In a locked down environment, i'v tried to add another domain by manually specifying LDAP connection. Following ports were were allowed to another domain's DC's:
* 636 (for LDAPS)
* 3269 (for Global Catalog)
* 88 (For Kerberos)
Connection was added
1. LDAP Path: LDAP://int.domain1.local:636/DC=int,DC=domain1,DC=local
2. Authentication Type used Encryption and Secure.
3. Test LDAP Connection sucesfulyl succeeds.
However queries were not working, were timing out. Having recorded a trace, turns out LDAPCP wants to use UDP 389 (CLDAP) port to query such LDAP query:
```
...
+ Udp: SrcPort = 49655, DstPort = LDAP(389), Length = 166
Cldap: (CLDAP)Search Request, MessageID: 34031, BaseObject: NULL, SearchScope: base Object, SearchAlias: neverDerefAliases
- LDAPMessage: Search Request, MessageID: 34031
+ ParserHeader:
+ MessageID: 34031
+ OperationHeader: Search Request, 3(0x3)
- SearchRequest: BaseDN: NULL, SearchScope: base Object, SearchAlias: neverDerefAliases
+ BaseObject: NULL
+ Scope: base Object
+ Alias: neverDerefAliases
+ SizeLimit: No Limit
+ TimeLimit: No Limit
+ TypesOnly: False
+ Filter: (&(DnsDomain=int.domain1.local)(Host=hostname)(NtVer=16:00:00:00)(DnsHostName=hostname.domain2.local))
+ Attributes: ( Netlogon )
```
I suspect this is because of this in SetLDAPConnections: ``` directoryEntries[i++] = Domain.GetComputerDomain().GetDirectoryEntry(); ```
This SO Question confirms that this method issues queries without [SSL: How to use SSL for System.DirectoryServices.ActiveDirectory?](http://stackoverflow.com/questions/12510697/how-to-use-ssl-for-system-directoryservices-activedirectory)
After opening 389 UDP port, People Picker can now find users/groups in another domain and doesn't time out.
Could you consider making connection to SharePoint domain in another way, so we don't have to depend on non-secure 389 port?
Comments: Hello Ivan, I have a question for you regarding the LDAPCP solution. I deployed it on my sharePoint farms and it works great over the 389 port. However when I try to establish a connection over the 636 port as a secure LDAP then it does not connect at all. It only spins and spins and nothing happens at all. That is when I try to test the connection. We tried so many LDAP paths with different servers and it simply does want to create a connection with selecting options over the port 636. I followed the connection path and authentication type as suggested above with selecting "Secure" and "Encryption". From this blog I see that the poster did not have a problem to create a connection over the 636 port although he had problems to run queries. So my problem is even before I start to query the LDAP. Also, I have a question about the authentication types. There is one missing which is the "SSL" or "SecureSocketsLayer". Why is this type missing as an option to check it? Would not it be a crucial type when you are trying to create a secure LDAP connection? Could you help me to see how to troubleshoot this please? Additionally, how could I create a connection using the Kerberos connection? I really need to make this work since this is deployed in a very secure environment and the connection over the 389 port is not acceptable. I can test any newly written solution since I have an environment for that. thank you for your time and help. Best regards Libor
* 636 (for LDAPS)
* 3269 (for Global Catalog)
* 88 (For Kerberos)
Connection was added
1. LDAP Path: LDAP://int.domain1.local:636/DC=int,DC=domain1,DC=local
2. Authentication Type used Encryption and Secure.
3. Test LDAP Connection sucesfulyl succeeds.
However queries were not working, were timing out. Having recorded a trace, turns out LDAPCP wants to use UDP 389 (CLDAP) port to query such LDAP query:
```
...
+ Udp: SrcPort = 49655, DstPort = LDAP(389), Length = 166
Cldap: (CLDAP)Search Request, MessageID: 34031, BaseObject: NULL, SearchScope: base Object, SearchAlias: neverDerefAliases
- LDAPMessage: Search Request, MessageID: 34031
+ ParserHeader:
+ MessageID: 34031
+ OperationHeader: Search Request, 3(0x3)
- SearchRequest: BaseDN: NULL, SearchScope: base Object, SearchAlias: neverDerefAliases
+ BaseObject: NULL
+ Scope: base Object
+ Alias: neverDerefAliases
+ SizeLimit: No Limit
+ TimeLimit: No Limit
+ TypesOnly: False
+ Filter: (&(DnsDomain=int.domain1.local)(Host=hostname)(NtVer=16:00:00:00)(DnsHostName=hostname.domain2.local))
+ Attributes: ( Netlogon )
```
I suspect this is because of this in SetLDAPConnections: ``` directoryEntries[i++] = Domain.GetComputerDomain().GetDirectoryEntry(); ```
This SO Question confirms that this method issues queries without [SSL: How to use SSL for System.DirectoryServices.ActiveDirectory?](http://stackoverflow.com/questions/12510697/how-to-use-ssl-for-system-directoryservices-activedirectory)
After opening 389 UDP port, People Picker can now find users/groups in another domain and doesn't time out.
Could you consider making connection to SharePoint domain in another way, so we don't have to depend on non-secure 389 port?
Comments: Hello Ivan, I have a question for you regarding the LDAPCP solution. I deployed it on my sharePoint farms and it works great over the 389 port. However when I try to establish a connection over the 636 port as a secure LDAP then it does not connect at all. It only spins and spins and nothing happens at all. That is when I try to test the connection. We tried so many LDAP paths with different servers and it simply does want to create a connection with selecting options over the port 636. I followed the connection path and authentication type as suggested above with selecting "Secure" and "Encryption". From this blog I see that the poster did not have a problem to create a connection over the 636 port although he had problems to run queries. So my problem is even before I start to query the LDAP. Also, I have a question about the authentication types. There is one missing which is the "SSL" or "SecureSocketsLayer". Why is this type missing as an option to check it? Would not it be a crucial type when you are trying to create a secure LDAP connection? Could you help me to see how to troubleshoot this please? Additionally, how could I create a connection using the Kerberos connection? I really need to make this work since this is deployed in a very secure environment and the connection over the 389 port is not acceptable. I can test any newly written solution since I have an environment for that. thank you for your time and help. Best regards Libor