Known issues: Secure LDAP alerts in Azure Active Directory Domain Services

Applications and services that use Lightweight Directory Access Protocol (LDAP) to communicate with Azure Active Directory Domain Services (Azure AD DS) can be configured to use secure LDAP. An appropriate certificate must be installed and the required network ports must be open for secure LDAP to work correctly.

This article helps you understand and resolve common alerts with secure LDAP access in Azure AD DS.

AADDS101: Secure LDAP network configuration

Alert message

Secure LDAP over the internet is enabled for the managed domain. However, access to port 636 is not locked down using a network security group. This may expose user accounts on the managed domain to password brute-force attacks.

Resolution

When you enable secure LDAP, it's recommended to create additional rules that restrict inbound LDAPS access to specific IP addresses. These rules protect the managed domain from brute-force attacks. To update the network security group to restrict TCP port 636 access for secure LDAP, complete the following steps:

  1. In the Azure portal, search for and select Network security groups.
  2. Choose the network security group associated with your managed domain, such as AADDS-contoso.com-NSG, then select Inbound security rules.
  3. Select + Add to create a rule for TCP port 636. If needed, select Advanced in the window to create a rule.
  4. For the Source, choose IP Addresses from the drop-down menu. Enter the source IP addresses that you want to grant access for secure LDAP traffic.
  5. Choose Any as the Destination, then enter 636 for Destination port ranges.
  6. Set the Protocol to TCP and the Action to Allow.
  7. Specify the priority for the rule, then enter a name such as RestrictLDAPS.
  8. When ready, select Add to create the rule.
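The same change can be scripted. The following Az PowerShell example is added here and is not part of the Microsoft article: it first reports any inbound rule on the NSG that still allows TCP 636 from any source (the condition the alert describes), then adds the restricted allow rule from the steps above plus a deny rule for all other sources. The resource group name, rule priorities and the trusted source addresses are placeholders you must replace.

```powershell
# Assumed values (placeholders): resource group, NSG name and trusted client sources.
$resourceGroup  = 'rg-aadds'                  # assumption: resource group holding the NSG
$nsgName        = 'AADDS-contoso.com-NSG'     # NSG name used as the article's example
$allowedSources = @('203.0.113.10', '198.51.100.0/24')  # constructed sample addresses

$nsg = Get-AzNetworkSecurityGroup -ResourceGroupName $resourceGroup -Name $nsgName

# 1. Detection: list inbound Allow rules that expose TCP 636 to the whole internet.
$openLdaps = $nsg.SecurityRules | Where-Object {
    $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and
    ($_.Protocol -in @('Tcp', '*')) -and
    ($_.DestinationPortRange -contains '636' -or $_.DestinationPortRange -contains '*') -and
    ($_.SourceAddressPrefix -contains '*' -or $_.SourceAddressPrefix -contains 'Internet')
}
foreach ($rule in $openLdaps) {
    Write-Warning ("Rule '{0}' (priority {1}) allows TCP 636 from {2}" -f `
        $rule.Name, $rule.Priority, ($rule.SourceAddressPrefix -join ','))
}

# 2. Mitigation: allow LDAPS only from the trusted sources. NSG rules are evaluated
#    lowest priority number first, so choose a number below any open rule found above.
$allowPriority = 301   # assumption: unused priority, lower than the open rule's
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'RestrictLDAPS' `
    -Description 'Allow LDAPS (TCP 636) only from trusted client IPs' `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority $allowPriority `
    -SourceAddressPrefix $allowedSources -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 636 | Out-Null

# 3. Explicit deny for every other source, placed right after the allow rule so a
#    broader Allow rule that remains at a higher number can no longer expose 636.
$nsg | Add-AzNetworkSecurityRuleConfig -Name 'DenyLDAPSFromInternet' `
    -Description 'Deny LDAPS (TCP 636) from all other sources' `
    -Direction Inbound -Access Deny -Protocol Tcp -Priority ($allowPriority + 1) `
    -SourceAddressPrefix '*' -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 636 | Out-Null

# Commit both rules to Azure in one update.
$nsg | Set-AzNetworkSecurityGroup | Out-Null
```

Run the detection part alone first if you only want to confirm whether the NSG matches the alert before changing it.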

The managed domain's health automatically updates itself within two hours and removes the alert.

Tip

TCP port 636 isn't the only rule needed for Azure AD DS to run smoothly. To learn more, see Azure AD DS network security groups and required ports.

AADDS502: Secure LDAP certificate expiring

Alert message

The secure LDAP certificate for the managed domain will expire on [date].

Resolution

Create a replacement secure LDAP certificate by following the steps to create a certificate for secure LDAP. Apply the replacement certificate to Azure AD DS, and distribute the certificate to any clients that connect using secure LDAP.

Next steps

If you still have issues, open an Azure support request for additional troubleshooting assistance.