Ensure authentication after Microsoft ADV190023 update

If you're using Microsoft Active Directory with enabled channel binding and LDAP signing, you must take additional steps to ensure that Google Cloud Directory Sync (GCDS) authenticates using LDAP over SSL. Otherwise, GCDS won’t connect to Active Directory and your synchronizations will fail. You need to take these steps even if you previously ran a sync using Standard LDAP authentication.

If you're already successfully using LDAP over SSL, you don't need to take any steps. For details on Microsoft advisory ADV190023, see the Microsoft website.

Step 1: Enable TLS in Active Directory

Note: The terms TLS and SSL are often used interchangeably. 

To enable TLS in Active Directory, see the following Microsoft articles:

Step 2: Ensure that the certificate is trusted

The Certificate Authority (CA) that signed your domain controller’s certificate must be trusted by GCDS. Most well-known internet CAs, such as Verisign, Comodo, and Let's Encrypt, are trusted. If you use these CAs, you can skip this step. 

If your CA is not trusted or if you're using your own root CA, follow the steps in Troubleshoot certificate-related errors.

Step 3: Set up Configuration Manager

  1. Open Configuration Manager and go to the LDAP Configuration page.
  2. For the Connection type setting, specify LDAP+SSL.
  3. For the Port setting, specify 636 (if you previously used 389) or 3269 (if you previously used 3268). 
  4. Click Test connection

Step 4: (Optional) Troubleshoot

If your sync has slowed down, see I switched to LDAP+SSL and now my sync is slow.

If you're seeing errors, see Troubleshoot certificate-related errors.

Related topics


  Google, G Suite, and related marks and logos are trademarks of Google LLC. All other company and product names are trademarks of the companies with which they are associated.
Was this helpful?
How can we improve it?