LDAPS VIP - how to?
Based on these two articles -
It seems MS hardening has made it difficult to load balance LDAPS.
In my current setup, when I have both a client and server SSL cert in the virtual server, ldp.exe can connect successfully, but when I try to bind I get the error:
Server error: 80090346: LdapErr: DSID-0C09058A, comment: AcceptSecurityContext error, data 80090346, v4563
Error 0x80090346 Client's supplied SSPI channel bindings were incorrect.
which appears to be expected since we have these reg settings:
So I removed both the client and server SSL profiles from the VS; once I did that I cannot connect at all:
Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
Wireshark shows the LDAP server requesting a client cert, not getting it, then terminating the session straight away.
Weird thing is, the VS pool has only one member, and I can successfully connect and bind directly to it on LDAPS, bypassing the F5.
I suspect the issue is that the DNS name I connect to resolves to the IP on the F5, which of course is not the name of the actual LDAP server, although I did try installing both the LDAP server and F5 virtual server client SSL certs on the test machine and it still didn't work. I wonder if this is actually possible to get working via F5?
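Added example, not code from the original post or from F5: it derives the RFC 5929 tls-server-end-point channel binding, the binding type behind the 80090346 error, for two constructed self-signed certificates standing in for the DC's certificate and the one in the F5 client-ssl profile, and shows that a CBT the client computes over the F5's certificate can never equal the one the DC computes over its own. The hostnames are placeholders.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newSelfSigned makes a throwaway self-signed ECDSA P-256 cert (constructed test data).
func newSelfSigned(cn string) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced above is well-formed
	return cert
}

// TLSServerEndPoint returns the RFC 5929 tls-server-end-point binding data: the prefix
// plus a hash of the DER certificate using its signature hash, where MD5/SHA-1 are
// promoted to SHA-256. The constructed certs are SHA-256 signed, so SHA-256 applies.
func TLSServerEndPoint(cert *x509.Certificate) []byte {
	sum := sha256.Sum256(cert.Raw)
	return append([]byte("tls-server-end-point:"), sum[:]...)
}

// ChannelBindingsMatch models the DC's check: client hashes the cert it saw, DC its own.
func ChannelBindingsMatch(clientSaw, serverOwns *x509.Certificate) bool {
	return bytes.Equal(TLSServerEndPoint(clientSaw), TLSServerEndPoint(serverOwns))
}

func main() {
	dc := newSelfSigned("dc01.example.test")  // cert on the domain controller
	f5 := newSelfSigned("ldaps.example.test") // cert in the F5 client-ssl profile
	fmt.Println("direct to DC:", ChannelBindingsMatch(dc, dc), "via F5 SSL bridging:", ChannelBindingsMatch(f5, dc))
}
```

With client-ssl and server-ssl profiles on the VS (SSL bridging) the client sees the F5's certificate while the DC compares against its own, so the bind fails exactly as in the ldp.exe output above; only a binding computed over the DC's own certificate (direct connection, or TLS not terminated on the F5) matches.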