Ssl – Active Directory LDAPS and Java 181 LDAPS Verification

Java 8u181 (Java 8 Update 181) enhances security around LDAPS connections:

Change: Improve LDAP support Endpoint identification has been enabled
on LDAPS connections. To improve the robustness of LDAPS (secure LDAP
over TLS ) connections, endpoint identification algorithms have been
enabled by default. Note that there may be situations where some
applications that were previously able to successfully connect to an
LDAPS server may no longer be able to do so. Such applications may, if
they deem appropriate, disable endpoint identification using a new
system property:
com.sun.jndi.ldap.object.disableEndpointIdentification. Define this
system property (or set it to true) to disable endpoint identification
algorithms. JDK-8200666 (not public)

One of these enhancements seem to be checking that the domain name is on the certificate. However, the default behavior of Active Directory seems to be to only have the name for the AD server that happens to be returned under the many A records of the AD domain name – and it seems rare that clients will support a list of hosts.

I also see this pattern outside of Java (i.e. Go programs will check this now as well see Go 1.10 release notes on Certificate.Verify).

There is a somewhat intimidating technet article on getting names on the cert in a way that will be renewed: https://blogs.technet.microsoft.com/russellt/2016/06/03/custom-ldap-certs/

I'm sure I'm not the only one here running into this:

1. Has anyone had success in either adding the name to the cert, or maybe using a load balancer in front of LDAPS for generic non-AD specific LDAP clients?
2. Does anyone know if Microsoft is on this issue in any way that might have changes coming in the future that make "disable verification and wait" a sane tactic?