MICROSOFT LDAP SERVER SCR CREATION & SSL CERTIFICATE INSTALLATION
Applies to Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Note: Before you install a certification authority (CA), you should be aware that you are creating or extending a public key infrastructure (PKI). Be sure to design a PKI that is appropriate for your organization.
ENABLING LDAPS FOR DOMAIN CONTROLLERS USING A MULTI-TIER CA HIERARCHY
When you have a multi-tier (such as a two-tier or three-tier) CA hierarchy, you will not automatically have the appropriate certificate for LDAPS authentication on the domain controller. In order to enable LDAPS in a multi-tier CA hierarchy, you must request a certificate that meets the following requirements:
Certificate must be valid for the purpose of Server Authentication. This means that it must also contains the Server Authentication object identifier (OID): 22.214.171.124.126.96.36.199.1
The Subject name or the first name in the Subject Alternative Name (SAN) must match the Fully Qualified Domain Name (FQDN) of the host machine, such as Subject:CN=server1.contoso.com. For more information, see How to add a Subject Alternative Name to a secure LDAP certificate .
The host machine account must have access to the private key.
PUBLISHING A CERTIFICATE THAT SUPPORTS SERVER AUTHENTICATION
1. On the issuing Certification Authority computer, open the Certificates console or Certsrv console. To open Certsrv, click Start. Type certsrv.msc and then click OK.
2. Ensure that Certification Authority is expanded as well as the name of the certification authority.
3. Right-click Certificate Templates and then click Manage.
4. In the Certificate Templates Console, right-click Kerberos Authentication and then select Duplicate Template. You don’t have to use the Kerberos template. You can create your own or use one of the existing templates that has Server Authentication as a purpose, such as Domain Controller Authentication, Domain Controller, Web Server, and Computer.
Note: You should be planning on having only one certificate on each LDAP server (i.e. domain controller or AD LDS computer) with the purpose of Server Authentication. If you have legitimate reasons for using more than one, you may end up having certificate selection issues, which is discussed further in the Active Directory Domain Services Certificate Storage.
5. On the Duplicate Template dialog box, leave the default selected Windows Server 2003 Enterprise selected and then click OK.
6. The Properties of New Template appear. Ensure that settings are as you want them to be for this certificate template. Pay close attention to ensure that the Template display name is set to an appropriate name along with the following settings:
- Validity and Renewal periods are set according to your organization’s security policy.
- Key lengths are appropriate.
- Select whether you want to place the certificate in Active Directory.
- Subject Name tab: DNS name and Service principal name (SPN) are selected.
- If you plan to import the certificate into the Active Directory Domain Services certificate store, then should also mark the private key as exportable.
7. Click OK.
8. Return to the Certificates or Certsrv console and in the details pane of Certificate Templates, right-click an open area of the console, click New, and then click Certificate Template to Issue.
9. In the Enable Certificate Templates dialog box, select the name of the new template you created and then click OK.
REQUESTING A CERTIFICATE FOR SERVER AUTHENTICATION
- To request a certificate from your LDAPSL server, do the following on each domain controller that requires LDAPS connections:
1. Open the Certificates console. Click Start, type MMC, and then press ENTER. If prompted by User Account Control, ensure it displays the action you want and then click Yes.
2. In the MMC console that opens (typically Console1), click File and then click Add/Remove Snap-in.
3. In Add or Remove Snap-ins under Available Snap-ins, click Certificates, and then click Add.
4. In Certificates snap-in select Computer account and then click Next.
5. In Select Computer, if you are managing the LDAP server requiring the certificate, select Local. Otherwise, select Another computer and click Browse to locate the LDAP server requiring the certificate.
6. Once you have the correct computer selected, click OK and then click Finish.
7. In Add or Remove Snap-ins, click OK.
8. In the console tree, expand Certificates (<computer>)
9. Right click Certificates, click All Tasks, and then click Request New Certificate.
10. In Certificate Enrollment, click Next.
11. In the Select Certificate Enrollment Policy, typically you would leave the default of Active Directory Enrollment Policy. If you have a different policy that you should follow, then select that one and click Next.
12. Select a certificate that allows for server authentication, Kerberos works. Click Enroll.
13. On the Certificate Enrollment dialog box, click Finish.
14. In the results pane double-click the certificate that you received to open the Certificate properties dialog box.
15. Click the Details tab, in the Field column, select Enhanced Key Usage. Confirm that Server Authentication (188.8.131.52.184.108.40.206.1).
