
FMC External AD Authentication over TLS

jbeach44 (Level 1)

Hello,

I am using the following guide to set up AD external authentication over TLS and getting the following error:

 

Opening connection to LDAP server - XXXXXXXXXX:389 - ldap
Current TLS Require Cert: 4
Current TLS CACERTFILE: /var/tmp/HsmvFZQrBM/temp0.pem
Failed to issue StartTLS instruction: Connect error - -11
The directory server is up XXXXXXXXXX:389

The hostname field is set up to match the certificate installed on the DC and I am uploading the Root certificate as base64 PEM format. Not sure what the issue is, anyone run into this?

 

Thanks!


3 Replies

On the provided output I see the negotiation is happening on port 389 which is the traditional unencrypted LDAP port, not the LDAPS port. LDAPS runs on port 636 by default.

Hey Aref,

 

Thanks for the reply. SSL uses port 636 but TLS uses 389 using STARTTLS, so that's not the issue. It had something to do with the root cert I was uploading, wish I could say what it was but it finally took and is working properly. 

 

Thanks!
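The exchange the accepted reply describes (plain LDAP on 389, then a StartTLS extended operation, then the TLS handshake against the uploaded root CA) is easy to reproduce outside FMC so the cert problem can be isolated from the port question. The script below is an added example, not part of this thread or of any Cisco tool: it speaks the LDAP StartTLS extended request (OID 1.3.6.1.4.1.1466.20037, RFC 4511/4513) with a hand-rolled BER encoder over a raw socket and then wraps the socket with Python's stdlib ssl module using only the CA file you pass in, with chain and hostname verification on. The hostname, port and CA file path are assumed command-line inputs; the two response byte strings are constructed samples used for self-checking, not captured from a real DC. For reference, the -11 in the FMC log is libldap's LDAP_CONNECT_ERROR, which is what a failed TLS handshake (including a chain that does not validate against the supplied CA file) surfaces as.

```python
"""Added example: probe an AD domain controller for LDAP StartTLS on 389
and validate its certificate chain against a given root CA PEM file.
Not Cisco/FMC code; hostname, port and CA path are assumed inputs."""
import socket
import ssl
import sys

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended op

# --- minimal BER helpers (only what LDAP StartTLS needs) -------------------

def ber_len(n):
    """Encode a BER length (short form < 128, long form otherwise)."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def ber_tlv(tag, payload):
    """Tag-Length-Value wrapper."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_read(buf, pos=0):
    """Decode one TLV at buf[pos]; return (tag, value, next_pos)."""
    tag = buf[pos]
    first = buf[pos + 1]
    pos += 2
    if first & 0x80:
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length

# --- LDAP message construction / parsing ------------------------------------

def build_starttls_request(message_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    msg_id = ber_tlv(0x02, bytes([message_id]))          # INTEGER
    ext = ber_tlv(0x77, ber_tlv(0x80, STARTTLS_OID))    # [APPLICATION 23] CONSTRUCTED
    return ber_tlv(0x30, msg_id + ext)                   # SEQUENCE

def parse_extended_response(data):
    """Return (resultCode, diagnosticMessage) from an ExtendedResponse [APPLICATION 24]."""
    tag, msg, _ = ber_read(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    _, _msg_id, pos = ber_read(msg)
    tag, ext, _ = ber_read(msg, pos)
    if tag != 0x78:
        raise ValueError("protocolOp is not an ExtendedResponse (tag 0x%02x)" % tag)
    _, rc, pos = ber_read(ext)          # resultCode ENUMERATED (0 = success)
    _, _matched_dn, pos = ber_read(ext, pos)
    _, diag, pos = ber_read(ext, pos)   # diagnosticMessage; AD puts LdapErr text here
    return int.from_bytes(rc, "big"), diag.decode("utf-8", errors="replace")

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection mid-message")
        buf += chunk
    return buf

def recv_ldap_message(sock):
    """Read exactly one BER-framed LDAPMessage, whatever the TCP segmentation."""
    head = recv_exact(sock, 2)
    first = head[1]
    if first & 0x80:
        extra = recv_exact(sock, first & 0x7F)
        head += extra
        length = int.from_bytes(extra, "big")
    else:
        length = first
    return head + recv_exact(sock, length)

def starttls_probe(host, port=389, cafile=None, timeout=5.0):
    """Plain TCP -> StartTLS -> TLS handshake verified against cafile only.
    Returns (tls_version, peer_subject). Raises ssl.SSLCertVerificationError
    when the DC's chain does not validate against the supplied root."""
    ctx = ssl.create_default_context(cafile=cafile)   # check_hostname=True, CERT_REQUIRED
    with socket.create_connection((host, port), timeout=timeout) as raw:
        raw.sendall(build_starttls_request())
        rc, diag = parse_extended_response(recv_ldap_message(raw))
        if rc != 0:
            raise RuntimeError(f"server refused StartTLS: resultCode={rc} {diag!r}")
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.version(), tls.getpeercert().get("subject")

# Constructed sample responses (not captured traffic) for offline self-checks.
SAMPLE_OK = b"\x30\x0c\x02\x01\x01\x78\x07\x0a\x01\x00\x04\x00\x04\x00"
SAMPLE_FAIL = b"\x30\x11\x02\x01\x01\x78\x0c\x0a\x01\x01\x04\x00\x04\x05oops!"

if __name__ == "__main__":
    # usage: python starttls_probe.py dc01.example.com /path/to/root.pem
    print(starttls_probe(sys.argv[1], cafile=sys.argv[2]))
```

Run it with the same hostname you typed into the FMC "Host Name/IP Address" field and the same PEM you uploaded as the CA certificate. If it prints a TLS version and the DC's subject, the port and the chain are fine and the problem is on the FMC side; if it raises ssl.SSLCertVerificationError, the uploaded file is not the root of the chain the DC actually presents (wrong CA, intermediate only, or a hostname that does not match the certificate). The equivalent one-liner with OpenSSL is openssl s_client -connect dc01.example.com:389 -starttls ldap -CAfile root.pem, whose "Verify return code" line tells you the same thing.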

Can I know what the issue with the root cert was?

Thanks a lot

MHM
