How To: Check LDAPS Configuration

This article explains how to ensure an AD Domain controller has a working LDAPS configuration.


Why Osirium PAM Needs LDAPS

In order for PAM to communicate with Active Directory domain controllers, PAM needs to connect using LDAPS. This is a Microsoft restriction: over plain LDAP you cannot change the password of an Active Directory account or create a new Active Directory account. These operations can only be performed over LDAPS, hence PAM requires LDAPS connectivity.

You can find out more about Osirium PAM and how to get a free copy for small teams by visiting the Osirium Privileged Access Management page.

Domain Controller Default

By default, Domain Controllers listen over LDAP but not LDAPS.
They do still have an active socket listening on the LDAPS port (TCP 636), but by default this does not function correctly.
To function correctly, each Domain Controller requires a certificate (with the ‘Server Authentication’ purpose enabled) to be installed.
This happens automatically for all Domain Controllers if a Microsoft Certificate Authority role is installed somewhere in the domain and it is configured as an Enterprise Root certificate authority.

Testing LDAPS

Just checking to see if a Domain Controller is listening on the LDAPS port (TCP 636) is not sufficient to confirm LDAPS is working.
To verify LDAPS on a domain controller has been configured and is functioning correctly, perform the following steps on each Domain Controller that PAM will need to communicate with:

  • RDP onto the Domain Controller.
  • Open the Run dialogue box and run the application: ldp.exe (or ldp for short).
  • When LDP opens, go to the Connection menu and click on Connect…
  • Fill in the ‘Connect’ dialogue box as shown below.
    [Screenshot: LDP connection screen]
  • Click OK.
  • If the server is correctly configured for LDAPS then line 5 of the output (you might need to scroll up) will show that the host supports SSL, like this:
    [Screenshot: output for a correctly configured server]
  • If the host is NOT configured for LDAPS then Ldp will show the following. This means PAM won’t be able to communicate with that Domain Controller:
    [Screenshot: output for an incorrectly configured server]
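The ldp.exe steps above can be repeated for every Domain Controller from a single domain-joined Windows host. The following PowerShell script is an added example (not from the original article or from Osirium) that performs the same checks unattended: TCP 636 reachability, a TLS handshake, the ‘Server Authentication’ purpose on the certificate the DC presents, and an authenticated LDAPS bind using the caller's current credentials. The Domain Controller names are placeholders to replace with your own.

```powershell
# Added example, not Osirium's code. Replace the placeholder DC names below.
param(
    [string[]]$DomainControllers = @('dc01.example.local', 'dc02.example.local'),
    [int]$Port = 636
)
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-Ldaps {
    param([string]$Server, [int]$Port)
    $r = [ordered]@{ Server = $Server; PortOpen = $false; TlsOk = $false
                     ServerAuthEku = $false; BindOk = $false; Detail = '' }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        $r.PortOpen = $true
        # Accept any certificate here so we can inspect what the DC presents;
        # the real trust decision is made by the LDAP bind further down.
        $cb = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($Server)
        $r.TlsOk = $true
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        # 1.3.6.1.5.5.7.3.1 is the Server Authentication enhanced key usage OID
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $r.ServerAuthEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
        $r.Detail = "Subject=$($cert.Subject); NotAfter=$($cert.NotAfter)"
        $ssl.Dispose()
    } catch {
        $r.Detail = $_.Exception.Message
    } finally { $tcp.Dispose() }

    if ($r.TlsOk) {
        # Full LDAPS bind with normal chain validation, as PAM would do it.
        try {
            $id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
            $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
            $conn.SessionOptions.SecureSocketLayer = $true
            $conn.SessionOptions.ProtocolVersion = 3
            $conn.Bind()          # uses the current user's credentials
            $r.BindOk = $true
            $conn.Dispose()
        } catch { $r.Detail += "; bind failed: $($_.Exception.Message)" }
    }
    [pscustomobject]$r
}

$DomainControllers | ForEach-Object { Test-Ldaps -Server $_ -Port $Port } | Format-Table -AutoSize
```

A DC that shows PortOpen but not TlsOk is the "listening but not functioning" case described above; a DC with TlsOk but a failed bind usually has a certificate whose chain is not trusted by the client.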