ENABLING LDAPS FOR CLIENT AUTHENTICATION
Enabling LDAPS on the client is not necessary to protect credentials passed from the client to the server when LDAPS is already enabled on the server. This just allows the client to actually authenticate itself to the server – an extra layer of protection to ensure that the client connecting as COMPUTER_X is actually COMPUTER_X and not some other computer trying to authenticate with COMPUTER_X credentials. The client must be using a certificate from a CA that the LDAP server trusts. Client certificates and AD DS accounts are mapped using altSecurityIdentities, which can be done through various methods. For more information on those methods, see How to map a user to a certificate via all the methods available in the altSecurityIdentities attribute. Certificates are presented to the server during the Transport Layer Security (TLS) key exchange. To enable LDAPS authentication for the client, ensure the certificate is placed in the personal store for the user account.
EXPORTING THE LDAPS CERTIFICATE AND IMPORTANT FOR USE WITH AD DS
The following steps will demonstrate how to export an LDAPS enabled certificate from a domain controller computer’s local certificate store to the Active Directory Domain Services service certificate store (NTDS\Personal). You will have to perform this step for each domain controller that has multiple certificates with the enabled use of Server Authentication. These certificates will have to be manually renewed when they expire and only works starting with Windows Server 2008 domain controllers, as that was the first Windows Server operating system release in which the NTDS was separated out as its own service.
1. Click Start, type mmc and then click OK.
2. Click File and then click Add/Remove Snap-in.
3. Click Certificates and then click Add.
4. In Certificates snap-in select Computer account and then click Next.
5. In Select Computer, if you are working at the LDAP server requiring the certificate, select Local. Otherwise, select Another computer and click Browse to locate the LDAP server requiring the certificate.
6. Once you have the correct computer selected, click OK and then click Finish. In Add or Remove Snap-ins, click OK.
7. In the console tree, expand Certificates (<computer>)
8. In the certificates console of a computer that contains a certificate that can be used for Server Authentication, right-click the certificate, click All Tasks, and then click Export.
9. On the Certificate Export Wizard welcome screen, click Next.
10. On the Export Private Key screen, select Yes, export the private key and then click Next. If you don’t have the option to export the private key, then the certificate template did not allow the exporting of the private key.
11. On the Export File Format screen, you should select Export all extended properties. The other selections are optional.
12. On the Password screen, enter a password that you want to be used when the certificate is imported. You will have to type the password twice: once in the Password box and then again in the Type and confirm password (mandatory) box. Then, click Next.
13. On the File to Export screen, enter a path, file name, and .pfx file extension in the File name box and then click Next.
14. Confirm the settings on the completion screen and then click Finish. You should see a pop-up message indicating that the export was successful. Click OK.
15. Click File and then click Add/Remove Snap-in.
16. Click Certificates and then click Add.
17. Select Service account and then click Next.
18. In the Select Computer dialog box, ensure that you target the appropriate computer. If you are running the Microsoft Management Console (MMC) and want to target the local computer, you can leave the default selection of Local computer. Otherwise, select Another computer and then use the Browse button to select the appropriate computer. Then click Next.
19. Select Active Directory Domain Services and then click Finish.
20. On the Add or Remove Snap-ins dialog box click OK.
21. Expand Certificates – Services (Active Directory Domain Services) and then click NTDS\Personal.
22. Right-click NTDS\Personal, click All Tasks, and then click Import.
23. On the Certificate Import Wizard welcome screen, click Next.
24. On the File to Import screen, click the Browse, and then locate the certificate file that you exported previously.
25. On the Open screen, ensure that Personal Information Exchange (*pfx,*.p12) is selected as the file type and then navigate the file system to locate the certificate you exported previously and then click that certificate.
26. Click Open and then click Next.
27. On the Password screen enter the password you set for the file and then click Next.
28. On the Certificate Store page, ensure that Place all certificates in the following store is selected and reads Certificate store: NTDS\Personal and then click Next.
29. On the Certificate Import Wizard completion screen, click Finish. You should then see a message that the import was successful. Click OK.
30. In the Navigation pane, under NTDS\Personal, click Certificates.
31. In the details pane, right-click the certificate you imported and then click Open.
32. Click Details and then click Enhanced Key Usage, you should see that Server Authentication (220.127.116.11.18.104.22.168.1) is one of the purposes of the certificate and then click OK.
VERIFYING AN LDAPS CONNECTION
- After a certificate is installed, follow these steps to verify that LDAPS is enabled:
1. Start the Active Directory Administration Tool (Ldp.exe)
2. On the Connection menu, click Connect.
3. Type the name of the LDAP server (e.g. domain controller or AD LDS/ADAM server) to which you want to connect.
4. Type 636 as the port number.
5. Click OK.
Last updated: August 21, 2017