LDAPS Configuration

Available in ADG v7.4+

Configure LDAPS for Active Directory Guardian (ADG)

The latest version of ADG eliminates LDAP protocol fallback. Admins must explicitly select LDAPS-only (secure) or LDAP-only at install or in settings. If the chosen mode does not allow a valid connection, scans and installs will not run until corrected. Clear error messages guide admins in enforcing encrypted directory connections and reducing misconfiguration risk.


Key functionality

  • No fallback: ADG will not downgrade from LDAPS to LDAP or vice versa.
  • Explicit mode selection: Choose LDAPS-only (secure) or LDAP-only at install or in Settings.
  • Validation built-in: If ADG cannot connect in the selected mode, scans and installs cannot proceed until the connection is valid.

Default behavior: If you make no changes, ADG continues operating in LDAP-only (port 389).


Modes at a glance

Mode        Encryption  Port  Fallback
LDAPS-only  Yes         636   None
LDAP-only   No          389   None

Known limitation: If LDAPS-only is enforced but your domain controllers don’t accept secure connections, ADG will fail to connect (by design).


Enable LDAPS

Option A — During Install

  1. Run the installer from the latest version of ADG.
  2. When prompted for directory connection, select Enforce LDAPS (secure channel only).
  3. Complete the installer. ADG validates LDAPS connectivity before continuing.
  4. If you choose this option, you must paste in your domain name during setup, because of security limitations.

Option B — Post-Install (Settings)

  1. In ADG, go to Settings → Essentials → LDAP.
  2. Select LDAPS-only (secure).
  3. Save to trigger a connectivity check.

Permissions: The ADG service account requirements do not change for LDAPS. Use the same account you use for LDAP.


Error messages you may see

Install-time failure

Installation Error: The account you provided to run SpyCloud Active Directory Guardian does not have permission to replicate data from Active Directory or is unable to connect using the selected LDAP connection mode.

Post-install save failure (toast)

The local Active Directory domain doesn’t appear to be accessible in LDAPS mode. Please review certificate trust, firewall rules, or domain controller configuration.


Troubleshooting

Certificate trust

Ensure each DC presents a valid Server Authentication certificate that chains to a root trusted by the ADG host.

Firewall/ports

Verify TCP 636 is open between ADG and your DCs.

Target DCs

If you restrict DCs by name/IP, confirm those hosts accept LDAPS.

Account & rights

Confirm the ADG service account can connect/bind and replicate as required.

TLS inspection

Disable or bypass middleboxes that intercept TLS between ADG and the DCs; an inspecting proxy presents its own certificate, which fails ADG's trust check.
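As an added example (not SpyCloud's or ADG's code), the PowerShell below checks the first three items above from the ADG host for each DC you name: TCP 636 reachability, chain trust plus hostname match under default .NET validation, and the Server Authentication EKU. It assumes Windows PowerShell 5.1 or later with the Test-NetConnection cmdlet; the function names and the placeholder DC names are mine.

```powershell
# Added pre-flight check for the LDAPS troubleshooting items; not part of ADG.
# Run it on the ADG host so chain trust is evaluated against that host's certificate store.
function Get-LdapsCertificate {
    # Open a TLS session on the LDAPS port and return the certificate the DC presented.
    # -Permissive skips validation so a failing chain can still be inspected; diagnosis only.
    param([string]$Dc, [int]$Port, [switch]$Permissive)
    $client = [System.Net.Sockets.TcpClient]::new($Dc, $Port)
    $ssl = if ($Permissive) {
        [System.Net.Security.SslStream]::new($client.GetStream(), $false, { param($s, $c, $ch, $e) $true })
    } else {
        [System.Net.Security.SslStream]::new($client.GetStream(), $false)   # default .NET validation
    }
    try {
        $ssl.AuthenticateAsClient($Dc)   # non-permissive: throws on untrusted chain or name mismatch
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $client.Dispose() }
}

function Test-LdapsEndpoint {
    param([Parameter(Mandatory)][string]$DomainController, [int]$Port = 636)
    $r = [ordered]@{ DomainController = $DomainController; TcpOpen = $false; TlsTrusted = $false
                     ServerAuthEku = $false; Subject = $null; Detail = 'OK' }

    # Firewall/ports: is TCP 636 reachable from the ADG host?
    $tcp = Test-NetConnection -ComputerName $DomainController -Port $Port -WarningAction SilentlyContinue
    $r.TcpOpen = $tcp.TcpTestSucceeded
    if (-not $r.TcpOpen) { $r.Detail = "TCP $Port unreachable"; return [pscustomobject]$r }

    # Certificate trust and name match, using the same default validation a .NET client applies.
    try { $cert = Get-LdapsCertificate $DomainController $Port; $r.TlsTrusted = $true }
    catch {
        try { $cert = Get-LdapsCertificate $DomainController $Port -Permissive }
        catch { $r.Detail = $_.Exception.GetBaseException().Message; return [pscustomobject]$r }
        # Explain the failure: untrusted chain (missing root, TLS-inspecting middlebox) or name mismatch.
        $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        if ($chain.Build($cert)) { $r.Detail = "chain trusted; likely name mismatch for '$DomainController'" }
        else { $r.Detail = ($chain.ChainStatus.StatusInformation | ForEach-Object { $_.Trim() }) -join '; ' }
    }
    $r.Subject = $cert.Subject
    # Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1) must be present on the DC certificate.
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $r.ServerAuthEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
    [pscustomobject]$r
}

# Usage (replace the placeholder names with the DCs ADG is configured to target):
# 'dc1.corp.example', 'dc2.corp.example' | ForEach-Object { Test-LdapsEndpoint $_ } | Format-Table -AutoSize
```

A row with TcpOpen true but TlsTrusted false points at certificate trust, a name mismatch or a middlebox; TcpOpen false points at the firewall or a DC not listening on 636.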


How to get the update

Download the installer and documentation for the latest version from the SpyCloud Enterprise Portal → Software Downloads.