Commit d6e762b
Merge pull request #104990 from TimShererWithAquent/us1679050a
[1679050] Update SSL references.
2 parents 8a9a48f + 146286b commit d6e762b


7 files changed, +22 -21 lines changed


articles/active-directory-domain-services/join-windows-vm.md

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -71,7 +71,7 @@ If you already have a VM that you want to domain-join, skip to the section to [j
7171

7272
1. By default, VMs created in Azure are accessible from the Internet using RDP. When RDP is enabled, automated sign in attacks are likely to occur, which may disable accounts with common names such as *admin* or *administrator* due to multiple failed successive sign in attempts.
7373

74-
RDP should only be enabled when required, and limited to a set of authorized IP ranges. This configuration helps improve the security of the VM and reduces the area for potential attack. Or, create and use an Azure Bastion host that allows access only through the Azure portal over SSL. In the next step of this tutorial, you use an Azure Bastion host to securely connect to the VM.
74+
RDP should only be enabled when required, and limited to a set of authorized IP ranges. This configuration helps improve the security of the VM and reduces the area for potential attack. Or, create and use an Azure Bastion host that allows access only through the Azure portal over TLS. In the next step of this tutorial, you use an Azure Bastion host to securely connect to the VM.
7575

7676
For now, disable direct RDP connections to the VM.
7777
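Review bot: "over TLS" at line 74+ is the right replacement for the Bastion portal connection, but this change set applies two different conventions for the same substitution: plain "TLS" in this file and in tutorial-create-management-vm.md, and "TLS/SSL" throughout the howto-mfaserver-* files. Pick one form for the whole PR; "TLS" alone is accurate wherever the text describes the protocol, and "TLS/SSL" only buys something where the product UI still labels a setting "SSL".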

articles/active-directory-domain-services/tutorial-configure-ldaps.md

Lines changed: 1 addition & 1 deletion
@@ -64,7 +64,7 @@ The certificate you request or create must meet the following requirements. Your
6464
* **Subject name** - The subject name on the certificate must be your managed domain. For instance, if your domain is named *aaddscontoso.com*, the certificate's subject name must be **.aaddscontoso.com*.
6565
* The DNS name or subject alternate name of the certificate must be a wildcard certificate to ensure the secure LDAP works properly with the Azure AD Domain Services. Domain Controllers use random names and can be removed or added to ensure the service remains available.
6666
* **Key usage** - The certificate must be configured for *digital signatures* and *key encipherment*.
67-
* **Certificate purpose** - The certificate must be valid for SSL server authentication.
67+
* **Certificate purpose** - The certificate must be valid for TLS server authentication.
6868

6969
There are several tools available to create self-signed certificate such as OpenSSL, Keytool, MakeCert, [New-SelfSignedCertificate][New-SelfSignedCertificate] cmdlet etc. In this tutorial, let's create a self-signed certificate for secure LDAP using the [New-SelfSignedCertificate][New-SelfSignedCertificate] cmdlet. Open a PowerShell window as **Administrator** and run the following commands. Replace the *$dnsName* variable with the DNS name used by your own managed domain, such as *aaddscontoso.com*:
7070
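Review bot: the unchanged context line 64 in this hunk renders incorrectly: `**.aaddscontoso.com*` is the wildcard `*.aaddscontoso.com` with the leading asterisk swallowed by markdown italics, so readers see a stray bold asterisk instead of the wildcard subject name. Since this PR already touches the file, escape it as `\*.aaddscontoso.com` (or wrap it in backticks) in the same change. The edit at 67+ to "TLS server authentication" is fine and reads consistently with the "Key usage" bullet above it.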

articles/active-directory-domain-services/tutorial-create-management-vm.md

Lines changed: 1 addition & 0 deletions
@@ -87,6 +87,7 @@ To get started, connect to the Windows Server VM as follows:
8787

8888
![Connect to Windows virtual machine using Bastion in the Azure portal](./media/join-windows-vm/connect-to-vm.png)
8989

90+
You can also [create and use an Azure Bastion host (currently in preview)][azure-bastion] to allow access only through the Azure portal over TLS.
9091
1. Enter the credentials for your VM, then select **Connect**.
9192

9293
![Connect through the Bastion host in the Azure portal](./media/join-windows-vm/connect-to-bastion.png)
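Review bot: line 90+ introduces a reference-style link `[azure-bastion]` but the hunk shows no link definition being added; unless a `[azure-bastion]: ...` definition already exists in tutorial-create-management-vm.md, the sentence will render as literal bracketed text. The screenshot directly above the insertion already shows connecting through Bastion, so "You can also create and use an Azure Bastion host" reads as an alternative to what the step is already doing, and "(currently in preview)" is a time-bound claim that will go stale. This hunk is a new sentence rather than an SSL-to-TLS replacement, so it sits outside the scope stated in "Update SSL references"; confirm the link target and the preview status, or move it to its own PR.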

articles/active-directory/authentication/concept-sspr-writeback.md

Lines changed: 1 addition & 1 deletion
@@ -102,7 +102,7 @@ Password writeback is a highly secure service. To ensure your information is pro
102102
* After the service bus relay is created, a strong symmetric key is created that is used to encrypt the password as it comes over the wire. This key only lives in your company's secret store in the cloud, which is heavily locked down and audited, just like any other password in the directory.
103103
* **Industry standard Transport Layer Security (TLS)**
104104
1. When a password reset or change operation occurs in the cloud, the plaintext password is encrypted with your public key.
105-
1. The encrypted password is placed into an HTTPS message that is sent over an encrypted channel by using Microsoft SSL certs to your service bus relay.
105+
1. The encrypted password is placed into an HTTPS message that is sent over an encrypted channel by using Microsoft TLS/SSL certs to your service bus relay.
106106
1. After the message arrives in the service bus, your on-premises agent wakes up and authenticates to the service bus by using the strong password that was previously generated.
107107
1. The on-premises agent picks up the encrypted message and decrypts it by using the private key.
108108
1. The on-premises agent attempts to set the password through the AD DS SetPassword API. This step is what allows enforcement of your Active Directory on-premises password policy (such as the complexity, age, history, and filters) in the cloud.
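Review bot: "Microsoft TLS/SSL certs" at line 105+ conflates the two things that secure this message: the channel is encrypted by TLS (the bullet heading at line 103 already says "Industry standard Transport Layer Security (TLS)"), while the certificate authenticates the relay endpoint. Suggest "sent over a TLS-encrypted channel to your service bus relay, using Microsoft-issued certificates", and spell out "certificates" rather than "certs" to match the register of the surrounding numbered steps.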

articles/active-directory/authentication/howto-mfaserver-deploy-userportal.md

Lines changed: 14 additions & 14 deletions
@@ -40,11 +40,11 @@ In either scenario, if the Azure Multi-Factor Authentication Web Service SDK is
4040
1. Open the Multi-Factor Authentication Server console.
4141
2. Go to the **Web Service SDK** and select **Install Web Service SDK**.
4242
3. Complete the install using the defaults unless you need to change them for some reason.
43-
4. Bind an SSL Certificate to the site in IIS.
43+
4. Bind a TLS/SSL Certificate to the site in IIS.
4444

45-
If you have questions about configuring an SSL Certificate on an IIS server, see the article [How to Set Up SSL on IIS](https://docs.microsoft.com/iis/manage/configuring-security/how-to-set-up-ssl-on-iis).
45+
If you have questions about configuring a TLS/SSL Certificate on an IIS server, see the article [How to Set Up SSL on IIS](https://docs.microsoft.com/iis/manage/configuring-security/how-to-set-up-ssl-on-iis).
4646

47-
The Web Service SDK must be secured with an SSL certificate. A self-signed certificate is okay for this purpose. Import the certificate into the “Trusted Root Certification Authorities” store of the Local Computer account on the User Portal web server so that it trusts that certificate when initiating the SSL connection.
47+
The Web Service SDK must be secured with a TLS/SSL certificate. A self-signed certificate is okay for this purpose. Import the certificate into the “Trusted Root Certification Authorities” store of the Local Computer account on the User Portal web server so that it trusts that certificate when initiating the TLS connection.
4848

4949
![MFA Server configuration setup Web Service SDK](./media/howto-mfaserver-deploy-userportal/sdk.png)
5050
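Review bot: lines 43+, 45+ and 47+ keep "TLS/SSL Certificate" with a capital C mid-sentence (carried over from the original), while 47+ switches to lowercase "certificate" and "TLS connection" in the same paragraph. Use lowercase throughout, and consider "server certificate" or "TLS certificate": an X.509 certificate is not itself "SSL" or "TLS", it is what the TLS handshake presents, so "TLS/SSL certificate" is the weakest of the available phrasings. Keeping "SSL" in the linked article title at 45+ is correct, since that is the target page's name.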

@@ -54,23 +54,23 @@ The following pre-requisites are required to install the user portal on the **sa
5454

5555
* IIS, including ASP.NET, and IIS 6 meta base compatibility (for IIS 7 or higher)
5656
* An account with admin rights for the computer and Domain if applicable. The account needs permissions to create Active Directory security groups.
57-
* Secure the user portal with an SSL certificate.
58-
* Secure the Azure Multi-Factor Authentication Web Service SDK with an SSL certificate.
57+
* Secure the user portal with a TLS/SSL certificate.
58+
* Secure the Azure Multi-Factor Authentication Web Service SDK with a TLS/SSL certificate.
5959

6060
To deploy the user portal, follow these steps:
6161

6262
1. Open the Azure Multi-Factor Authentication Server console, click the **User Portal** icon in the left menu, then click **Install User Portal**.
6363
2. Complete the install using the defaults unless you need to change them for some reason.
64-
3. Bind an SSL Certificate to the site in IIS
64+
3. Bind a TLS/SSL Certificate to the site in IIS
6565

6666
> [!NOTE]
67-
> This SSL Certificate is usually a publicly signed SSL Certificate.
67+
> This TLS/SSL Certificate is usually a publicly signed TLS/SSL Certificate.
6868
6969
4. Open a web browser from any computer and navigate to the URL where the user portal was installed (Example: https://mfa.contoso.com/MultiFactorAuth). Ensure that no certificate warnings or errors are displayed.
7070

7171
![MFA Server User Portal installation](./media/howto-mfaserver-deploy-userportal/install.png)
7272

73-
If you have questions about configuring an SSL Certificate on an IIS server, see the article [How to Set Up SSL on IIS](https://docs.microsoft.com/iis/manage/configuring-security/how-to-set-up-ssl-on-iis).
73+
If you have questions about configuring a TLS/SSL Certificate on an IIS server, see the article [How to Set Up SSL on IIS](https://docs.microsoft.com/iis/manage/configuring-security/how-to-set-up-ssl-on-iis).
7474

7575
## Deploy the user portal on a separate server
7676
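Review bot: the note at line 67+ now reads "This TLS/SSL Certificate is usually a publicly signed TLS/SSL Certificate", which repeats the doubled term twice in one sentence; "This certificate is usually issued by a public CA, because end users' browsers must trust it without any client-side configuration" says the same thing and gives the reason, which is worth stating given that the Web Service SDK section at line 47 explicitly allows a self-signed certificate. The check at line 69 ("Ensure that no certificate warnings or errors are displayed") is the right verification of that and should stay.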

@@ -82,19 +82,19 @@ If your organization uses the Microsoft Authenticator app as one of the verifica
8282
* Install the user portal on an internet-facing web server running Microsoft internet Information Services (IIS) 6.x or higher.
8383
* When using IIS 6.x, ensure ASP.NET v2.0.50727 is installed, registered, and set to **Allowed**.
8484
* When using IIS 7.x or higher, IIS, including Basic Authentication, ASP.NET, and IIS 6 meta base compatibility.
85-
* Secure the user portal with an SSL certificate.
86-
* Secure the Azure Multi-Factor Authentication Web Service SDK with an SSL certificate.
87-
* Ensure that the user portal can connect to the Azure Multi-Factor Authentication Web Service SDK over SSL.
85+
* Secure the user portal with a TLS/SSL certificate.
86+
* Secure the Azure Multi-Factor Authentication Web Service SDK with a TLS/SSL certificate.
87+
* Ensure that the user portal can connect to the Azure Multi-Factor Authentication Web Service SDK over TLS/SSL.
8888
* Ensure that the user portal can authenticate to the Azure Multi-Factor Authentication Web Service SDK using the credentials of a service account in the "PhoneFactor Admins" security group. This service account and group should exist in Active Directory if the Azure Multi-Factor Authentication Server is running on a domain-joined server. This service account and group exist locally on the Azure Multi-Factor Authentication Server if it is not joined to a domain.
8989

9090
Installing the user portal on a server other than the Azure Multi-Factor Authentication Server requires the following steps:
9191

9292
1. **On the MFA Server**, browse to the installation path (Example: C:\Program Files\Multi-Factor Authentication Server), and copy the file **MultiFactorAuthenticationUserPortalSetup64** to a location accessible to the internet-facing server where you will install it.
9393
2. **On the internet-facing web server**, run the MultiFactorAuthenticationUserPortalSetup64 install file as an administrator, change the Site if desired and change the Virtual directory to a short name if you would like.
94-
3. Bind an SSL Certificate to the site in IIS.
94+
3. Bind a TLS/SSL Certificate to the site in IIS.
9595

9696
> [!NOTE]
97-
> This SSL Certificate is usually a publicly signed SSL Certificate.
97+
> This TLS/SSL Certificate is usually a publicly signed TLS/SSL Certificate.
9898
9999
4. Browse to **C:\inetpub\wwwroot\MultiFactorAuth**
100100
5. Edit the Web.Config file in Notepad
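Review bot: line 87+ ("connect to the Azure Multi-Factor Authentication Web Service SDK over TLS/SSL") should point back to the trust requirement: the SDK section earlier in this file (line 47) allows a self-signed certificate on the SDK and requires importing it into the Trusted Root store of the User Portal server, and in the separate-server deployment described here that import happens on a different machine. Say explicitly that the portal server must trust the SDK's certificate and must reach the SDK by a name the certificate is issued for; otherwise the connection fails at the handshake and the only symptom is a generic portal error. The note at 97+ has the same doubled "TLS/SSL Certificate ... TLS/SSL Certificate" wording as line 67 and can be simplified the same way.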
@@ -107,7 +107,7 @@ Installing the user portal on a server other than the Azure Multi-Factor Authent
107107

108108
6. Open a web browser from any computer and navigate to the URL where the user portal was installed (Example: https://mfa.contoso.com/MultiFactorAuth). Ensure that no certificate warnings or errors are displayed.
109109

110-
If you have questions about configuring an SSL Certificate on an IIS server, see the article [How to Set Up SSL on IIS](https://docs.microsoft.com/iis/manage/configuring-security/how-to-set-up-ssl-on-iis).
110+
If you have questions about configuring a TLS/SSL Certificate on an IIS server, see the article [How to Set Up SSL on IIS](https://docs.microsoft.com/iis/manage/configuring-security/how-to-set-up-ssl-on-iis).
111111

112112
## Configure user portal settings in the Azure Multi-Factor Authentication Server
113113
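Review bot: line 110+ is the third copy of the identical "If you have questions about configuring a TLS/SSL Certificate on an IIS server..." paragraph in this file (also at 45+ and 73+). Since all three are being edited anyway, link to the IIS article once in the prerequisites and drop the other two copies, or at least keep the three word-for-word identical; three separate edits to one sentence is how they drift. The link text "How to Set Up SSL on IIS" should stay as written because it is the target article's title.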

articles/active-directory/authentication/howto-mfaserver-dir-ad.md

Lines changed: 1 addition & 1 deletion
@@ -45,7 +45,7 @@ The following table describes the LDAP configuration settings.
4545

4646
| Feature | Description |
4747
| --- | --- |
48-
| Server |Enter the hostname or IP address of the server running the LDAP directory. A backup server may also be specified separated by a semi-colon. <br>Note: When Bind Type is SSL, a fully qualified hostname is required. |
48+
| Server |Enter the hostname or IP address of the server running the LDAP directory. A backup server may also be specified separated by a semi-colon. <br>Note: When Bind Type is SSL (TLS), a fully qualified hostname is required. |
4949
| Base DN |Enter the distinguished name of the base directory object from which all directory queries start. For example, dc=abc,dc=com. |
5050
| Bind type - Queries |Select the appropriate bind type for use when binding to search the LDAP directory. This is used for imports, synchronization, and username resolution. <br><br> Anonymous - An anonymous bind is performed. Bind DN and Bind Password are not used. This only works if the LDAP directory allows anonymous binding and permissions allow the querying of the appropriate records and attributes. <br><br> Simple - Bind DN and Bind Password are passed as plain text to bind to the LDAP directory. This is for testing purposes, to verify that the server can be reached and that the bind account has the appropriate access. After the appropriate cert has been installed, use SSL instead. <br><br> SSL - Bind DN and Bind Password are encrypted using SSL to bind to the LDAP directory. Install a cert locally that the LDAP directory trusts. <br><br> Windows - Bind Username and Bind Password are used to securely connect to an Active Directory domain controller or ADAM directory. If Bind Username is left blank, the logged-on user's account is used to bind. |
5151
| Bind type - Authentications |Select the appropriate bind type for use when performing LDAP bind authentication. See the bind type descriptions under Bind type - Queries. For example, this allows for Anonymous bind to be used for queries while SSL bind is used to secure LDAP bind authentications. |
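Review bot: the change at line 48+ ("When Bind Type is SSL (TLS)") applies the new terminology only to the Server row, while the unchanged Bind type rows at lines 50 and 51 in the same hunk still say "use SSL instead", "encrypted using SSL" and "SSL bind". Since "SSL" here is the literal option name in the MFA Server UI, the cleaner fix is to keep the label as "SSL" everywhere in the table and add one sentence such as "The SSL bind type uses TLS" rather than annotate a single occurrence. Separately, the Simple bind description at line 50 already states that Bind DN and Bind Password are passed in plain text and that the mode is for testing only; make sure that warning survives whatever terminology pass follows.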

articles/active-directory/authentication/howto-mfaserver-dir-ldap.md

Lines changed: 3 additions & 3 deletions
@@ -34,8 +34,8 @@ To configure LDAP authentication, install the Azure Multi-Factor Authentication
3434

3535
![LDAP Authentication in MFA Server](./media/howto-mfaserver-dir-ldap/ldap2.png)
3636

37-
3. On the Clients tab, change the TCP port and SSL port if the Azure Multi-Factor Authentication LDAP service should bind to non-standard ports to listen for LDAP requests.
38-
4. If you plan to use LDAPS from the client to the Azure Multi-Factor Authentication Server, an SSL certificate must be installed on the same server as MFA Server. Click **Browse** next to the SSL certificate box, and select a certificate to use for the secure connection.
37+
3. On the Clients tab, change the TCP port and SSL (TLS) port if the Azure Multi-Factor Authentication LDAP service should bind to non-standard ports to listen for LDAP requests.
38+
4. If you plan to use LDAPS from the client to the Azure Multi-Factor Authentication Server, an TLS/SSL certificate must be installed on the same server as MFA Server. Click **Browse** next to the SSL (TLS) certificate box, and select a certificate to use for the secure connection.
3939
5. Click **Add**.
4040
6. In the Add LDAP Client dialog box, enter the IP address of the appliance, server, or application that authenticates to the Server and an Application name (optional). The Application name appears in Azure Multi-Factor Authentication reports and may be displayed within SMS or Mobile App authentication messages.
4141
7. Check the **Require Azure Multi-Factor Authentication user match** box if all users have been or will be imported into the Server and subject to two-step verification. If a significant number of users have not yet been imported into the Server and/or are exempt from two-step verification, leave the box unchecked. See the MFA Server help file for additional information on this feature.
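Review bot: line 38+ has a grammar error introduced by the replacement: "an TLS/SSL certificate" should be "a TLS/SSL certificate" (the article was correct for "an SSL" and was not updated). On the same line, "SSL (TLS) certificate box" and line 37+ "SSL (TLS) port" refer to labelled fields in the MFA Server UI, so the parenthetical is fine if the fields are labelled "SSL port" and "SSL certificate", but it should be applied the same way in howto-mfaserver-dir-ad.md, where the same product's "SSL" bind type gets the "SSL (TLS)" treatment only once.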
@@ -76,4 +76,4 @@ To configure the LDAP client, use the guidelines:
7676

7777
* Configure your appliance, server, or application to authenticate via LDAP to the Azure Multi-Factor Authentication Server as though it were your LDAP directory. Use the same settings that you would normally use to connect directly to your LDAP directory, except for the server name or IP address, which will be that of the Azure Multi-Factor Authentication Server.
7878
* Configure the LDAP timeout to 30-60 seconds so that there is time to validate the user’s credentials with the LDAP directory, perform the second-step verification, receive their response, and respond to the LDAP access request.
79-
* If using LDAPS, the appliance or server making the LDAP queries must trust the SSL certificate installed on the Azure Multi-Factor Authentication Server.
79+
* If using LDAPS, the appliance or server making the LDAP queries must trust the TLS/SSL certificate installed on the Azure Multi-Factor Authentication Server.
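Review bot: "must trust the TLS/SSL certificate installed on the Azure Multi-Factor Authentication Server" at line 79+ should say what trusting entails, because the bullet at line 77 tells readers to point the client at the MFA Server by "server name or IP address". For LDAPS the client validates both the issuer (the CA, or the self-signed certificate itself, has to be in the client's trust store) and the name, so a client configured with the IP address fails unless that IP is among the certificate's subject alternative names. Suggest adding "connect by the fully qualified hostname that matches the certificate, and add the issuing CA to the client's trust store", which also lines up with the "a fully qualified hostname is required" note in howto-mfaserver-dir-ad.md.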
