Author Topic: Connecting to AD for VPN Authentication (Read 119 times)

michaelsage · « **on:** November 01, 2024, 11:03:36 am »

Hi,

This was working until recently, I thought I'd found an issue with a cert, but turns out it wasn't the issue. I am trying to authenticate against Windows AD (functional level 2016). Everything looks ok, certs and config, but when I use the tester, I get the following error:

LDAP bind error [error:0A000086:SSL routines::certificate verify failed (CA signature digest algorithm too weak); Can't contact LDAP server]

I don't really know where to look. For now I have set our VPN to use local users but I'd like to go back to AD if possible. Any ideas?

Thanks!

Patrick M. Hausen · « **Reply #1 on:** November 01, 2024, 11:50:42 am »

You can use stunnel to connect to your DC over LDAPS, port 636 ignoring cert validity and present an unencrypted LDAP socket at 127.0.0.1:389. Then use this for OpenVPN. No unencrypted packet leaves the firewall.

I got tired of messing with the idiosyncrasies of Windows and certificates. Has been running stably for years.

michaelsage · « **Reply #2 on:** November 01, 2024, 03:55:11 pm »

That sounds interesting. I'll take a look. Thanks!

michaelsage · « **Reply #3 on:** November 01, 2024, 04:04:11 pm »

Well that took about 2 mins to get working! Thank you very much!

Author Topic: Connecting to AD for VPN Authentication (Read 119 times)

michaelsage

Connecting to AD for VPN Authentication

Patrick M. Hausen

Re: Connecting to AD for VPN Authentication

michaelsage

Re: Connecting to AD for VPN Authentication

michaelsage

Re: Connecting to AD for VPN Authentication