- All the users must be created in Azure AD.
- You must own the credentials of an account with the directory role "Global Administrator".
- You must have a PKCS12 certificate, 2048-bit, protected with a password.
Certificate requirements for secure LDAP
Obtain a valid certificate by following the instructions below before enabling secure LDAP. Any attempt to enable secure LDAP on your managed domain with an invalid certificate will fail.
- Trusted issuer: the certificate must be issued by an authority trusted by the computers that connect to the managed domain over secure LDAP.
- Lifetime: the certificate must remain valid for at least the next 3 to 6 months. Access to your managed domain over secure LDAP is interrupted as soon as the certificate expires.
- Subject name: the certificate subject name must be a wildcard name for your managed domain. For example, if your domain name is "contoso100.com", the certificate subject name must be "*.contoso100.com". Also define this wildcard name as a DNS name (subject alternative name).
- Key usage: the certificate must be configured for digital signature and key encipherment.
- Certificate purpose: the certificate must be valid for SSL server authentication.
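The following PowerShell function is an added example, not part of the Gespage documentation: it checks a certificate from the local machine store against each requirement listed above before the PFX is uploaded to Azure, so that a rejected upload (or an outage 3 months later) is caught in advance. The domain name "contoso100.com" and the store location are assumptions to replace with your own values.

```powershell
# Added example (not from the Gespage documentation). Checks a certificate
# against the secure LDAP requirements: trusted issuer, remaining lifetime,
# wildcard subject and SAN, key usage, server authentication EKU, 2048-bit key.
function Test-SecureLdapCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)]
        [string]$DomainName,
        # The requirements ask for 3 to 6 months; 3 is the minimum accepted here.
        [int]$MinimumMonthsValid = 3
    )

    $wildcard = "*.$DomainName"
    $results = [ordered]@{}

    # Trusted issuer: build the chain as a connecting computer would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $results['TrustedIssuer'] = $chain.Build($Certificate)

    # Lifetime: still valid after the minimum number of months.
    $results['ValidLongEnough'] = $Certificate.NotAfter -gt (Get-Date).AddMonths($MinimumMonthsValid)

    # Subject name: CN must be the wildcard for the managed domain.
    $results['WildcardSubject'] = $Certificate.Subject -match ("CN=\*\." + [regex]::Escape($DomainName))

    # Subject alternative name (OID 2.5.29.17): the wildcard must also be a DNS name.
    $san = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $results['WildcardSan'] = $sanText -match [regex]::Escape($wildcard)

    # Key usage: digital signature and key encipherment both set.
    $ku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $required = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    $results['KeyUsage'] = ($null -ne $ku) -and (($ku.KeyUsages -band $required) -eq $required)

    # Certificate purpose: server authentication EKU (OID 1.3.6.1.5.5.7.3.1).
    $eku = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekuOids = if ($eku) { $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } } else { @() }
    $results['ServerAuth'] = $ekuOids -contains '1.3.6.1.5.5.7.3.1'

    # Key size: the PKCS12 file must carry a 2048-bit RSA key.
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Certificate)
    $results['KeySize2048'] = ($null -ne $rsa) -and ($rsa.KeySize -ge 2048)

    [pscustomobject]$results
}

# Usage (assumed placeholders): pick the candidate certificate from the machine store.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*contoso100.com*' } |
    Select-Object -First 1
Test-SecureLdapCertificate -Certificate $cert -DomainName 'contoso100.com'
```

Every property in the output should read True; a False in TrustedIssuer for a self-signed certificate means its public part still has to be imported into the trusted root store of the computers that will connect (the Gespage server included).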
The first task is to obtain a certificate that will be used to access the managed domain over secure LDAP. Two options are available to you:
- obtain a certificate from a public certification authority;
- create a self-signed certificate.
If the DNS domain name ends with ".onmicrosoft.com", or if you want to create a self-signed certificate, follow these steps:
- On your Windows computer, open a new PowerShell window as administrator and enter the following command lines:
- In the example above, replace "*.contoso100.com" with your DNS domain name. For example, if you create a domain named "cartadis.onmicrosoft.com", replace "*.contoso100.com" in the above script with "*.cartadis.onmicrosoft.com".
The new self-signed certificate is placed in the computer's local certificate store.
Follow the link below to export the certificate to a PFX file.
Export the secure LDAP certificate to a .PFX file
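As an added example (not the documentation's own script), the two steps above, creating the self-signed certificate and exporting it to a password-protected PFX, can be done in one PowerShell session. The domain name "contoso100.com", the export path and the store location are placeholders to replace; the certificate parameters follow the requirements listed earlier.

```powershell
# Added example, not from the Gespage documentation. Replace the placeholders:
# the domain name, the PFX export path. The PFX password is prompted for.
$domain = 'contoso100.com'            # placeholder: your managed domain name
$pfxPath = 'C:\temp\secure-ldap.pfx'  # placeholder: where the PFX is written
$lifetime = Get-Date

# Self-signed certificate meeting the requirements: wildcard subject and DNS SAN,
# digital signature + key encipherment, SSL server authentication purpose,
# 2048-bit RSA key, valid for one year (renew well before it expires).
$cert = New-SelfSignedCertificate -Subject "CN=*.$domain" `
    -DnsName "*.$domain", $domain `
    -KeyAlgorithm RSA -KeyLength 2048 `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -Type SSLServerAuthentication `
    -NotAfter $lifetime.AddDays(365) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Export the certificate with its private key to a PKCS12 (.pfx) file protected
# by a password; this is the file and password uploaded in the Azure portal.
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password protecting the PFX'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Reload the file to confirm it holds the expected certificate (prompts for the password).
$reloaded = Get-PfxCertificate -FilePath $pfxPath
"Thumbprint: $($reloaded.Thumbprint)  Subject: $($reloaded.Subject)  Expires: $($reloaded.NotAfter)"
```

Because the certificate is self-signed, its public part must additionally be trusted by every computer that connects over secure LDAP, as the "Trusted issuer" requirement states.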
Azure AD configuration
- Sign in to Microsoft Azure.
- Click "All resources" in the left column.
- Then select the Azure AD Domain Services instance that you want to synchronize.
- In the new left menu, click "Secure LDAP".
- Then enable the "Secure LDAP" and "Allow secure LDAP access over the internet" options.
- Now browse your computer for the certificate created previously, enter the password that protects it, then click "Save" (this can take 10 to 15 minutes).
- In the left menu, click "Properties" to get the secure LDAP external IP address.
Configure the synchronization in Gespage
- Select the LDAP type: AD.
- In the IP address field, set the secure LDAP external IP address.
- Set SSL mode.
- In the domain field, set the resource name of the Azure AD Domain Services instance.
- The login and password used to synchronize can be any account from the Azure AD; you do not need administrator rights to synchronize.
- You can now start the synchronization.
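Before starting the synchronization, it is worth proving from the Gespage server that an LDAPS bind on port 636 succeeds with the ordinary account and that the certificate is accepted without loosening validation. The PowerShell function below is an added example, not Gespage code. It assumes the secure LDAP external IP address is reachable under a host name covered by the wildcard certificate ("ldaps.contoso100.com", a DNS or hosts entry you create; connecting by bare IP cannot match the certificate name) and that "syncuser@contoso100.com" is the synchronization account.

```powershell
# Added example, not part of the Gespage documentation. Assumed placeholders:
# the host name "ldaps.contoso100.com" (mapped to the secure LDAP external IP)
# and the non-admin account "syncuser@contoso100.com".
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-SecureLdapBind {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][pscredential]$Credential,
        [int]$Port = 636
    )
    $identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
    # Simple bind over TLS: the password is only ever sent inside the TLS session.
    $connection.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $connection.SessionOptions.SecureSocketLayer = $true
    $connection.SessionOptions.ProtocolVersion = 3
    # Default certificate validation is kept: the chain must be trusted and the
    # name must match, which is what the certificate requirements demand.
    $connection.Credential = $Credential.GetNetworkCredential()
    try {
        $connection.Bind()
        # Reading the root DSE after the bind proves LDAPS works end to end.
        $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
            '', '(objectClass=*)', 'Base', 'defaultNamingContext')
        $response = $connection.SendRequest($request)
        return [pscustomobject]@{
            Bound                = $true
            DefaultNamingContext = [string]$response.Entries[0].Attributes['defaultNamingContext'][0]
        }
    } catch {
        # A TLS failure here (untrusted issuer, name mismatch, expired certificate)
        # is the same failure Gespage would hit, so fix the certificate first.
        return [pscustomobject]@{ Bound = $false; Error = $_.Exception.Message }
    } finally {
        $connection.Dispose()
    }
}

Test-SecureLdapBind -Server 'ldaps.contoso100.com' -Credential (Get-Credential 'syncuser@contoso100.com')
```

A result with Bound = True and the domain's naming context means the address, certificate and account entered in Gespage are all correct; an error mentioning the certificate points back to the requirements section rather than to the Gespage settings.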