Active Directory integration

SOLVED
TL_Arwen
Getting noticed

Hi all,

So, I'm trying to set up AD integration on our MX84. I have created a certificate that has all the settings lined out in https://documentation.meraki.com/MX/Content_Filtering_and_Threat_Protection/Active_Directory_Integra...

The cert is located in the Trusted store. 

When I go to the AD part of the portal, I put in my info, so if my domain is domain.com, I put domain in the short domain field, the IP of my DC in the IP field, administrator for the domain admin field and then the password. I get the error: ldap_start_tls: Server is unavailable

Any ideas on this? Am I missing a step?

1 ACCEPTED SOLUTION
TL_Arwen
Getting noticed

I added the cert to the trusted store and I found out that I was putting in the wrong info into the portal. I thought that if my domain controller was, say, dc1.domain.com, the short domain would be domain because that is the actual domain name. But I had to put the name of the DC in. Doesn't make sense in my eyes... So once I made that change, it worked.

13 REPLIES
BrechtSchamp
Kind of a big deal

I assume you saw this from your link:

ldap_start_tls: Server is Unavailable

Error Description - The MX uses TLS to secure the LDAP connection to the domain controller. This error indicates the MX received an Error initializing TLS response from the domain controller when attempting to establish TLS.

Error Solution: To resolve issues with TLS, please verify the following:

  • The domain controller has a valid certificate installed. 
  • The domain controller supports STARTTLS. Since the MX does not support LDAP over SSL, it uses STARTTLS instead.


@BrechtSchamp wrote:

I assume you saw this from your link:

ldap_start_tls: Server is Unavailable

Error Description - The MX uses TLS to secure the LDAP connection to the domain controller. This error indicates the MX received an Error initializing TLS response from the domain controller when attempting to establish TLS.

Error Solution: To resolve issues with TLS, please verify the following:

  • The domain controller has a valid certificate installed. 
  • The domain controller supports STARTTLS. Since the MX does not support LDAP over SSL, it uses STARTTLS instead.

Yes. I may have missed something, but not sure how or what.

All right. I just wanted to make sure. Unfortunately I have no personal experience with configuring AD so I can't help you further. Maybe one of the other members will be able to help.

Hi BrechtSchamp,

Can you point me to instructions on installing a proper cert on the Domain Controller? My AD server does not have IIS, so I am not finding info on certificate install. Do I need to create it on RapidSSL and then drop it in the personal store?

Can you not install IIS on your domain controller? Or on another server?

I would rather not install IIS on the DC as it is not a best practice. I do have IIS on another server. So I can create the cert there and then drop it into the personal store on the DC? Is there a step-by-step guide, because I don't understand how to get the cert to meet Meraki's requirement of having a private key.

Thank you very much. That did the trick. I also noticed I had to use the Domain\username format in the domain admin box on the Meraki dashboard.

PhilipDAth
Kind of a big deal

The certificate should be located in the machine personal store.


@PhilipDAth wrote:

The certificate should be located in the machine personal store.


I added it to the personal store and I still got the same error.

PhilipDAth
Kind of a big deal

Try giving the AD controller a reboot.

If the issue is still happening then it is probably something wrong with the certificate.

Thanks for following up!
