Sudden LDAPS problem

Hi Experts,

We have several Active Directory servers in our network.
Other applications like ownCloud and RT use the AD as an authentication server via LDAP.

Some days ago this changed suddenly and without installing updates.
Now only LDAPS connections can be used.

Can you help me find out why this changed and where?
Eprs_Admin (System Architect) asked:
Mahesh (Architect) commented:
AD does (always) support both types of communication (LDAP and LDAPS).

You must have changed something in the apps and they are only connecting through LDAPS; check your application settings.
0
Eprs_Admin (System Architect, author) commented:
Where do I configure LDAP access on my AD?

We haven't changed LDAP or LDAPS on the AD, but our apps just accept LDAPS now.
I need to know why.
0
Mahesh (Architect) commented:
What you can do: try telnet to the AD server on TCP 389, 636, 3268, 3269 from your application server / other workstations and check if telnet is successful.
If successful, AD is functioning normally and something is wrong with the application; you need to fix the application.
0
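The telnet check in the comment above tells you whether a port accepts a TCP connection, but not whether the DC will accept a bind on it. The PowerShell below is an added example (not posted in this thread) that automates the port check and then goes one step further: on a plain-LDAP port it attempts a simple, unsigned bind with System.DirectoryServices.Protocols and reports the LDAP result code separately from the TCP result. A DC that has been told to require LDAP signing still accepts the TCP connection (so telnet "works") but answers an unsigned simple bind with result code 8, strongerAuthRequired, which is exactly what an application doing plain LDAP would see. The host names and the bind account are placeholders.

```powershell
# Added example, not from the thread. Probes the well-known AD LDAP ports and then
# tries a simple (unsigned, non-TLS) bind on the plain-LDAP port so that
# "port open" and "bind accepted" are reported separately. Host names and the
# credential used below are placeholders for your own environment.

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AdLdapPorts {
    param(
        [Parameter(Mandatory)] [string] $Dc,
        [int[]] $Ports = @(389, 636, 3268, 3269),
        [int] $TimeoutMs = 3000
    )
    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        $open = $false
        try {
            $async = $client.BeginConnect($Dc, $port, $null, $null)
            if ($async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
                $client.EndConnect($async)      # throws if the port refused the connection
                $open = $client.Connected
            }
        } catch { $open = $false }
        finally { $client.Close() }
        [pscustomobject]@{ Dc = $Dc; Port = $port; TcpOpen = $open }
    }
}

function Test-AdSimpleBind {
    param(
        [Parameter(Mandatory)] [string] $Dc,
        [Parameter(Mandatory)] [pscredential] $Credential,
        [int] $Port = 389
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Dc, $Port)
    $auth = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind: no signing, no TLS
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id, $Credential.GetNetworkCredential(), $auth)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.Timeout = [timespan]::FromSeconds(5)
    try {
        $conn.Bind()
        [pscustomobject]@{ Dc = $Dc; Port = $Port; Result = 'BindOK'; Detail = '' }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # Result code 8 (strongerAuthRequired) is what a DC returns to an unsigned
        # simple bind when "LDAP server signing requirements" is set to Require signing.
        $code   = $_.Exception.ErrorCode
        $result = if ($code -eq 8) { 'SigningRequired' } else { "LdapError$code" }
        [pscustomobject]@{ Dc = $Dc; Port = $Port; Result = $result; Detail = $_.Exception.ServerErrorMessage }
    } finally {
        $conn.Dispose()
    }
}

# Usage (placeholders), from the application server or a management host:
#   Test-AdLdapPorts -Dc 'dc01.example.com' | Format-Table
#   Test-AdSimpleBind -Dc 'dc01.example.com' -Credential (Get-Credential 'EXAMPLE\svc-owncloud')
```

Run the port test first; if 389 shows TcpOpen but the bind comes back as SigningRequired, the application is not broken, the DC is refusing unsigned binds, and the fix is either on the DC policy side or in the application (switch it to LDAPS or to a signed SASL bind).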
Eprs_Admin (System Architect, author) commented:
I have tried telnet to my AD.
I have 4 ADs in my network.
All of them refused telnet.

What else can I check?
Is it a problem to have an AD with 2016 in the network?
0
Eprs_Admin (System Architect, author) commented:
I have tried telnet with your 4 different ports.
Just 636 and 3269 are working and return no error.
0
Mahesh (Architect) commented:
Are you saying that the AD server is not listening on TCP 389 and 3268?

Download the PortQryUI tool from Microsoft, run it on your management workstation, select "domain and trust", enter the AD server IP as destination and run the test.
Then post the output here.

Nothing has changed from a network standpoint on the 2016 server.
0
Eprs_Admin (System Architect, author) commented:
This problem started on 24.1.2018.
Until this date it was possible to use LDAP from ownCloud.
One day later it wasn't working anymore.
Maybe Microsoft updates?
But we haven't installed any update.
Or a silent update?
0
Mahesh (Architect) commented:
What is ownCloud?
Where are your DCs located?
Is there any firewall in between?
Where are your apps located?
0
Eprs_Admin (System Architect, author) commented:
The result is here:
PortQuery-result.log
0
Mahesh (Architect) commented:
I don't see any issues in the output.

The DC is listening on TCP 389, 3268 including all AD ports.

I don't know how you figured out that AD is not listening on the well-known LDAP ports?

If you could explain / answer my last comment, we can find a solution to your issue...
0
Eprs_Admin (System Architect, author) commented:
ownCloud is an application server on Linux.
RT is an application server on Linux.

They have used LDAP to authenticate.
0
Mahesh (Architect) commented:
Is there any firewall between AD and the applications?
0
Eprs_Admin (System Architect, author) commented:
No, the servers are on the same subnet.
0
Mahesh (Architect) commented:
Then your AD is working / listening on all well-known ports; I don't see any issues.

Your application server is behaving differently; check with application support / team.
0
Eprs_Admin (System Architect, author) commented:
OK, thanks.
And thanks for the analysis.
0
Eprs_Admin (System Architect, author) commented:
Hi,
but the problem still exists.
Today the developer came to me; his applications cannot connect to AD via LDAP.

Any ideas?
0
Eprs_Admin (System Architect, author) commented:
On the AD I have tons of errors in the event log:

A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 46.
0
Mahesh (Architect) commented:
Yes, the problem is not resolved; we have tried to isolate it.
As long as AD is able to listen on the LDAP ports (389 / 636) etc., you need to check how the app is connecting to AD LDAP.
Is there any syntax / string error?
Is the account used to connect to AD locked? Or is the developer entering wrong credentials?
What interface does he have for connectivity...
0
Eprs_Admin (System Architect, author) commented:
I think with the AD all is OK, like you.
Maybe it has to do with the certificate?

https://stackoverflow.com/questions/24389689/ldap-over-ssl-with-java
0
Eprs_Admin (System Architect, author) commented:
What does this mean inside the Default Domain Policy:

Local Policies/Security Options
Domain Controller
Policy                                               Setting          Winning GPO
Domain controller: LDAP server signing requirements  Require signing  Default Domain Controllers Policy
0
Mahesh (Architect) commented:
In both the "Default Domain Policy" and the "Default Domain Controllers Policy", "LDAP server signing requirements" should be set to "None" only; otherwise all your LDAP connections will get disconnected unless they are also configured to require signing and those clients support LDAP signing.
The setting can be found under:
Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
0
Eprs_Admin (System Architect, author) commented:
OK, I have checked this policy:
"Default Domain Controllers Policy"

This policy was changed on exactly the same date the problem started.

The setting "LDAP server signing requirements" is set to REQUIRE SIGNATURE.

But why was it changed?
I have asked all administrators; no one did it.
I have checked all updates on all AD servers; no update on this particular date.
Do you have any ideas how this happened?
0
Mahesh (Architect) commented:
There is no way a policy can change automatically.
Somebody has done this manually.
Check if your admins had been trying to make GPO changes related to LDAP connectivity to make it signed, etc.
Changes will not be logged until you enable advanced audit logging.
0
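Two things from the last comments can be checked from the console rather than by asking around: what each DC is actually enforcing, and who edited the GPO. The PowerShell below is an added example, not something posted in this thread. It reads the value the GPO writes to the DC registry (LDAPServerIntegrity under the NTDS service parameters key, where 1 means None and 2 means Require signing), shows the modification time and version of the Default Domain Controllers Policy, and pulls Directory Service Changes events (ID 5136) for groupPolicyContainer objects, which record the account that modified the GPO object. It assumes the RSAT GroupPolicy and ActiveDirectory modules and domain admin rights. As the comment above says, 5136 is only written once the "Directory Service Changes" audit subcategory is enabled (and a SACL exists on the policies container, which the example does not set), so it catches future edits, not one made before auditing was on.

```powershell
# Added example, not from the thread. Run elevated on a DC or a management host
# with the RSAT GroupPolicy and ActiveDirectory modules installed.

Import-Module GroupPolicy
Import-Module ActiveDirectory

function Get-LdapSigningSetting {
    # Effective value on each DC; the GPO "Domain controller: LDAP server signing
    # requirements" is written to this registry value (1 = None, 2 = Require signing).
    param([string[]] $DomainController = (Get-ADDomainController -Filter * | Select-Object -ExpandProperty HostName))
    foreach ($dc in $DomainController) {
        $value = Invoke-Command -ComputerName $dc -ScriptBlock {
            (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
        }
        [pscustomobject]@{
            DomainController    = $dc
            LDAPServerIntegrity = $value
            Meaning             = $(switch ($value) { 2 { 'Require signing' } 1 { 'None' } default { 'not set / unknown' } })
        }
    }
}

function Get-DcPolicyModification {
    # When the Default Domain Controllers Policy object was last changed and its computer-side version.
    $gpo = Get-GPO -Name 'Default Domain Controllers Policy'
    [pscustomobject]@{
        Name             = $gpo.DisplayName
        Id               = $gpo.Id
        ModificationTime = $gpo.ModificationTime
        ComputerVersion  = $gpo.Computer.DSVersion
    }
}

function Enable-GpoChangeAuditing {
    # Turns on the advanced audit subcategory that produces event 5136.
    # A SACL on CN=Policies,CN=System,<domain> is still required for the events to appear.
    auditpol.exe /set /subcategory:"Directory Service Changes" /success:enable
}

function Get-GpoChangeEvents {
    # Event 5136 ("A directory service object was modified") filtered to GPO objects.
    param(
        [datetime] $Since = (Get-Date).AddDays(-30),
        [string] $DomainController = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 5136; StartTime = $Since }
    Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        [xml] $xml = $_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['ObjectClass'] -eq 'groupPolicyContainer') {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Who       = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
                Object    = $data['ObjectDN']
                Attribute = $data['AttributeLDAPDisplayName']
                Value     = $data['AttributeValue']
                Operation = $data['OperationType']
            }
        }
    }
}

# Usage (on a DC, elevated); the date is the one named in this thread:
#   Get-LdapSigningSetting | Format-Table
#   Get-DcPolicyModification
#   Get-GpoChangeEvents -Since (Get-Date '2018-01-23') | Format-Table -AutoSize
```

Comparing the ModificationTime from Get-DcPolicyModification with the date the applications stopped binding confirms the link; the 5136 events, once auditing is on, give you the "who" for any repeat of this, and the SACL plus audit subcategory should be left enabled so that the next GPO edit is attributable.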
Eprs_Admin (System Architect, author) commented:
I have asked and nobody changed this :-(
You know, always the same :-)

Do you mean this can't be done automatically?
0
Mahesh (Architect) commented:
The setting we are referring to is in a GPO, and it is also in the Default Domain Controllers Policy.
Normally nobody touches these very important and risky GPOs, as any change in a GPO setting will impact the entire network / domain, and as far as I know no tool is available on the internet to make / schedule automatic changes in GPOs, knowingly or unknowingly, apart from the GPO interface and without appropriate rights to modify the GPO.
Your admins will not agree even if the setting has been changed mistakenly by one of them, as it leads to escalation.
0
Eprs_Admin (System Architect, author) commented:
Thanks a lot for your help.
I have changed this setting back and our application is running again.
Great troubleshooting.
0