In the interest of increasing network security, attention must be paid to activities within the network as well, not only to be concerned over firewall. Inside, you need to start from the ground up – domain controllers should have SSL/TLS authentication enabled access to LDAP ( MS Active Directory).
More and more apps are using existing LDAP authentication to log-in, but in order to avoid any abuse, it’s of course not desirable to go through the usual port 389, which allows to send paswords in unencrypted form and in plain text format.
Proof that the domain controler uses the LDAPS configuration is not enough to open the LDAPS port 636, it must be verified that each DC also suport SSL/TLS.
Every Windows OS, nut just Windows Server OS, has a tool that can be used to check if SSL/TLS for LDAP is working. Enter ldp.exe into start-> run.
Enter the desired domain controller in the connection, change the port to 636 and enable SSL. It will probably be necessary to enter the user and password, even if we are in a multiple domain environment.
Testing with PowerShell
For all you prefer PowerShell is a command, that check the LDAPS connectivity via port 636
Test-LDAP -ComputerName â€˜AD1â€²,â€™AD2â€™ | Format-Table