will disable LDAP and only allow LDAPS on Domain Controllers.

Currently, Domain Controllers enroll their SSL Certificate for Kerberos Authentication (and LDAPS SSL) automatically via Internal PKI.

The Autoenrolled Certificates contain 3 SAN Names: the FQDN of the DC, the FQDN of the AD Domain, and the short name of the AD Domain. They do not contain a SAN for the IP Address of the DC.

Given the fact that the LDAP Endpoints only allow for IP Addresses, these questions arise:

1) Does the Kemp LoadMaster allow the LDAPS TLS Handshake, if the SSL Certificate does not contain the IP Address?

2) Does the Kemp LoadMaster verify the SSL Certificate Chain of the presented LDAPS Certificate?

3) If 2) = yes, where can I import the Root Certificate of the Internal PKI, so that it is trusted?

Thank you very much,

Raoul Schaffner.
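As an added illustration of question 1 (example code, not part of the original post or of Kemp's documentation): the subjectAltName matching rule that standards-following TLS clients apply to a certificate like the one described above. The SAN set and the `corp.example` names are constructed for the example; the matcher also handles wildcard and `IP Address` SANs, which the post's certificate does not have.

```python
import ipaddress

# Constructed example: the SAN set described in the post, in the shape that
# ssl.SSLSocket.getpeercert() returns it (DNS entries only, no IP Address entry).
DC_CERT = {
    "subject": ((("commonName", "dc01.corp.example"),),),
    "subjectAltName": (
        ("DNS", "dc01.corp.example"),   # FQDN of the DC
        ("DNS", "corp.example"),        # FQDN of the AD domain
        ("DNS", "CORP"),                # short (NetBIOS) name of the AD domain
    ),
}


def _dns_label_match(pattern: str, hostname: str) -> bool:
    """Match one DNS SAN against a hostname: case-insensitive, trailing dot
    ignored, wildcard allowed only as the whole leftmost label."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    parts = hostname.split(".")
    return len(parts) > 1 and ".".join(parts[1:]) == pattern[2:]


def san_matches(cert: dict, target: str) -> bool:
    """True if the endpoint target (what the client typed in the URL) is covered
    by the certificate's subjectAltName. An IP target is only satisfied by an
    'IP Address' SAN; a name target is only satisfied by a 'DNS' SAN. The CN is
    not consulted, matching modern client behaviour."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in sans)
    return any(kind == "DNS" and _dns_label_match(val, target) for kind, val in sans)


def explain(cert: dict, target: str) -> str:
    """Verdict for one endpoint, naming what would make it verify."""
    if san_matches(cert, target):
        return f"{target}: OK, covered by SAN"
    dns = [val for kind, val in cert.get("subjectAltName", ()) if kind == "DNS"]
    return (f"{target}: MISMATCH; certificate only names {dns}. Point the endpoint "
            "at one of those names or add an IP Address SAN to the template.")
```

Running `explain(DC_CERT, "10.0.0.5")` versus `explain(DC_CERT, "dc01.corp.example")` shows why an IP-only endpoint configuration fails verification while the same certificate is accepted for the FQDN.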