I have a Domain Controller (Server 2016) in Azure. The Azure network this system is on is connected via a Virtual network gateway (VPN) to the on-prem network, and the network engineers have configured this network to be trusted, so it is inside the firewall. We have a PKI infrastructure with a Root and Subordinate CA on the on-prem network, and LDAPS works with any domain controller on-prem.
Regarding the Azure system: It's joined to the domain and event viewer and all that looks good. It is in its own AD Site in Sites and Services. Everything looks good, I can ping the machine from my on-prem network and all LDAP related ports are opened via Port queries. We see no errors in the Event Log either.
On a Windows 10 machine on the non-Azure network (in the Default-First-Site), I can LDAP 636 to any domain controller on-premises in that site but cannot LDAP 636 to this Azure domain controller. I am using LDP.exe and receive the error:
ld = ldap_open("azure.fqdn.com", 636);
Error <0x51>: Fail to connect to azure.fqdn.com.
I can LDAP 389 to this machine. I can telnet 636 to this machine. So it seems like something is up with the certificates; I'm just not sure what.
In the certificate store is a certificate with the SAN of the FQDN for this machine with enhanced key usage of
Client Authentication (1.3.6.1.5.5.7.3.2), Server Authentication (1.3.6.1.5.5.7.3.1)
Anyone have any ideas?
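The symptom described above (telnet to 636 succeeds, LDP.exe fails with 0x51) is worth separating into stages before touching the PKI: does TCP connect, does a TLS handshake complete at all, and if it does, is the presented certificate trusted and does its SAN carry the DC's FQDN. The script below is an added example for doing that from a client, not code from the original post; it uses only the Python standard library, the hostname azure.fqdn.com is the poster's placeholder, and the local listener at the end is a constructed fixture that reproduces "port open, no TLS" so the classification can be exercised offline.

```python
"""Stage-by-stage LDAPS check: TCP connect, then TLS handshake, then SAN match."""
import socket
import ssl
import threading

LDAPS_PORT = 636


def san_matches(cert: dict, hostname: str) -> bool:
    """Return True if hostname matches a DNS entry in the certificate's SAN.

    `cert` has the dict shape returned by ssl.SSLSocket.getpeercert(). Only DNS
    entries count (a DC certificate must carry its FQDN as a SAN); a leading
    '*.' wildcard matches exactly one label, as LDAP clients and browsers do.
    """
    host = hostname.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = value.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def check_ldaps(host: str, port: int = LDAPS_PORT, timeout: float = 5.0) -> dict:
    """Classify what happens on an LDAPS port. The 'stage' key is one of:

      'tcp_failed'    nothing listening, or blocked by a firewall
      'tls_failed'    the port accepts the connection but no TLS handshake
                      completes (telnet 636 works, LDAP client reports 0x51);
                      typically the DC has no usable certificate bound to LDAPS
      'tls_untrusted' a handshake happened but this client does not trust the
                      chain or the name does not match
      'ok'            verified handshake; 'cert' holds getpeercert()
    """
    result = {"host": host, "port": port, "stage": None, "error": None, "cert": None}
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        result.update(stage="tcp_failed", error=str(exc))
        return result

    # Default context: loads the OS trust store and verifies the hostname,
    # the same bar an LDAP client applies before trusting the DC.
    ctx = ssl.create_default_context()
    try:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            result.update(stage="ok", cert=tls.getpeercert())
    except ssl.SSLCertVerificationError as exc:
        result.update(stage="tls_untrusted", error=str(exc))
    except OSError as exc:  # ssl.SSLError is an OSError; also covers EOF/reset
        result.update(stage="tls_failed", error=str(exc))
    finally:
        raw.close()
    return result


def unused_local_port() -> int:
    """Pick a loopback port that is currently free (constructed test helper)."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def serve_open_port_without_tls() -> int:
    """Constructed fixture, not a real DC: a loopback listener that accepts one
    connection and closes it, reproducing 'port open, no TLS handshake'.
    Returns the port it listens on.
    """
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def _run():
        conn, _ = srv.accept()
        conn.close()
        srv.close()

    threading.Thread(target=_run, daemon=True).start()
    return port


if __name__ == "__main__":
    # Local demonstration of the post's symptom: TCP open, TLS never completes.
    print(check_ldaps("127.0.0.1", serve_open_port_without_tls()))
    # Against the real DC (hostname assumed from the post; replace with yours):
    # r = check_ldaps("azure.fqdn.com")
    # print(r["stage"], r["cert"] and san_matches(r["cert"], "azure.fqdn.com"))
```

Reading the result: a `tls_failed` stage against the Azure DC means the client never received a certificate, so the place to look is whether the DC has a certificate with the private key in its machine store that Schannel can bind to LDAPS, rather than the client's trust store; `tls_untrusted` points instead at the chain or the SAN, which `san_matches` checks against the dict from `getpeercert()`. Note that `getpeercert()` does not expose Enhanced Key Usage, so the Server Authentication EKU still has to be confirmed in the certificate itself.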