How to Confirm or Enable LDAP/SSL for Azure AD Connect?

Microsoft has an advisory that states they will be prepping LDAP/SSL (LDAPS). https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

While Microsoft doesn't specifically list instructions to set up LDAP/SSL for Azure AD Connect, there is a reference to LDAP/SSL (LDAPS) being used in the article: https://docs.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-ports

  • Is there a way to verify if Azure AD Connect is already using LDAP/SSL?
  • Is there a way to configure Azure AD Connect to only use LDAP/SSL?

Thank you


Solution 1:

Stumbled across your post looking for the same information. I think it's as below but yet to test.

Under Synchronisation Service Manager > Connectors select your domain connector > Properties. Under "Connect to Active Directory Forest" you have an options button, untick "Sign & Encrypt LDAP traffic" and select "Enable SSL for the Connection".

Solution 2:

In case somebody else is struggling... I faced the same problem and got the error message "An error was encountered trying to retrieve the SSL cipher strength" when trying to enable LDAP via SSL.

I had to change the settings under "Synchronisation Service Manager > Connectors > select your domain connector > Properties". Under "Configure Directory Partitions" you have an options button next to "Configure Connection Security": untick "Sign & Encrypt LDAP traffic" and select "Enable SSL for the Connection" (+ Enable CRL Checking, which should obviously be yes if you are using cert-based authentication :-).

Wireshark confirmed the setting and my traffic is now encrypted via TLSv1.2 between Azure AD Connect Server and the DC.
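For anyone who wants to check this from the Azure AD Connect server without firing up Wireshark, the following PowerShell is an added example (not code from either answer above or from Microsoft). It does three things: confirms a DC actually answers TLS on the LDAPS port and reports the negotiated protocol and certificate; lists the established LDAP connections owned by the sync engine process so you can see whether it is talking to 636/3269 (LDAPS) or 389/3268; and dumps the AD connector's connectivity parameters from the ADSync module so the SSL/sign-and-seal setting can be read rather than clicked through. The DC name is a placeholder, the sync engine process name (miiserver) and the `ConnectivityParameters` property on `Get-ADSyncConnector` output are assumptions about the ADSync installation, and the script must run elevated on the Azure AD Connect server for the last two checks.

```powershell
# Added example, not part of the original Q&A.
# Assumptions: 'dc01.contoso.local' is a placeholder DC name; the Azure AD Connect
# sync engine runs as miiserver.exe; the ADSync module exposes Get-ADSyncConnector
# with a ConnectivityParameters collection of Name/Value entries.
param(
    [string]$DomainController = 'dc01.contoso.local',   # hypothetical DC
    [int]$LdapsPort = 636                                # 3269 for the Global Catalog
)

function Test-LdapsEndpoint {
    # Opens a TCP session to the DC and performs a TLS client handshake the way an
    # LDAPS client would, returning the negotiated protocol and the server cert.
    param([string]$Server, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Server, $Port) }
    catch {
        return [pscustomobject]@{ Server=$Server; Port=$Port; Reachable=$false
                                  TlsVersion=$null; Subject=$null; NotAfter=$null; ChainValid=$null }
    }
    # Record chain errors instead of aborting, so a bad certificate is reported, not hidden.
    $script:chainOk = $true
    $callback = {
        param($sender, $cert, $chain, $errors)
        $script:chainOk = ($errors -eq [System.Net.Security.SslPolicyErrors]::None)
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
    try {
        $ssl.AuthenticateAsClient($Server)      # SNI/hostname check uses the DC FQDN
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{ Server=$Server; Port=$Port; Reachable=$true
                           TlsVersion=$ssl.SslProtocol; Subject=$cert.Subject
                           NotAfter=$cert.NotAfter; ChainValid=$script:chainOk }
    }
    finally { $ssl.Dispose(); $client.Dispose() }
}

function Get-SyncEngineLdapConnections {
    # Lists established LDAP/LDAPS connections owned by the sync engine process.
    # Note: 389/3268 with "Sign & Encrypt LDAP traffic" is still encrypted (SASL sealing),
    # so a 389 connection is not proof of plaintext; it just is not LDAPS.
    $proc = Get-Process -Name miiserver -ErrorAction SilentlyContinue
    if (-not $proc) { Write-Warning 'miiserver.exe not running; is this the Azure AD Connect server?'; return @() }
    Get-NetTCPConnection -OwningProcess $proc.Id -State Established -ErrorAction SilentlyContinue |
        Where-Object { $_.RemotePort -in 389, 636, 3268, 3269 } |
        Select-Object RemoteAddress, RemotePort,
            @{ n='Transport'; e={ if ($_.RemotePort -in 636, 3269) { 'LDAPS' } else { 'LDAP (signed/sealed or plain)' } } }
}

function Get-AdConnectorConnectivitySettings {
    # Dumps every connectivity parameter of each connector so the SSL / sign-and-seal /
    # CRL entries can be inspected without opening Synchronization Service Manager.
    Import-Module ADSync -ErrorAction Stop
    foreach ($connector in Get-ADSyncConnector) {
        "=== Connector: $($connector.Name) ==="
        $connector.ConnectivityParameters |
            Select-Object Name, Value |
            Format-Table -AutoSize | Out-String
    }
}

# Usage: run elevated on the Azure AD Connect server.
Test-LdapsEndpoint -Server $DomainController -Port $LdapsPort | Format-List
Get-SyncEngineLdapConnections | Format-Table -AutoSize
Get-AdConnectorConnectivitySettings
```

Two things worth keeping in mind when reading the output. First, a `Reachable=$false` on 636 almost always means the DC has no suitable certificate in its computer store (Server Authentication EKU, subject or SAN matching the DC FQDN), which is also the usual cause of the "SSL cipher strength" error mentioned in Solution 2, so fix the DC side before touching the connector. Second, ADV190023 is Microsoft's guidance on LDAP channel binding and LDAP signing; the "Sign & Encrypt LDAP traffic" option satisfies the signing side on port 389 via SASL, whereas switching the connector to LDAPS moves the same traffic to TLS on 636/3269. Either way the sync traffic is protected on the wire; the difference is which mechanism the DC hardening policy will accept.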