Active Directory (AD) and LDAP failures on Flex Appliance if the certificate common name (CN) is not the Fully Qualified Domain Name (FQDN)
Problem:
You can't sign in to the Flex Appliance Console with a remote user (AD or LDAP), and importing remote users or groups fails.
Error Message:
When you attempt to sign in to the appliance with a remote user, the following message appears: "V-492-100-104: Invalid user credentials."
When you attempt to import a remote user or group, the following message appears: "V-492-502-16: Unable to contact remote directory server."
Cause:
Flex Appliance versions earlier than 6.2 require that the domain controller's (DC) certificate have the Fully Qualified Domain Name (FQDN) in the Common Name (CN) field. If the CN holds the short name (for example, host1) instead of the FQDN (for example, host1.example.com), the connection or certificate validation fails.
These errors occur because Flex Appliance performs strict hostname matching during SSL/TLS certificate validation, and versions earlier than 6.2 match on the CN: the CN must exactly equal the FQDN of the domain controller that the appliance connects to. A certificate whose CN does not match is rejected, because hostname verification is what prevents a certificate issued to a different host from being accepted for the directory server.
Solution:
Make sure that the domain controller's FQDN is in the CN field of the certificate that the remote domain presents. If the domain controller has more than one certificate, make sure that the FQDN is in the CN field of every one of them.
Note:
Starting with Flex Appliance version 6.2, the FQDN no longer has to be in the CN field. Instead, the certificate's Subject Alternative Name (SAN) must contain the value that you entered when you connected to the domain: either the domain controller's FQDN or its IP address.
The appliance checks the SAN field when it connects. If the entered value is present in the SAN, the connection is allowed; otherwise, it fails.
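Both matching rules, the one described under Cause (versions earlier than 6.2: the CN must equal the FQDN) and the one in the note above (6.2 and later: the SAN must contain the FQDN or IP address you entered), can be checked against a domain controller's certificate before you connect the domain. The following is an added example, not Flex Appliance code. It works on the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns; the sample certificates, the host name host1.example.com and the address 192.0.2.10 are constructed values. The article does not say whether the appliance compares names case-insensitively or tolerates a trailing dot; the example normalizes both, which is an assumption.

```python
"""Check a DC certificate against the two Flex Appliance name-matching rules.

Added example, not Flex Appliance code. Certificates are represented in the
dictionary form returned by ssl.SSLSocket.getpeercert().
"""
import ipaddress
import socket
import ssl

# Constructed sample: CN holds the short host name, SAN carries the FQDN and
# the DC's IP address (hypothetical values).
SAMPLE_DC_CERT = {
    "subject": ((("commonName", "host1"),),),
    "issuer": ((("commonName", "Example Issuing CA"),),),
    "subjectAltName": (("DNS", "host1.example.com"), ("IP Address", "192.0.2.10")),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
}

# Constructed sample of the same certificate after the CN was corrected to the FQDN.
FIXED_DC_CERT = {**SAMPLE_DC_CERT, "subject": ((("commonName", "host1.example.com"),),)}


def _norm(name):
    # Assumption: DNS names compare case-insensitively and a trailing dot is ignored.
    return name.rstrip(".").lower()


def common_names(cert):
    """All commonName values in the subject (a subject may carry more than one RDN)."""
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]


def cn_matches_fqdn(cert, fqdn):
    """Rule for Flex Appliance earlier than 6.2: the CN must equal the DC's FQDN."""
    return any(_norm(cn) == _norm(fqdn) for cn in common_names(cert))


def san_matches_target(cert, target):
    """Rule for Flex Appliance 6.2 and later: the SAN must contain the FQDN or IP
    address that was entered for the domain. An IP target only matches an
    'IP Address' SAN entry; a name target only matches a 'DNS' entry."""
    try:
        want_ip = ipaddress.ip_address(target)
    except ValueError:
        want_ip = None
    for kind, value in cert.get("subjectAltName", ()):
        if want_ip is not None:
            if kind == "IP Address":
                try:
                    if ipaddress.ip_address(value) == want_ip:
                        return True
                except ValueError:
                    continue  # malformed SAN entry, ignore it
        elif kind == "DNS" and _norm(value) == _norm(target):
            return True
    return False


def check_for_version(cert, target, flex_version):
    """Apply the rule for the given appliance version; returns (ok, rule_name)."""
    if flex_version < (6, 2):
        return cn_matches_fqdn(cert, target), "CN must equal FQDN"
    return san_matches_target(cert, target), "SAN must contain entered FQDN or IP"


def fetch_dc_cert(host, port=636, cafile=None):
    """Pull the live LDAPS certificate from a DC (network; not used offline).
    The chain must validate against the system trust store or `cafile`;
    hostname checking is disabled here because the functions above do it."""
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.check_hostname = False
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


if __name__ == "__main__":
    for label, cert in (("short-name CN", SAMPLE_DC_CERT), ("FQDN CN", FIXED_DC_CERT)):
        for version in ((6, 1), (6, 2)):
            ok, rule = check_for_version(cert, "host1.example.com", version)
            print(f"{label:14} Flex {version[0]}.{version[1]}: {'OK' if ok else 'FAIL'} ({rule})")
        ok, rule = check_for_version(cert, "192.0.2.10", (6, 2))
        print(f"{label:14} Flex 6.2 by IP: {'OK' if ok else 'FAIL'} ({rule})")
```

Running the script shows the situation the article describes: the short-name certificate fails on 6.1 but passes on 6.2 by either the FQDN or the IP address, and only the corrected certificate passes on both. To look at a live certificate without Python, `openssl s_client -connect dc-host:636 </dev/null | openssl x509 -noout -subject -ext subjectAltName` (OpenSSL 1.1.1 or later) prints the CN and SAN fields that these rules compare.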
Flex version 6.2 also lets you upload AD-SSL certificates through the Flex Appliance Console (User Management -> Edit remote user domain) so that you can provide a valid certificate of your choice.