LDAP Configuration: LDAPS to Active Directory DCs

Good day,

Our current LDAP Configuration contains several LDAP Endpoints (AD Domains) that connect to the IP Addresses of Domain Controllers.

As you know, Microsoft will soon release Windows Server Security Updates that will disable LDAP and only allow LDAPS on Domain Controllers.

Currently, Domain Controllers enroll their SSL Certificate for Kerberos Authentication (and LDAPS SSL) automatically via Internal PKI.

The Autoenrolled Certificates contain 3 SAN Names: the FQDN of the DC, the FQDN of the AD Domain, the short name of the AD Domain. They do not contain a SAN for the IP Address of the DC.

Given the fact that the LDAP Endpoints only allow for IP Addresses, these questions arise:

1) Does the Kemp LoadMaster allow the LDAPS TLS Handshake, if the SSL Certificate does not contain the IP Address?

2) Does the Kemp LoadMaster verify the SSL Certificate Chain of the presented LDAPS Certificate?

3) If 2) = yes, where can I import the Root Certificate of the Internal PKI, so that it is trusted?

Thank you very much,

Raoul Schaffner.




Nick Smylie

Hi Raoul,

1) Yes, we will allow the LDAPS even without an IP in the cert. Beyond that, though, you can add LDAP endpoints as an FQDN; you just need to make sure you have a valid DNS entry so the LoadMaster can resolve it.

2 and 3) We will not verify it. However, if for whatever reason you need to verify the chain via a root cert (SAML or client certs, for example), you can add the root cert as an intermediate cert.



Thelma foster


LDAP Secure Sockets Layer (LDAPS) is a secure version of the Lightweight Directory Access Protocol (LDAP) that is used to access and manage data stored in an Active Directory (AD) Domain Controller (DC). The following steps outline how to configure LDAPS to Active Directory DCs:

Obtain a certificate: To use LDAPS, you need to obtain a valid SSL certificate from a trusted certificate authority (CA).

Install the certificate: Install the SSL certificate on the Active Directory DCs. This can be done using the Certificate Services Management Console or the Certificate Import Wizard.

Enable LDAPS: Enable LDAPS on the Active Directory DCs by modifying the registry. This can be done using the Registry Editor or a script.

Verify the configuration: Verify that LDAPS is configured correctly by testing it with the Ldp.exe tool or by connecting to it using an LDAP client.

Update applications: Update any applications that use LDAP to connect to the Active Directory DCs to use LDAPS instead. This typically involves specifying a different port (636) and updating the connection string.

By following these steps, you can configure LDAPS to securely access and manage data stored in Active Directory DCs.
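Added example, not posted by anyone in this thread and not Kemp's or Microsoft's code: it shows why the IP-address endpoints in the original question cannot pass TLS name verification against a DC certificate that only carries DNS SANs (Nick's point 1), and how a client that does verify the chain against the internal PKI root would check a DC on port 636 (the "verify the configuration" step above). The SAN values and the `dc01.corp.example` / `10.0.0.5` endpoint are constructed; the live check function needs a real DC and a PEM file of your root CA.

```python
"""Name and chain verification for an LDAPS endpoint (added example)."""
import ipaddress
import socket
import ssl

# Constructed SAN list mirroring the three auto-enrolled SAN names from the
# question, in the (type, value) shape ssl.getpeercert() returns.
EXAMPLE_DC_SAN = [("DNS", "dc01.corp.example"), ("DNS", "corp.example"), ("DNS", "CORP")]


def _dns_match(pattern, host):
    """RFC 6125 style DNS-ID match: exact, or a wildcard in the left-most label only."""
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels = pattern.split(".")[1:]
        h_labels = host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return False


def san_matches_endpoint(san_entries, endpoint):
    """True if a verifying TLS client would accept 'endpoint' for this SAN list.
    An IP-address endpoint only matches an iPAddress SAN; a DNS endpoint only
    matches a DNS SAN (case-insensitive, trailing dot ignored)."""
    try:
        ip = ipaddress.ip_address(endpoint)
    except ValueError:
        ip = None
    for kind, value in san_entries:
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and _dns_match(value.lower(), endpoint.lower().rstrip(".")):
            return True
    return False


def ldaps_peer_cert(endpoint, root_ca_pem, port=636):
    """Live check: TLS handshake to the DC trusting only the internal PKI root
    (root_ca_pem = path to its PEM file). Raises ssl.SSLCertVerificationError
    when the chain or the name does not verify, i.e. the checks the answer
    above says the LoadMaster does not perform. Returns the decoded peer cert."""
    ctx = ssl.create_default_context(cafile=root_ca_pem)
    ctx.check_hostname = True
    with socket.create_connection((endpoint, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=endpoint) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for ep in ("dc01.corp.example", "corp", "10.0.0.5"):
        print(ep, "->", san_matches_endpoint(EXAMPLE_DC_SAN, ep))
```

Because the LoadMaster skips both checks, the DNS entries Nick suggests only fix the name-matching half; pinning the internal root on whichever client does verify is what catches a substituted certificate.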


