Issues with LDAPS Configuration in SOTI MobiControl

Publish Date: 16-Apr-2025 Last Modified Date: 27-Aug-2025 SOTI MobiControl

Summary

The transition from LDAP to LDAPS resulted in login failures. Specifically, the LDAP port was not updated from 389 to 636 and SSL was not enabled, so communication with the directory services failed.

Related SOTI ONE Platform Products

SOTI MobiControl

Issue Description

As part of enhancing security, SOTI MobiControl supports connecting to directory services using LDAPS (LDAP over SSL). However, if the transition from LDAP (port 389) to LDAPS (port 636) is not correctly configured, it can lead to authentication failures, particularly for users logging into the SOTI MobiControl Management Console or enrolling devices using directory-based authentication.

Environment

  • SOTI MobiControl by default is set to use LDAP on port 389. Updating to LDAPS requires the use of port 636.
  • Configuring a new directory connection via secure LDAP (LDAPS)

Symptoms

  • Users are unable to log in to the SOTI MobiControl Management Console. Errors may be observed during authentication attempts using directory-based login methods.

  • LDAP-based device enrollments may also fail.

Prevention

To avoid similar issues during future transitions:

  • Always validate port and SSL settings after changing directory configurations.

  • Use ldp.exe or similar tools to confirm secure connectivity before deploying configuration changes.

  • Maintain proper certificate distribution and trust chain across all involved servers.

Cause

The connection configuration within SOTI MobiControl has not been updated to reflect the secure LDAPS protocol:

  • Port remains set to 389 (default for insecure LDAP).

  • SSL is not enabled in the directory settings.

Issue Resolution

1. Update Directory Connection Settings in SOTI MobiControl.

  1. Open the SOTI MobiControl Management Console.

  2. Navigate to:
    Global Settings ➔ Authentication Options

  3. Locate the existing LDAP configuration entry.

  4. Update the following:

    • Port: Change from 389 to 636.

    • Enable SSL: Check the option to enable secure LDAPS communication.

  5. Save the changes.

2. Test the LDAPS Configuration.

After updating the settings:

  • Attempt a login using directory credentials.

  • Verify successful authentication and enrollment functions.

3. Verify Network Connectivity with LDAPS.

Use the built-in ldp.exe tool to test LDAPS communication from all Deployment Servers and Management Servers:

  1. Launch ldp.exe (part of Microsoft RSAT tools).

  2. Connect to the LDAP server:

    • Server: FQDN of the LDAP server

    • Port: 636

    • SSL: Enabled (checkbox selected)

  3. Confirm successful bind.

If the connection fails:

  • Ensure that the SSL certificate used by the LDAP server is valid and trusted.

  • The Certificate Authority that issued the certificate should be:

    • Present in the Personal certificate store on the LDAP server.

    • Trusted on all DS/MS servers (under Trusted Root Certification Authorities).
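The following PowerShell script is an added example (not part of this SOTI article or of ldp.exe) that performs the same three checks from a DS/MS server: TCP reachability on 636, a TLS handshake validated against the server's Trusted Root store, and an LDAPS bind. The server FQDN is a placeholder to replace with your own.

```powershell
# Added example: scripted LDAPS check to run on each Deployment/Management Server.
# Placeholder FQDN below; port 636 is the LDAPS port referenced in the article.
param(
    [string]$LdapServer = 'dc01.corp.example.com',   # placeholder, replace with your DC
    [int]$Port = 636
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# Check 1: TCP reachability. A firewall block or a server still listening only on 389
# shows up here, before any certificate question arises.
$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($LdapServer, $Port)
} catch {
    Write-Host "TCP connect to ${LdapServer}:$Port failed: $($_.Exception.Message)"
    return
}

# Check 2: TLS handshake with chain validation, the same trust decision Windows makes
# when 'SSL' is ticked. The FQDN must match the certificate subject/SAN and the issuing
# CA must be present under Trusted Root Certification Authorities on this server.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($LdapServer)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    Write-Host "TLS OK. Subject: $($cert.Subject) Issuer: $($cert.Issuer) Expires: $($cert.NotAfter)"
} catch {
    Write-Host "TLS handshake failed (untrusted CA, name mismatch or expired cert): $($_.Exception.Message)"
    return
} finally {
    $tcp.Close()
}

# Check 3: an LDAPS bind with the current Windows credentials, equivalent to
# 'Confirm successful bind' in ldp.exe. TLS OK but bind failing points at the
# account or directory permissions rather than at the SSL configuration.
$id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($LdapServer, $Port)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
try {
    $conn.Bind()
    Write-Host "LDAPS bind succeeded against ${LdapServer}:$Port"
} catch {
    Write-Host "LDAPS bind failed: $($_.Exception.Message)"
} finally {
    $conn.Dispose()
}
```

Run it once per Deployment Server and Management Server, since certificate trust is evaluated on the server making the connection, not centrally.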

Known Issues

Incorrect LDAPS configuration directly affects:

  • User authentication in the Management Console.

  • Device enrollments relying on directory-based authentication.

Ensuring secure and correct LDAPS configuration is essential for maintaining uninterrupted access and proper security posture.
