Connecting Securely to Active Directory

As an App Volumes administrator, you can choose to connect to Active Directory over a secure or insecure LDAP connection.

Secure LDAP (LDAPS) - Connect to Active Directory over a dedicated LDAPS port. The default port number for LDAPS is 636. The root SSL certificate, which is required to validate all the domain controllers must be placed in the config/adCA.pem file. To deactivate certificate validation, the Disable certificate validation(insecure) check box can be used. For more information about this check box, see Disable certificate validation (insecure) section on this page.
LDAP over TLS - Establish a normal, not secure LDAP connection between App Volumes Manager and Active Directory and allow the Active Directory to negotiate whether or not to use the TLS protocol, which makes the connection secure.
If you choose to validate the root certificate of the domain, the root SSL certificate which is required to validate all the domain controllers must be placed in the config/adCA.pem file. To deactivate certificate validation, the Disable certificate validation(insecure) check box can be used. For more information about this check box, see Disable certificate validation (insecure) section on this page.
LDAPS and LDAP over TLS can be further secured by using channel binding. Microsoft recommends administrators make the hardening changes described in ADV190023. For more information, see the Microsoft documentation. Channel binding eliminates known security issues with associated protocols used by Active Directory such as NTLM. When LDAP channel binding is enabled in Active Directory, this security feature enables and enforces checks for the presence of channel binding information during LDAP authentication performed for the secure LDAP connections. For information about LDAP channel binding and setting the registry key for this security feature, see the relevant Microsoft documentation.
LDAP (insecure) - Connect to Active Directory over an insecure connection over plain LDAP. The default port number is 389.
Credentials are exchanged using GSS-SPNEGO and plain-text passwords are not exposed.

Note: LDAP Signing is an alternative method to using SSL to secure an LDAP connection. Currently, App Volumes Manager does not support LDAP Signing. To use LDAP insecure, LDAP Signing must be deactivated in the Active Directory. To deactivate LDAP Signing, the LDAPServerIntegrity registry key value must be set to 1 in Active Directory. For information about setting the registry key, see the relevant Microsoft documentation.

Disable certificate validation(insecure)

The Disable certificate validation(insecure) check box allows you to connect securely to Active Directory over LDAPS or LDAP over TLS without validating a domain certificate. Depending on whether you are upgrading from an older version of App Volumes, and if you had connected securely to Active Directory in your earlier installation of App Volumes, or if you are performing a fresh installation, the Disable certificate validation(insecure) box might be checked or deselected in the latest version of App Volumes.

Note: The Disable certificate validation(insecure) check box is visible only if you select LDAPS or LDAP over TLS.