based on these two articles -https://relevantsecurity.wordpress.com/2021/04/11/ldap-channel-binding-and-load-balanced-vips/https://support.f5.com/csp/article/K05648102It seems MS hardening has made it difficult to load balance ldaps.In my cyurrent setup when I have both a client and server ssl cert in the virtual server, ldp.exe can connect successfully, but when I try and bind I get the error:Server error: 80090346: LdapErr: DSID-0C09058A, comment: AcceptSecurityContext error, data 80090346, v4563Error 0x80090346 Client's supplied SSPI channel bindings were incorrect.which appears tio be expected since we have these reg settings:LDAPServerIntegrity: 1LdapEnforceChannelBinding: 1 So I removed both the client and server ssl profiles from the VS, once I did that I can not connect at all:Error 81 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);wireshark shows the ldap server requesting a client cert, not getting it then terminating the session straight away.Weird thing is, the VS pool has only one member, and I can successfully connect and bind directly to it on ldaps bypassing the F5. I suspect the issue is the dns name I connect to resolves to the IP on the F5, which of course is not the name of the actual ldap server, although I did try installing both the ldap server and f5 virtual server client ssl cert on the test machine and still didn't work. I wonder if this is actually possible to get working via F5?

sorry forgot to reply. We got it workign using client and server ssl certs, the trick is you need all the sans in the cert including the Ip address of vip, ip address of pool member, domain the client connects to, the hostname of the pool member etc.

LDAPS vip - how to? | DevCentral

Forum Discussion

Help guide the future of your DevCentral Community!

What tools do you use to collaborate? (1min - anonymous)

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Jonathan - March 2026 Featured Member

F5 AppWorld 2026 Las Vegas - iRules Contest Winners!

2026 F5 DevCentral MVP Announcement

Recent Discussions

F5 rate limiting with Irule

Grpc Keepalive and F5 full proxy

Bigip Restoration From Hardware to VM

Help with SSH Virtual Server

About vlangroup traffic

Related Content

LDAP Proxy

Lightboard Lessons: Vip Targeting Vip

VIP in https that redirect to another vip in https

LDAP StartTLS Extension to LDAPS Proxy

LDAP Auth, LDAP Query with UPN fails

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS