suddenly LDAPS problem

Eprs_Admin (Austria) asked:
Hi Experts,

We have several Active Directory servers in our network.
Other applications like ownCloud and RT use the AD as an authentication server via LDAP.

Some days ago this changed suddenly, without any updates being installed.
Now only LDAPS connections can be used.

Can you help me find out why it changed, and where?
Mahesh (India):

AD (always) supports both kinds of communication (LDAP and LDAPS).

You must have changed something in the apps so that they only connect through LDAPS; check your application settings.
Eprs_Admin (asker):

Where do I configure LDAP access on my AD?

We haven't changed LDAP or LDAPS on the AD, but our apps only accept LDAPS now.
I need to know why.
Mahesh:

What you can do: try telnet to the AD server on TCP 389, 636, 3268 and 3269 from your application server / other workstations and check whether telnet succeeds.
If it succeeds, AD is functioning normally and something is wrong with the application; you need to fix the application.
Eprs_Admin:

I have tried telnet to my AD.
I have 4 ADs in my network.
All of them have refused telnet.

What else can I check?
Is it a problem to have an AD with 2016 in the network?

I have tried telnet with your 4 different ports.
Just 636 and 3269 are working and return no error.
Mahesh:

Are you saying that the AD server is not listening on TCP 389 and 3268?

Download the PortQryUI tool from Microsoft, run it on your management workstation, select "Domains and Trusts", enter the AD server IP as destination and run the test.
Then post the output here.

Eprs_Admin:

Nothing has been changed from a network standpoint on the 2016 server.
This problem started on 24.1.2018.
Until this date it was possible to use LDAP from ownCloud.
One day later it wasn't working anymore.
Maybe Microsoft updates?
But we haven't installed any update.
Or a silent update?
Mahesh:

What is ownCloud?
Where are your DCs located?
Is there any firewall in between?
Where are your apps located?
Eprs_Admin:

The result is here:
PortQuery-result.log
Mahesh:

I don't see any issues in the output.

The DC is listening on TCP 389 and 3268, and on all the other AD ports.

I don't know how you figured out that AD is not listening on the well-known LDAP ports.

If you could explain / answer my last comment, we can find a solution to your issue...
Eprs_Admin:

ownCloud is an application server on Linux.
RT is an application server on Linux.

They have used LDAP to authenticate.
Mahesh:

Is there any firewall between AD and the applications?
Eprs_Admin:

No, the servers are on the same subnet.
Mahesh:

Then your AD is working / listening on all well-known ports; I don't see any issues.

Your application server is behaving differently; check with the application support / team.
Eprs_Admin:

OK, thanks.
And thanks for the analysis.
Eprs_Admin:

Hi,
but the problem still exists.
Today the developer came to me; his applications cannot connect to AD via LDAP.

Any ideas?
On the AD I have tons of errors in the event log:

A fatal alert was received from the remote endpoint. The TLS protocol defined fatal alert code is 46.
Mahesh:

Yes, the problem is not resolved; we have tried to isolate it.
As long as AD is able to listen on the LDAP ports (389 / 636) etc., you need to check how the app is connecting to AD LDAP.
Is there any syntax / string error?
Is the account used to connect to AD locked? Or is the developer entering wrong credentials?
What interface does he have for connectivity...
Eprs_Admin:

I think with the AD all is OK, like you.
Maybe it has to do with the certificate?

https://stackoverflow.com/questions/24389689/ldap-over-ssl-with-java

What does this mean inside the Default Domain Policy:

Local Policies/Security Options
Domain Controller
Policy | Setting | Winning GPO
Domain controller: LDAP server signing requirements | Require signing | Default Domain Controllers Policy
Mahesh (accepted solution; the text is only available to members)
Eprs_Admin:

OK, I have checked this policy:
"Default Domain Controllers Policy"

This policy was changed on exactly the same date the problem started.

The setting "LDAP server signing requirements" is set to REQUIRE SIGNING.

But why was it changed?
I have asked all administrators; no one did it.
I have checked all updates on all AD servers; there was no update on this particular date.
Do you have any ideas how this happened?
Mahesh:

There is no way a policy can change automatically;
somebody has done this manually.
Check whether your admins had been trying to make GPO changes related to LDAP connectivity to make it signed etc.
Changes will not be logged until you enable advanced audit logging.
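The checks discussed in this thread, gathered into one script as an added example (this is not code from the thread, from the asker, or from Microsoft): the port test Mahesh asked for earlier, the registry value that the "LDAP server signing requirements" setting of the Default Domain Controllers Policy writes to each DC, the GPO's last modification time to compare with the day the applications stopped working, and the Directory Service events that record unsigned binds. It assumes a domain-joined management workstation with the ActiveDirectory and GroupPolicy RSAT modules, WinRM access to the DCs, and an account allowed to read the DCs' registry and event logs; the regex over the GPO XML report is an assumption about the report layout.

```powershell
# Added example (not from the thread). Assumes: domain-joined management
# workstation, ActiveDirectory + GroupPolicy RSAT modules, WinRM to the DCs,
# and rights to read the DCs' registry and Directory Service event log.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$dcs = (Get-ADDomainController -Filter *).HostName

# 1. The port test suggested earlier: LDAP, LDAPS, GC and GC over SSL on every DC.
$ports = [ordered]@{ LDAP = 389; LDAPS = 636; GC = 3268; 'GC-SSL' = 3269 }
foreach ($dc in $dcs) {
    foreach ($name in $ports.Keys) {
        $open = (Test-NetConnection -ComputerName $dc -Port $ports[$name] `
                    -WarningAction SilentlyContinue).TcpTestSucceeded
        '{0,-30} {1,-7} {2,5}  {3}' -f $dc, $name, $ports[$name], $(if ($open) { 'open' } else { 'CLOSED' })
    }
}

# 2. "Domain controller: LDAP server signing requirements" is stored on each DC as
#    HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity:
#    1 = None (unsigned simple binds on 389/3268 accepted), 2 = Require signing.
#    With 2, an unsigned bind on 389 is rejected while LDAPS on 636 still works.
foreach ($dc in $dcs) {
    $val = Invoke-Command -ComputerName $dc -ScriptBlock {
        (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters' `
                          -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    }
    $meaning = if ($val -eq 2) { 'Require signing' }
               elseif ($val -eq 1) { 'None' }
               else { 'not set (behaves as None)' }
    '{0,-30} LDAPServerIntegrity = {1}  ({2})' -f $dc, $val, $meaning
}

# 3. When was the Default Domain Controllers Policy last modified? Compare this
#    with the day the applications stopped working.
$gpo = Get-GPO -Name 'Default Domain Controllers Policy'
'GPO {0} ({1}) last modified: {2}' -f $gpo.DisplayName, $gpo.Id, $gpo.ModificationTime

# The XML report lists the registry key name followed by its SettingNumber;
# the regex is an assumption about that layout, adjust it if your report differs.
$report = Get-GPOReport -Guid $gpo.Id -ReportType Xml
if ($report -match 'LDAPServerIntegrity</[^>]+>[\s\S]*?SettingNumber>(\d+)<') {
    'Policy sets LDAPServerIntegrity = {0}' -f $Matches[1]
}

# 4. Evidence from each DC's Directory Service log: event 2887 (logged once a day
#    by default) counts unsigned / clear-text binds; 2889 names each client, but only
#    when the "16 LDAP Interface Events" diagnostic level is set to 2 or higher.
foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2889 } `
                 -MaxEvents 20 -ErrorAction SilentlyContinue |
        Select-Object @{ n = 'DC'; e = { $dc } }, TimeCreated, Id,
                      @{ n = 'Summary'; e = { ($_.Message -split "`r?`n")[0] } }
}
```

With LDAPServerIntegrity = 2 the DC refuses an unsigned simple bind on 389/3268 (the client receives LDAP result 8, strongerAuthRequired) while binds over 636/3269 still succeed, which is exactly the symptom reported in this thread. The TLS alert 46 (certificate_unknown) errors in the DC event log are a separate matter: a client on the LDAPS path that does not trust the DC's certificate, as the linked Stack Overflow question describes for Java.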
Eprs_Admin:

I have asked, and nobody changed this :-(
You know, always the same :-)

Do you mean this can't be done automatically?
Mahesh:

The setting we are referring to is in a GPO, namely the Default Domain Controllers Policy.
Normally nobody touches these very important and risky GPOs, as any change to a GPO setting will impact the entire network / domain, and as far as I know no tool is available on the internet to make / schedule automatic changes in GPOs, knowingly or unknowingly, apart from the GPO interface, and not without appropriate rights to modify the GPO.
Your admins will not admit it even if the setting was changed mistakenly by one of them, as it would lead to escalation.
Eprs_Admin:

Thanks a lot for your help.
I have changed this setting back and our application is running again.
Great troubleshooting.