How to check LDAPS connectivity to DC

In the interest of increasing network security, attention must be paid to activities within the network as well, not only to be concerned over firewall. Inside, you need to start from the ground up – domain controllers should have SSL/TLS authentication enabled access to LDAP ( MS Active Directory).

More and more apps are using existing LDAP authentication to log-in, but in order to avoid any abuse, it’s of course not desirable to go through the usual port 389, which allows to send paswords in unencrypted form and in plain text format.

Proof that the domain controler uses the LDAPS configuration is not enough to open the LDAPS port 636, it must be verified that each DC also suport SSL/TLS.

Every Windows OS, nut just Windows Server OS, has a tool that can be used to check if SSL/TLS for LDAP is working. Enter ldp.exe into start-> run.

test LDAPS connectivity

Enter the desired domain controller in the connection, change the port to 636 and enable SSL. It will probably be necessary to enter the user and password, even if we are in a multiple domain environment.

Testing with PowerShell

For all you prefer PowerShell is a command, that check the LDAPS connectivity via port 636

Test-LDAP -ComputerName ‘AD1′,’AD2’ | Format-Table

Saša

Works as system engineer in Slovenian Enterprise in Microsoft environment focusing on security, deployments, SharePoint, SCCM and CheckPoint firewall. Author of successful blog about IT security, Microsoft tips & tricks, social media, internet trends.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.