Version Affected: All
Description:
When trying to connect to AD LDS using SSL, the connection fails and users see "Invalid User" if AD LDS is the membership provider.
If AD LDS is used as an additional profile provider, users see "Error retrieving contact information".
When using AD LDS over Secure instead of SSL, the connection works fine.
Cause:
The SSL connection changes the service account requirements.
Resolution:
For SSL connections to work, the AD LDS server needs to be set up with an appropriate certificate. Please follow the Microsoft articles on how to set this up, as this article covers only the SecureAuth-specific tips.
1. Create a service account in the Default Naming Context, e.g. CN=Roles.
2. Give this account a password.
3. Edit the attribute named msDS-UserAccountDisabled and set it to False.
4. Edit the User Principal Name and match it to the CN.
5. Grant this account sufficient permissions for the tasks it will be performing. In a test environment, you can simply add it to the Administrators group. In a production environment, you'll want to limit the access using DS ACLs.
6. Ensure that the IdP trusts the Certificate Authority that was used to create the certificate AD LDS is using.
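As an added example (not code from the SecureAuth article), the following PowerShell carries out the account steps above against AD LDS over LDAPS and then checks the certificate-trust step with a simple bind as the new account, which is the kind of bind the IdP performs over SSL. The host name, partition DN and account name are assumed placeholders; run it as an AD LDS administrator.

```powershell
# Added example, not from the SecureAuth article. Placeholder assumptions:
# AD LDS host, partition DN and account name. Run as an AD LDS administrator.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server    = 'adlds.example.com'       # assumption: AD LDS host, LDAPS on 636
$Partition = 'DC=example,DC=com'       # assumption: default naming context
$Cn        = 'Roles'                   # step 1: CN=Roles in the default NC
$Secret    = Read-Host -AsSecureString "Password for CN=$Cn"
$Plain     = [System.Net.NetworkCredential]::new('', $Secret).Password

# Steps 1-4: create the account, set its password, enable it, set UPN = CN.
function New-AdldsServiceAccount {
    $auth = [System.DirectoryServices.AuthenticationTypes]::Secure -bor
            [System.DirectoryServices.AuthenticationTypes]::SecureSocketsLayer
    $nc = New-Object System.DirectoryServices.DirectoryEntry(
              "LDAP://${Server}:636/$Partition", $null, $null, $auth)
    $user = $nc.Children.Add("CN=$Cn", 'user')
    $user.Properties['userPrincipalName'].Value = $Cn           # step 4: UPN = CN
    $user.CommitChanges()
    $user.Invoke('SetPassword', $Plain)                         # step 2 (needs SSL)
    $user.Properties['msDS-UserAccountDisabled'].Value = $false # step 3
    $user.CommitChanges()
    # Step 5 (permissions) is deliberately left to the admin: Administrators
    # group only in test, a scoped grant with DS ACLs in production.
    return $user.Path
}

# Step 6 check: simple bind over LDAPS as the new account, accepting the server
# certificate only if it chains to a CA that this (IdP) host already trusts.
function Test-AdldsSslBind {
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
    $cred = New-Object System.Net.NetworkCredential($Cn, $Plain)  # bind with the UPN
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection(
                $id, $cred, [System.DirectoryServices.Protocols.AuthType]::Basic)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.VerifyServerCertificate = {
        param($ldap, $cert)
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $ok = $chain.Build([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert)
        if (-not $ok) { Write-Warning "Untrusted AD LDS certificate: $($chain.ChainStatus.StatusInformation)" }
        return $ok
    }
    try     { $conn.Bind(); return $true }   # enabled account, UPN and password all OK
    catch   { Write-Warning "LDAPS bind failed: $($_.Exception.Message)"; return $false }
    finally { $conn.Dispose() }
}

New-AdldsServiceAccount
Test-AdldsSslBind
```

A bind failure with an untrusted-certificate warning points at the CA trust on the IdP, while a failure without that warning points at the account itself (disabled, no password, or UPN not matching the CN).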
SecureAuth Knowledge Base Articles provide information based on specific use cases and may not apply to all appliances or configurations. Be advised that these instructions could cause harm to the environment if not followed correctly or if they do not apply to the current use case.
Customers are responsible for their own due diligence prior to utilizing this information and agree that SecureAuth is not liable for any issues caused by misconfiguration directly or indirectly related to SecureAuth products.