We help IT Professionals succeed at work.

LDAPS with Windows 2008 R2

zyberion asked
Dear All,

We have been asked to configure LDAPS over TLS/SSL
Unfortunately, we have never done this before and we are looking for guide to help dummies like us :)

We have set up a new domain : demo.lab
The domain controller, DC1, is running Windows 2008 R2.
DC1 has the following roles: AD DS, DNS, File Server, Web Server

Could you tell me what are the steps to configure LDAPS over SSL/TLS on Windows 2008 R2?
Is there any LDAPS with 2008 r2 for dummies?

Some article says we have to set up a server with Active Directory Certificate Services role.
Can we add this role to the current domain controller?

Kind Regards,
Watch Question

It depends.

By default Active Directory DCs have LDAPS enabled with no configuration required.

However, your LDAP client may not trust the LDAPS certificate that is presented from your DC.

You should be able to connect to any DC with proper credentials to port 636 using LDAPS. Depending on your client it may refuse or prompt you for to accept the certificate that would be presented by the DC.

Often the hard part of connecting to AD using LDAP is determining the FDN of the user to login with. See here on how to find it:



Thanks for your answer

I have tried to connect to LDAP over SSL through port 636 using ldp.exe tool. It didni't work.
It works if I connect to LDAP on port 389.

In the Event Viewer, I found the following error message:
LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.

It seems the LDAP is not configured to accept SSL as there is no certificate available..

As I never configured certificates stuff on Windows, I don't know how to do it.
Can I create a self-signed certificate for LDAPS? How can I do it?
Can I configure a standalone CA on my DC? How?

Thanks for your help

Kind Regards,
I've seen this error previously with ADAM. For AD, that seems weird since it should have read access to any key (or file) on the system. It may be that the key for the cert got removed though.

Try this link:



Thanks following your recommendation

It worked like a charm :)