Beware of activating LDAP Signing on Windows Domain Controllers

Started by vpx, August 26, 2025, 04:10:06 PM

Maybe you are also in the process of hardening your Active Directory.

When you activate LDAP Signing on the domain controller, this can break the OpenVPN connections of your users if you have configured the LDAP connection to your DC via simple binds.

Sample error message in the OpenVPN Connect client:

[Aug 20, 2025, 08:55:52] AUTH_FAILED
[Aug 20, 2025, 08:55:52] EVENT: AUTH_FAILED
[Aug 20, 2025, 08:55:52] EVENT: DISCONNECTED

The server log is more detailed and shows:

2025-08-20T08:55:52 Warning openvpn user 'ACME_HANNEBAMBEL' could not authenticate.
2025-08-20T08:55:52 Error openvpn LDAP bind error [00002028: LdapErr: DSID-0C090330, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v4f7c; Strong(er) authentication required]


Because LDAP Signing seems to be a Microsoft-specific thing (see also the LDAP Wiki), we need to upgrade the connection from LDAP to LDAPS.

Make sure the following prerequisites are in place in the OPNsense configuration before you enable LDAP Signing on your DC, so you won't break your OpenVPN connections (which use OpenLDAP for authentication).

1. (Self-signed) CA root certificate from the DC copied to "System: Trust: Authorities" on OPNsense ("Import an existing Certificate Authority").

Tutorials on how to create a CA root certificate on the DC (without the server role "Active Directory Certificate Services") can be found here:

https://gist.github.com/magnetikonline/0ccdabfec58eb1929c997d22e7341e45
https://schweigerstechblog.de/ldaps-ohne-windows-ca-aktivieren-microsoft/ (German)

Make sure the private key is not of the type "BEGIN ENCRYPTED PRIVATE KEY", because then you will get the following error in OPNsense when importing the CA:

"Invalid private key provided"

You can decrypt the key with OpenSSL like this (it will ask for the password):

openssl rsa -in ca.key -out ca_plain.key

If you forget to add the CA certificate you will get this error when you test your credentials:

"error: error:0A000086:SSL routines::certificate verify failed (unable to get local issuer certificate)"

2. Modify the existing server in "System: Access: Servers" to use either "StartTLS" or "SSL - Encrypted" instead of "TCP - Standard" in "Transport".


3. Make sure you are using the FQDN of the DC as the hostname instead of an IP address. Otherwise you will get the following error when you test your credentials:

"error: TLS: hostname does not match name in peer certificate"
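As an added example (not part of the original post and not OPNsense or OpenVPN code), the following POSIX shell script bundles the three checks from the steps above into something you can run before flipping LDAP Signing on the DC: it maps the log lines quoted in this thread to the misconfiguration they indicate, tests whether a PEM key is password-protected (the "Invalid private key provided" case), and verifies the DC's certificate chain and FQDN with openssl s_client. The host name, CA file name and key file names are placeholders.

```shell
#!/bin/sh
# Added example, not part of the forum post: preflight checks for the OPNsense
# LDAP-over-TLS setup. All file names and host names are placeholders.

# Map an OPNsense/OpenVPN log line to the misconfiguration it indicates.
classify_ldap_error() {
    case "$1" in
        *00002028*|*"Strong(er) authentication required"*)
            echo "ldap-signing-required" ;;   # DC enforces signing; simple bind over plain LDAP
        *"unable to get local issuer certificate"*)
            echo "missing-ca" ;;              # DC's CA not imported under System: Trust: Authorities
        *"hostname does not match name in peer certificate"*)
            echo "hostname-mismatch" ;;       # server entry uses an IP instead of the DC's FQDN
        *"could not authenticate"*)
            echo "auth-failed" ;;             # generic warning; the Error line that follows has the cause
        *)
            echo "unknown" ;;
    esac
}

# Return 0 (true) when a PEM private key is password-protected, i.e. would be
# rejected by the OPNsense CA import with "Invalid private key provided".
pem_key_is_encrypted() {
    grep -qE 'BEGIN ENCRYPTED PRIVATE KEY|Proc-Type: 4,ENCRYPTED' "$1"
}

# Decrypt a key for import (prompts for the passphrase). "openssl rsa" from the
# post handles RSA keys only; "openssl pkey" works for any key type.
decrypt_key() {
    openssl pkey -in "$1" -out "$2"
}

# Live check of the TLS side: verify the DC's chain against the CA you imported
# and that the certificate matches the FQDN OPNsense will connect to.
# Needs network access to the DC on 636; stderr is left visible for diagnosis.
ldaps_preflight() {
    fqdn="$1"; cafile="$2"
    openssl s_client -connect "$fqdn:636" -CAfile "$cafile" \
        -verify_hostname "$fqdn" -verify_return_error </dev/null >/dev/null
}

# Usage: preflight.sh classify '<log line>'
#        preflight.sh keycheck ca.key
#        preflight.sh preflight dc01.example.local ca.crt   (placeholder host/file)
case "${1:-}" in
    classify)  classify_ldap_error "$2" ;;
    keycheck)  if pem_key_is_encrypted "$2"; then echo "encrypted: decrypt before import"; else echo "ok: plain key"; fi ;;
    preflight) if ldaps_preflight "$2" "$3"; then echo "ok: chain and hostname verified"; else echo "FAIL: chain or hostname verification failed"; fi ;;
esac
```

If the preflight passes for the FQDN but fails when you pass the DC's IP address instead, you are looking at exactly the hostname mismatch from step 3; if it fails with a local-issuer error, the CA from step 1 is missing or wrong.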