0 Replies Latest reply on Feb 10, 2015 4:02 PM by justinmercier

    Cannot configure ePO 5.0.1 to use Active Directory with 'use SSL'

    justinmercier

      Forgive me if I am missing something obvious, but I have read through the Product and Installation guides and seem to have things set up correctly.  For reference I am running ePO 501L on Windows Server 2008 R2 against Active Directory at the 2008 R2 forest/domain functional level, and wish to register an LDAP (Active Directory) server to synchronize my System Tree and selectively map ePO accounts.


      All in all ePO is working nicely, however when I try and register an LDAP/AD server and click 'Test Connection' I get the following results:


      • If I check the box "Use SSL" I get an error: "Unable to communicate with the LDAP server.  Verify the settings you specified are correct."
      • If I uncheck the box "Use SSL" I get an error: "Unable to authenticate with the LDAP server.  The server requires SSL connections.  Enable SSL and retry."


      So I started looking at Group Policy, and noticed the following:


      • The security setting "Domain Controller: LDAP server signing requirements" is set to "Require signing" on my domain controllers.
      • The security setting "Network security: LDAP client signing requirements" is set to "Require signing" on all my client systems.


      So I backed out these two settings, and now I can successfully connect to Active Directory, but only if I do not check the box "Use SSL".  However, these security settings are ultimately required in our infrastructure for FDCC compliance, so this is at best a workaround, and I am obviously uncomfortable doing any LDAP authentication against AD without encryption.


      One thing I do not have is a Microsoft CA in this environment nor am I distributing the server certificate for my domain controllers using Group Policy as I have no reason to do so and previous versions of ePO had native AD connectors.  But perhaps this is the missing step?


      Thanks in advance for any help.
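The two symptoms described above (non-SSL bind rejected because signing is required, SSL bind failing to connect) can be separated with a handshake test run from the ePO server itself. This is an added example, not code from the original post or from McAfee; the domain controller name is a placeholder, and the registry value read at the end is the one behind the "LDAP client signing requirements" policy.

```powershell
# Added example (not from the original post or McAfee documentation). Run on the ePO server.
# Connects to a domain controller's LDAPS port exactly as an LDAP client would, prints the
# certificate the DC presents, and reports why this machine would reject the TLS handshake.
param(
    [string]$DomainController = 'dc01.example.local',   # placeholder: your DC's FQDN
    [int]$Port = 636
)

$script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
# Record the validation result instead of aborting the handshake, so it can be reported.
$recordErrors = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    return $true
}

# If the connection or handshake fails here, no certificate was returned at all, which
# points at the DC (no usable Server Authentication certificate) rather than at trust.
$tcp = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $recordErrors)
try {
    $ssl.AuthenticateAsClient($DomainController)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    "Subject : $($cert.Subject)"
    "Issuer  : $($cert.Issuer)"
    "Expires : $($cert.NotAfter)"
    # Subject Alternative Name (OID 2.5.29.17) must list the FQDN the client connects to.
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) { "SAN     : $($san.Format($false))" }

    switch ($script:policyErrors) {
        'None'  { 'Result  : certificate chains to a root this machine trusts' }
        default {
            "Result  : $($script:policyErrors)"
            'Fix     : distribute the issuing CA certificate (not the DC certificate itself) to the'
            '          LDAP client''s trust store, or reissue the DC certificate with the right name.'
        }
    }
}
finally {
    $ssl.Dispose()
    $tcp.Close()
}

# Client-side signing policy on this machine: 0 = none, 1 = negotiate signing, 2 = require signing.
$ldap = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP' -ErrorAction SilentlyContinue
"LDAPClientIntegrity : $($ldap.LDAPClientIntegrity)"
```

A `RemoteCertificateChainErrors` result with a DC certificate issued by a CA this machine does not hold is the "no CA distributed" case the post suspects; the fix is to import that issuing CA into the trust store the LDAP client actually uses, not to relax the signing policy.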