Solved

Configure LDAP over SSL Windows Server 2008 R2

Posted on 2016-07-25
Last Modified: 2016-10-09
Hey,

I have an Active Directory role running on Windows Server 2008 R2 accepting client connections over port 389.
I wish to enable SSL for this AD role by generating a certificate signed by a CA and then passed to clients wishing to initiate authentication requests with my LDAP over port 636; other clients may still connect over the non-SSL port.

Can you share detailed steps to accomplish this setup (generate the certificate request, get it signed by the CA, then test with ldp over port 636, ...)?

Thanks in advance
Question by:Hani_SA
13 Comments
 
LVL 1

Accepted Solution

by:
XcelogiX earned 250 total points
ID: 41728495
Typically for this scenario Active Directory Certificate Services is used, since it simplifies the procedure. The DCs will enroll and renew the certificates automatically, and you can also configure Windows clients to enroll certs from this as well. Often people just set this up as a flat-level CA, but if you already have an internal CA you want to use, you can set up ADCS as a subordinate CA with an appropriate cert from your existing CA.

If that's not what you're looking to do, you can generate a certificate request in MMC. This page shows you how to get there, but there will be some differences for you:
https://technet.microsoft.com/en-us/library/aa995864(v=exchg.65).aspx

You'll need to run MMC first, then add the Certificates snap-in so you can select the "Computer" store. Then, under Personal --> Certificates, you'll need to use the "Create Custom Request" function so that you can specify the information you need included in the cert (FQDN of the system, identifying information, etc.). Once the request is signed, you'll need to go back to the MMC console and import the signed cert. Once a valid server identification cert is present, you should be able to make connections right away.
0
 
LVL 16

Assisted Solution

by:Learnctx
Learnctx earned 250 total points
ID: 41728630
Microsoft have some great articles on doing this. There are specific templates which Microsoft created for Domain Controllers to use; though technically you can use a standard web server cert as well.

Templates:
- Domain Controller (Server 2000)
- Domain Controller Authentication (Server 2003)
- Kerberos Authentication (Server 2008+)

I recommend using Kerberos Authentication though.

This article is pretty long and huge, but informative. I think it's a bit over the top really :)
http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

A simpler article on enabling LDAPS (note the updated guidance for server 2008+ where it suggests putting the cert in the NTDS service store instead of the computer store; either is valid).
https://support.microsoft.com/en-us/kb/321051

A great article from Russell Tomkins on setting up your SSL cert for auto renewal so that it does not lapse if you forget. I highly recommend doing this especially if you're going to use a custom SAN address for your LDAP targeting (like ldap.your.domain).
https://blogs.technet.microsoft.com/russellt/2016/06/03/custom-ldap-certs/
0
 

Author Comment

by:Hani_SA
ID: 41728992
Dear XcelogiX,

I already have a CA installed on another server, different from the server where the ADDS role is installed, so how can I generate the certificate request and submit it to our CA for signing?

Once LDAPS is configured, will the AD server still be able to process authentication requests from clients configured to use the non-SSL port 389?
0
 
LVL 1

Assisted Solution

by:XcelogiX
XcelogiX earned 250 total points
ID: 41729948
If it is not a Microsoft AD-integrated CA, then you will need to use the Custom Certificate Request function as described here:

https://technet.microsoft.com/en-us/library/cc730929(v=ws.11).aspx

When you add the Certificates snap-in to MMC, choose "Local Computer," then follow the process above. Either the CNG or Legacy key should work since it will be used just for LDAPS with Windows. When you get to Step 8, you'll need to look closely for the option to add additional information. Once you've made it through the wizard, you should have a request file that you can take to the CA.
0
 
LVL 16

Assisted Solution

by:Learnctx
Learnctx earned 250 total points
ID: 41730404
"Once LDAPS is configured, will the AD server still be able to process authentication requests from clients configured to use the non-SSL port 389?"

Yes, AD will still listen on port 389 as well as GC ports 3268 (LDAP) and 3269 (LDAPS once a cert is applied). Adding a certificate to a DC is seamless.

All of the links posted above will show you how to submit a certificate request. By far the easiest is to create a CSR and use certutil. It's fast and easy and should take about 2 minutes to complete.

https://support.microsoft.com/en-us/kb/321051

I take it you have some experience using the MS CA web interface and submitting a CSR?
0
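The two routes above (XcelogiX's custom request, and the CSR-plus-certreq method in the KB article Learnctx links) can be driven from the command line on the DC and then checked from a client. This is an added example, not code from the thread or from Microsoft; DC01.corp.example.com and CA01.corp.example.com\Corp-Issuing-CA are placeholders for your DC's FQDN and your CA's config string.

```powershell
# Added example (not from the thread or from Microsoft). Placeholders: DC01.corp.example.com
# is the DC's FQDN, CA01.corp.example.com\Corp-Issuing-CA is the CA's config string
# (pick yours from the dialog shown by: certutil -config - -ping). Run as an administrator on the DC.
$dcFqdn   = "DC01.corp.example.com"
$caConfig = "CA01.corp.example.com\Corp-Issuing-CA"

# 1. request.inf in the layout KB 321051 uses: 2048-bit RSA key in the Local Computer store,
#    Server Authentication EKU, key usage = digital signature + key encipherment (0xa0).
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=__DC_FQDN__"
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
'@
$inf.Replace('__DC_FQDN__', $dcFqdn) | Set-Content -Path request.inf -Encoding ASCII

# 2. Generate the key pair and CSR, submit it, and bind the issued cert to the private key.
#    A standalone CA may leave the request pending; approve it in the CA console, then run
#    "certreq -retrieve <RequestId> dc.cer" before the -accept step.
certreq -new request.inf request.req
certreq -submit -config $caConfig request.req dc.cer
certreq -accept dc.cer

# 3. Check from a client: a TLS handshake to 636 succeeds only if the cert chains to a CA
#    the client trusts and the name matches. Print subject, expiry and SAN so the name you
#    target (e.g. a custom ldap.your.domain alias) can be confirmed before pointing apps at it.
$tcp = New-Object System.Net.Sockets.TcpClient($dcFqdn, 636)
$tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
$tls.AuthenticateAsClient($dcFqdn)        # throws on an untrusted chain or name mismatch
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
"Subject : " + $cert.Subject
"Issuer  : " + $cert.Issuer
"Expires : " + $cert.NotAfter
$san = $cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }   # Subject Alternative Name
if ($san) { "SAN     : " + $san.Format($false) } else { "SAN     : (none)" }
$tls.Close(); $tcp.Close()
```

Step 3 is the scripted equivalent of the ldp.exe test over port 636 asked for in the question; run it from a domain member rather than the DC itself so the trust check reflects what real clients see.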
 
LVL 16

Expert Comment

by:Learnctx
ID: 41736808
Hani_SA, how is your LDAPS setup going? Made any progress?
0
 
LVL 16

Expert Comment

by:Learnctx
ID: 41784356
What do you mean there is not enough information to confirm an answer?
0
 
LVL 16

Expert Comment

by:Learnctx
ID: 41795182
I believe I have answered the question comprehensively. I have provided in reply ID 41728630:

- A full guide on how to set up LDAPS on a DC from the Microsoft Wiki.
- A secondary method via the Microsoft KB
- An article for information purposes from one of Microsoft's PKI experts.

I don't see how the answer could be any more comprehensive without going as far as to copy and paste the articles into the reply. So I believe my reply has answered the question.
0
