07-14-2021 03:16 PM
Can you use the FQDN of the Active Directory domain instead of specifying the FQDN of every individual domain controller you have in your domain?
For example use the config below:
[ad]
host=domain.com
instead of
[ad]
host=dc1.domain.com
host_2=dc2.domain.com
host_3=dc3.domain.com
It would make sense to create a SAN certificate (only for LDAPS) where you specify the DCs in the SAN extension attribute of the certificate. And it should work, I guess. The advantage here is that you don't need to specify the static domain controllers' FQDNs. Can Duo Proxy make use of this? Or is it really a requirement to specify the DCs separately?
07-20-2021 08:23 AM
No, you need to specify the hosts individually by FQDN or IP.
However, if this is about enabling SSL in an [ad_client] section, feel free to issue one cert with SANs for all your domain controllers. You enable SSL on the Duo proxy to DC connection by providing the CA information to the proxy (the ssl_ca_certs_file option mentioned here). If the Duo proxy has the CA chain for your SAN cert, ssl_verify_hostname is true (the default), and each of the DCs listed as hosts has a SAN in the cert that matches the host FQDN specified, you should be fine.
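The check described in that answer (every configured host must be matched by a SAN in the cert when ssl_verify_hostname is on) can be rehearsed before deploying the cert. The script below is an added example, not Duo's own code: it reads a constructed [ad_client] section in the host / host_2 / host_3 style from this thread and compares each host against a constructed SAN list, applying the usual TLS hostname rules (exact dNSName match, a wildcard only as the whole leftmost label, and IP hosts only satisfied by an iPAddress SAN, never by a dNSName). The SAN list is hand-written here; in practice you would take it from the certificate you issued.

```python
"""Check that every DC listed in a Duo Authentication Proxy [ad_client]
section is covered by the SAN entries of the LDAPS certificate.

Added example, not Duo's own code. The config text and SAN list are
constructed for illustration.
"""
import configparser
import ipaddress

# Constructed sample [ad_client] section (keys follow the thread's host / host_N style).
SAMPLE_CONFIG = """
[ad_client]
host=dc1.domain.com
host_2=dc2.domain.com
host_3=dc3.domain.com
host_4=192.0.2.11
transport=ldaps
ssl_ca_certs_file=C:\\ProgramData\\Duo Security\\ad-ca.pem
ssl_verify_hostname=true
"""

# Constructed SAN entries of a hypothetical cert issued for all DCs.
SAMPLE_SANS = [
    ("DNS", "dc1.domain.com"),
    ("DNS", "dc2.domain.com"),
    ("DNS", "*.domain.com"),
    ("IP Address", "192.0.2.10"),
]


def configured_hosts(config_text, section="ad_client"):
    """Return the values of host, host_2, host_3, ... from the section, in file order."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(config_text)
    hosts = []
    for key, value in parser[section].items():
        if key == "host" or (key.startswith("host_") and key[5:].isdigit()):
            hosts.append(value.strip())
    return hosts


def dns_name_matches(pattern, hostname):
    """dNSName match: exact, or a single '*' as the entire leftmost label covering one label."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    p_labels = pattern.split(".")
    h_labels = hostname.split(".")
    # The wildcard must be the whole leftmost label, must not span a dot,
    # and is not accepted for a bare second-level name like *.com.
    if p_labels[0] != "*" or len(p_labels) != len(h_labels) or len(p_labels) < 3:
        return False
    return p_labels[1:] == h_labels[1:]


def san_covers_host(sans, host):
    """True if some SAN entry covers host. An IP host needs an iPAddress SAN;
    a dNSName that merely spells out the IP does not satisfy verification."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None:
            if kind == "IP Address" and ipaddress.ip_address(value) == ip:
                return True
        elif kind == "DNS" and dns_name_matches(value, host):
            return True
    return False


def check_coverage(config_text, sans):
    """Map each configured host to whether hostname verification would accept the cert."""
    return {h: san_covers_host(sans, h) for h in configured_hosts(config_text)}


def uncovered_hosts(config_text, sans):
    """Hosts that ssl_verify_hostname=true would reject with this cert."""
    return [h for h, ok in check_coverage(config_text, sans).items() if not ok]


if __name__ == "__main__":
    for host, ok in check_coverage(SAMPLE_CONFIG, SAMPLE_SANS).items():
        status = "covered" if ok else "NOT covered: hostname verification would fail"
        print(f"{host:20s} {status}")
```

Run as-is, the constructed sample reports dc1, dc2 and dc3 as covered (dc3 via the *.domain.com wildcard) and flags 192.0.2.11, because the cert only carries an iPAddress SAN for 192.0.2.10. Listing DCs by IP, which the answer allows, therefore means the cert must carry matching iPAddress entries or verification has to be relaxed, so FQDNs with dNSName SANs are the cleaner choice.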