Setting up secure LDAP connection for Exchange

A vendor that does auto off-site archiving for emails wants a LDAP connection for their server. I want to make this as secure as possible.

I am running Exchange 2003 on Win Server 2003 behind a Sonicwall TZ 190 firewall. What is the best way to set this up?
Bob Stone (IT Guru) asked:

You need a certificate to configure secured LDAP. Below are the steps from Microsoft. Use these steps to configure an encrypted connection to their remote LDAP server:
"To enable LDAPS, you must install a certificate that meets the following requirements:

    * The LDAPS certificate is located in the Local Computer's Personal certificate store (programmatically known as the computer's MY certificate store).
    * A private key that matches the certificate is present in the Local Computer's store and is correctly associated with the certificate. The private key must not have strong private key protection enabled.
    * The Enhanced Key Usage extension includes the Server Authentication object identifier (also known as OID).
    * The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places:
          o The Common Name (CN) in the Subject field.
          o DNS entry in the Subject Alternative Name extension.
    * The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
    * You must use the Schannel cryptographic service provider (CSP) to generate the key.

For more information about establishing trust for certificates, see the "Policies to establish trust of root certification authorities" topic in Windows 2000 Server Help.

Creating the certificate request
Any utility or application that creates a valid PKCS #10 request can be used to form the SSL certificate request. Use Certreq to form the request.

Note The commands that are used in this article rely on the 2003 version of Certreq. In order to use the steps in this article on a Windows 2000 server, copy certreq.exe and certcli.dll from a Windows 2003 server into a temporary directory on the Windows 2000 server.

Certreq.exe requires a text instruction file to generate an appropriate X.509 certificate request for a domain controller. You can create this file by using your preferred ASCII text editor. Save the file as an .inf file to any folder on your hard drive.

To request a Server Authentication certificate that is suitable for LDAPS, follow these steps:

   1. Create the .inf file. Following is an example .inf file that can be used to create the certificate request.
      ;----------------- request.inf -----------------
      [Version]
      Signature="$Windows NT$"

      [NewRequest]
      Subject = "CN=<DC fqdn>" ; replace with the FQDN of the DC
      KeySpec = 1
      KeyLength = 1024
      ; Can be 1024, 2048, 4096, 8192, or 16384.
      ; Larger key sizes are more secure, but have
      ; a greater impact on performance.
      Exportable = TRUE
      MachineKeySet = TRUE
      SMIME = False
      PrivateKeyArchive = FALSE
      UserProtected = FALSE
      UseExistingKeySet = FALSE
      ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
      ProviderType = 12
      RequestType = PKCS10
      KeyUsage = 0xa0

      [EnhancedKeyUsageExtension]
      OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

      Cut and paste the sample file into a new text file named Request.inf. Provide the fully qualified DNS name of the domain controller in the request.

      Note Some third-party certification authorities may require additional information in the Subject parameter. Such information includes an e-mail address (E), organizational unit (OU), organization (O), locality or city (L), state or province (S), and country or region (C). You can append this information to the Subject name (CN) in the Request.inf file. For example: Subject=", CN=<DC fqdn>, OU=Servers, O=Contoso, L=Redmond, S=Washington, C=US."
   2. Create the request file. To do this, type the following command at the command prompt, and then press ENTER:
      certreq -new request.inf request.req
      A new file called Request.req is created. This is the base64-encoded request file.
   3. Submit the request to a CA. You can submit the request to a Microsoft CA or to a third-party CA.
   4. Retrieve the certificate that is issued, and then save the certificate as Certnew.cer in the same folder as the request file. To do this, follow these steps:
         1. Create a new file called Certnew.cer.
         2. Open the file in Notepad, paste the encoded certificate into the file, and then save the file.
      Note The saved certificate must be encoded as base64. Some third-party CAs return the issued certificate to the requestor as base64-encoded text in an e-mail message.
   5. Accept the issued certificate. To do this, type the following command at the command prompt, and then press ENTER:
      certreq -accept certnew.cer
   6. Verify that the certificate is installed in the computer's Personal store. To do this, follow these steps:
         1. Start Microsoft Management Console (MMC).
         2. Add the Certificates snap-in that manages certificates on the local computer.
         3. Expand Certificates (Local Computer), expand Personal, and then expand Certificates.
      A new certificate should exist in the Personal store. In the Certificate Properties dialog box, the intended purpose displayed is Server Authentication. This certificate is issued to the computer's fully qualified host name.
   7. Restart the domain controller.

For more information about creating the certificate request, see the following Advanced Certificate Enrollment and Management white paper. To view this white paper, visit the following Microsoft Web site: (
Verifying an LDAPS connection
After a certificate is installed, follow these steps to verify that LDAPS is enabled:

   1. Start the Active Directory Administration Tool (Ldp.exe).

      Note This program is installed in the Windows 2000 Support Tools.
   2. On the Connection menu, click Connect.
   3. Type the name of the domain controller to which you want to connect.
   4. Type 636 as the port number.
   5. Click OK.

      RootDSE information should print in the right pane, indicating a successful connection."
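The Ldp.exe check above (connect on port 636, expect RootDSE output) can be scripted so it also exercises the certificate requirements quoted earlier: the chain must lead to a CA the client trusts, and the DC's FQDN must appear in the CN or a SAN DNS entry. The following is an added example using only the Python standard library; it is not code from the thread or from Microsoft. It hand-encodes the same base-scope RootDSE search that Ldp sends, over a TLS session with verification and hostname checking switched on. The host name, CA file path and the sample bytes in the comments are assumptions.

```python
"""RootDSE probe over LDAPS (TCP 636), Python standard library only.

Added example (not from the thread or Microsoft's KB text). It sends the
base-scope RootDSE search Ldp.exe sends after Connect on port 636, but
with TLS verification on: an untrusted chain or a CN/SAN that does not
carry the DC's FQDN fails before any LDAP traffic flows. Host names,
the CA file and the sample bytes are assumptions.
"""
import socket
import ssl


def ber(tag, content):
    """Encode one BER TLV (definite length, short or long form)."""
    n = len(content)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + content


def ber_int(value):
    """INTEGER for small non-negative values (message IDs, limits)."""
    return ber(0x02, value.to_bytes((value.bit_length() + 8) // 8, "big"))


def build_rootdse_search_request(message_id=1, attributes=()):
    """LDAPMessage { messageID, SearchRequest } for base "" / scope base /
    filter (objectClass=*). An empty attribute list asks for everything."""
    search = (
        ber(0x04, b"")                # baseObject: "" is the RootDSE
        + ber(0x0A, b"\x00")          # scope: baseObject
        + ber(0x0A, b"\x00")          # derefAliases: neverDerefAliases
        + ber_int(0)                  # sizeLimit: none
        + ber_int(0)                  # timeLimit: none
        + ber(0x01, b"\x00")          # typesOnly: FALSE
        + ber(0x87, b"objectClass")   # filter: present(objectClass), tag [7]
        + ber(0x30, b"".join(ber(0x04, a.encode()) for a in attributes))
    )
    return ber(0x30, ber_int(message_id) + ber(0x63, search))  # [APPLICATION 3]


def read_tlv(buf, pos=0):
    """Decode the TLV at buf[pos]; returns (tag, content, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def complete_message_length(buf):
    """Byte length of the first whole LDAPMessage in buf, or None if partial."""
    if len(buf) < 2:
        return None
    length, pos = buf[1], 2
    if length & 0x80:
        n = length & 0x7F
        if len(buf) < 2 + n:
            return None
        length, pos = int.from_bytes(buf[2:2 + n], "big"), 2 + n
    return pos + length if len(buf) >= pos + length else None


def parse_ldap_message(msg):
    """Return (messageID, protocolOp tag, attrs). attrs is {name: [values]}
    for a SearchResultEntry (APPLICATION 4, tag 0x64) and {} otherwise."""
    _, body, _ = read_tlv(msg)
    _, mid, pos = read_tlv(body)
    op_tag, op, _ = read_tlv(body, pos)
    attrs = {}
    if op_tag == 0x64:
        _, _, pos = read_tlv(op)            # objectName, "" for the RootDSE
        _, attr_list, _ = read_tlv(op, pos)
        pos = 0
        while pos < len(attr_list):
            _, attr, pos = read_tlv(attr_list, pos)
            _, name, p = read_tlv(attr)     # AttributeDescription
            _, vals, _ = read_tlv(attr, p)  # SET OF AttributeValue
            values, q = [], 0
            while q < len(vals):
                _, v, q = read_tlv(vals, q)
                values.append(v.decode("utf-8", "replace"))
            attrs[name.decode()] = values
    return int.from_bytes(mid, "big"), op_tag, attrs


def probe_ldaps(host, port=636, cafile=None, timeout=10.0):
    """Verified TLS to host:port, then read the RootDSE. cafile=None uses the
    OS trust store; check_hostname is on, so CN/SAN must match `host`."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            print("peer subject:", tls.getpeercert().get("subject"))
            tls.sendall(build_rootdse_search_request(1))
            buf, rootdse = b"", {}
            while chunk := tls.recv(4096):
                buf += chunk
                while (n := complete_message_length(buf)) is not None:
                    msg, buf = buf[:n], buf[n:]
                    _, op_tag, attrs = parse_ldap_message(msg)
                    rootdse.update(attrs)
                    if op_tag == 0x65:      # SearchResultDone: search finished
                        return rootdse
    return rootdse


if __name__ == "__main__":
    import sys
    # Usage (assumed names): python ldaps_probe.py dc01.domain.com [ca.pem]
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    for name, values in probe_ldaps(sys.argv[1], cafile=ca).items():
        print(f"{name}: {values}")
```

Run it from the host that will actually be making the LDAPS connection, so the trust store and the firewall path being tested are the ones in play. A certificate that does not chain to a trusted CA, or whose CN/SAN does not contain the name you connected to, makes `wrap_socket` raise `ssl.SSLCertVerificationError` before any LDAP bytes are exchanged; only a clean RootDSE listing (naming contexts, supported LDAP versions and so on) means the server-side steps above are complete.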
Bob Stone (IT Guru), author, commented:
I already have an SSL cert installed on machine for RPC/HTTPS, will that work?
Once both the LDAP server (AD) and the LDAP client are installed with the proper certificate, connecting to port 636 results in secure LDAP over SSL. No further configuration is needed.

You might need to reboot the LDAP server (AD) in case everything was done correctly but somehow AD still does not accept SSL connections. I have actually seen that before.