Forum Discussion
Client unable to bind to LDAPs through LTM virtual for LDAPS
I have setup my F5 LTM 11.4.0 to have a virtual server that is receiving LDAP requests over 636. I have a profile setup with a cert/key for the client communication and a server profile setup with no cert/key (as I will use the cert being served up by the AD resource). I made 2 virtuals technically as I did one manually and the other through the iApp .. both failed.
The client application attempts to connect and get a "unable to connect". Installed 2 third party tools and get the same type of error messages.
When I setup the F5 LTM to have no cert/key on the client and whistle the transaction through - it works. Even when I use 636 on the server side, it works (appears to rule out the AD cert). However, once I put the client cert/key back in - it fails.
So everything points to either a cert issue or an F5 configuration issue. I'm not sure how to troubleshoot it as the certificate really does look valid. (Correct SAN, Key Usage, SHA1 algorithm, etc.)
Even the tcpdump analysis simply states: SYN/ SYN,ACK/ ACK/ cert exchange/ change cipher spec x3/ ACK/ RST,ACK - Why the hell did it send a reset packet?
Any advice on how to troubleshoot this?
- F5User-LB_25540Nimbostratus
Bug in F5 When configuring LDAPS (Secure LDAP). Please Fix F5 to accept hostname for Secure LDAP server pool connections.
Why it is an issue with F5's... Microsoft by default creates a cert that uses FQHN on domain controllers. By default in order to connect via LDAPS to Microsoft domain controller you must connect using FQHN, NOT IP. Big F5 only accepts IPs for LDAP which makes secure LDAPS fail to Microsoft Domain Controllers.
Work Around: Add an additional certificate on the Domain controller with IP as subject alternative name?
- Amresh008Nimbostratus
@ F5User-LB, please update the BUG ID for this and as per my understanding, let's say that the ssl certificate has been issued on the name of xyz.com, with it's IP being 1.2.3.4, you suggest that another certificate be issued for 1.2.3.4 as the name ?
- F5User-LB_25540Nimbostratus
Active Directory Domain controllers use an internal active directory certificate authority. So xyz.local not xyz.com. The domain controller will be named DC01.xyz.local with a private or public IP of 1.2.3.4. Every server joined to Active directory automatically gets an internal certificate. My opinion, most admins are not going to do a public certificate for Active directory. Doesn't make sense and adds an un-needed level of complexity. The Certificate has Subject alternative name has DC01.xyz.local and no IP address specified. So to do LDAPS, the F5 needs to trust the active directory certificate authority AND accept a hostname of DC01.xyz.local instead of IP address to connect to the domain controller in order to secure LDAP (LDAPS). Because it is connecting with IP address and not hostname, Microsoft decides the connection is insecure and refuses the connection. This is the way I understand it to work after trying to connect with DNS and IP using LDAP testing tools and diving into the errors. You would need to contact Microsoft to get further information. P.S, it has been 2 years, I gave up and found an alternate method to authenticate that worked. Hope this helps you, but I'm not willing to spend more time on it.
- Antish_293579Nimbostratus
Hi Guys..can you pls help me with config that i have to do on LDAP VS on F5 to set up all of this...i am failing again & again in that. My client is Webserver connecting to AD via F5 & AD servers are in F5 pool.
- Shawn_ConwayCirrus
Did you ever get an answer on this? I was able to use the iapp (to Microsoft AD) and get it working (for browsing anyway) with client side certificate and server side certificate and without any. But, get some failures from an application trying to change passwords or move users to other OU's. Just started troubleshooting.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com