Troubleshoot secure LDAP connectivity issues to an Azure Active Directory Domain Services managed domain

Applications and services that use the Lightweight Directory Access Protocol (LDAP) to communicate with Azure Active Directory Domain Services (Azure AD DS) can be configured to use secure LDAP. An appropriate certificate must be in place and the required network ports must be open for secure LDAP to work correctly.

This article helps you troubleshoot issues with secure LDAP access in Azure AD DS.

Common connection issues

If you have trouble connecting to an Azure AD DS managed domain using secure LDAP, review the following troubleshooting steps. After each troubleshooting step, try to connect to the managed domain again:

  • The issuer chain of the secure LDAP certificate must be trusted on the client. You can add the root certification authority (CA) to the trusted root certificate store on the client to establish the trust.
  • Verify that the secure LDAP certificate for your managed domain has the DNS name in the Subject or the Subject Alternative Name attribute.
  • Verify that the LDAP client, such as ldp.exe, connects to the secure LDAP endpoint using a DNS name, not the IP address.
    • The certificate applied to the managed domain doesn't include the IP addresses of the service, only the DNS names.
  • Check the DNS name the LDAP client connects to. It must resolve to the public IP address for secure LDAP on the managed domain.
    • If the DNS name resolves to the internal IP address, update the DNS record to resolve to the external IP address.
  • For external connectivity, the network security group must include a rule that allows traffic to TCP port 636 from the internet.
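The checklist above can be turned into a small diagnostic script. The following is an added example, not code from the article or from Microsoft: the pure functions map observed facts (resolved addresses, whether TCP 636 answered, whether the chain verified, the certificate's names) onto the five checks, and `check_live` gathers those facts from a real endpoint using only the Python standard library. The host name `ldaps.aaddscontoso.com` and the addresses in the comments are constructed placeholders; the certificate dict shape is the one `ssl.SSLSocket.getpeercert()` returns.

```python
"""Diagnostic helper for the secure LDAP checklist (added example, not Microsoft's code)."""
import ipaddress
import socket
import ssl

LDAPS_PORT = 636  # secure LDAP port named in the article


def is_ip_literal(value: str) -> bool:
    """True when the client is connecting by IP address rather than by DNS name."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def is_public_ip(address: str) -> bool:
    """True for a globally routable address, i.e. the external IP the DNS record should point to."""
    return ipaddress.ip_address(address).is_global


def cert_dns_names(cert: dict) -> list:
    """DNS names from the Subject Alternative Name plus the Subject CN, read from a
    certificate in the dict form that ssl.SSLSocket.getpeercert() returns."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def cert_matches_hostname(cert: dict, hostname: str) -> bool:
    """True when the name the client uses appears in the certificate.
    A '*.' wildcard covers exactly one leading label, so *.example.com does not match a.b.example.com."""
    host = hostname.lower().rstrip(".")
    for name in cert_dns_names(cert):
        name = name.lower().rstrip(".")
        if name.startswith("*."):
            first, _, rest = host.partition(".")
            if first and rest == name[2:]:
                return True
        elif name == host:
            return True
    return False


def diagnose(hostname: str, resolved_ips, cert, chain_trusted: bool, port_open: bool) -> list:
    """Map observed facts onto the article's checks. Returns findings; an empty list means all checks passed."""
    findings = []
    if is_ip_literal(hostname):
        findings.append("client connects by IP address; use the DNS name instead")
    private = [ip for ip in resolved_ips if not is_public_ip(ip)]
    if private:
        findings.append("DNS name resolves to internal address(es) %s; update the record to the external IP"
                        % ", ".join(private))
    if not port_open:
        findings.append("TCP port 636 not reachable; check the network security group rule")
    if not chain_trusted:
        findings.append("certificate issuer chain not trusted; add the root CA to the client's trusted root store")
    if cert is not None and not cert_matches_hostname(cert, hostname):
        findings.append("certificate has no Subject or SAN entry for %s" % hostname)
    return findings


def check_live(hostname: str, timeout: float = 5.0) -> list:
    """Collect the facts from a real endpoint (needs network access) and run diagnose() on them."""
    try:
        resolved = sorted({info[4][0] for info in
                           socket.getaddrinfo(hostname, LDAPS_PORT, type=socket.SOCK_STREAM)})
    except socket.gaierror as exc:
        return ["DNS name %s does not resolve: %s" % (hostname, exc)]
    port_open, chain_trusted, cert = False, False, None
    ctx = ssl.create_default_context()  # verifies the issuer chain against the client's trusted roots
    ctx.check_hostname = False  # the name check is done separately so its finding is specific
    try:
        with socket.create_connection((hostname, LDAPS_PORT), timeout=timeout) as raw:
            port_open = True
            try:
                with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
                    chain_trusted = True
                    cert = tls.getpeercert()
            except ssl.SSLCertVerificationError:
                chain_trusted = False  # chain failed; name check is skipped because no cert is available
    except OSError:
        port_open = False
    return diagnose(hostname, resolved, cert, chain_trusted, port_open)


if __name__ == "__main__":
    # Constructed placeholder host name; replace with your managed domain's secure LDAP DNS name.
    for finding in check_live("ldaps.aaddscontoso.com") or ["all secure LDAP checks passed"]:
        print(finding)
```

`check_live` deliberately leaves hostname verification to `cert_matches_hostname` rather than `ssl`, so that a trust-store problem and a name mismatch produce different findings, matching the separate items in the list above.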

Next steps

If you still have issues, open an Azure support request for additional troubleshooting assistance.