Secure Connectivity to an Active Directory Domain Controller

XTAM use of Secure Connectivity to Active Directory Domain Controller.

Through Microsoft’s requirements, password rotation in Active Directory has to be done using the LDAPS protocol, which implies that LDAP Server host is specified in the format ldaps://dc-host.company.com:port format.

Furthermore, it implies that the AD domain controller is configured using a trusted certificate to secure the communication link.

This trusted certificate has to be generated for the exact name (dc-host.company.com) used in the host property of the LDAP Server describing this AD domain controller; otherwise, the XTAM password rotation routine will not trust the certificate and will fail to connect to the domain controller even with your valid Admin credentials.

In the case where your AD domain controller does not support LDAPS connectivity protected by the trusted certificate, XTAM cannot rotate passwords for users in this domain controller.

 

In the case where your AD domain controller supports LDAPS connectivity but the certificate is not signed by trusted internet authorities so that XTAM does not trust it out of the box, XTAM will attempt to import this certificate automatically into its key store during first connection attempt.

At this time, the first connection attempt might fail while consequent connections might succeed because the certificate will be automatically imported into the XTAM key store.

 

In the case where your domain controller certificate does not include the host name used in the AD host connection string ldaps://dc-host.company.com:port, XTAM will fail to trust the certificate even it is imported successfully to XTAM key store.

In this case, the only resolution to this issue is to align the name on the certificate with the name of the AD domain controller host in the connection string.

One way to do it is to regenerate a certificate for AD and apply it to LDAPS connection in domain controller.

The other way is to create a host record in the OS hosting XTAM for the domain controller to address it by the name on the certificate and then use this exact name in the AD connection string in LDAP Server record.

Troubleshooting

To troubleshoot certificate issues and to force loading AD domain controller certificate into XTAM key store in a supervised way, perform the following steps:

  1. Login to XTAM host as an XTAM owner (Linux) or run command prompt as Administrator (Windows). Navigate to $XTAM home folder (such as /opt/xtam or c:\xtam). Do not navigate to the bin subfolder of $XTAM folder.
  2. Execute the following command where
  3. dc-host.company.com is the host name of the Active Directory domain controller

    port is the LDAPS port of the Active Directory domain controller like 636 or 3269

    For Linux:

    Copy
    bin/PamDirectory.sh SSLImport dc-host.company.com port

     

    For Windows:

    Copy
    bin\PamDirectory.cmd SSLImport dc-host.company.com port

     

The command will either complete with success indicating that XTAM trusts the Active Directory domain controller certificate or it will print the certificate on the screen and prompt to import certificate to the XTAM key store.

Note that it is possible that the command will print several certificates indicating some intermediate certificates are required to set up trust to the domain controller. Import all certificates into the XTAM key store as prompted and repeat the procedure to confirm successful connection.

This command may also generate an error in case of name mismatch of the host in the parameter with the name on the certificate that break the trust.

This issue has to be resolved by using the name on the certificate to connect.