Configure LDAP over SSL Windows Server 2008 R2

Posted on 2016-07-25
Last Modified: 2016-10-09
Hey,

I have an Active Directory role running on Windows Server 2008 R2 accepting client connections over port 389.
I wish to enable SSL for this AD role by generating a certificate signed by a CA and then passed to clients wishing to initiate authentication requests with my LDAP over port 636; other clients may still connect over the non-SSL port.

Can you share detailed steps to accomplish this setup? (Generate the certificate request, get it signed by the CA, then test ldp over port 636 ...)

Thanks in advance
Question by:Hani_SA
8 Comments

Accepted Solution

by:
XcelogiX earned 1000 total points
ID: 41728495
Typically for this scenario Active Directory Certificate Services is used since it simplifies the procedure. The DCs will enroll and renew the certificates automatically, and you can also configure Windows clients to enroll certs from this as well.  Often people just set this up as a flat-level CA, but if you already have an internal CA you want to use, you can set up ADCS as a subordinate CA with an appropriate cert from your existing CA.

If that's not what you're looking to do, you can generate a certificate request in MMC. This page shows you how to get there, but there will be some differences for you:
https://technet.microsoft.com/en-us/library/aa995864(v=exchg.65).aspx

You'll need to run MMC first, then add the Certificates snap-in so you can select the "Computer" store. Then, under Personal --> Certificates, you'll need to use the "Create Custom Request" function so that you can specify the information you need included in the cert (FQDN of the system, identifying information, etc.). Once the request is signed, you'll need to go back to the MMC console and import the signed cert. Once a valid server identification cert is present, you should be able to make connections right away.

Assisted Solution

by:Learnctx
Learnctx earned 1000 total points
ID: 41728630
Microsoft have some great articles on doing this. There are specific templates which Microsoft created for Domain Controllers to use; though technically you can use a standard web server cert as well.

Templates
Domain Controller (Server 2000)
Domain Controller Authentication (Server 2003)
Kerberos Authentication (Server 2008+)

I recommend using Kerberos Authentication though.

This article is pretty long and huge, but informative. I think it's a bit over the top really :)
http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

A simpler article on enabling LDAPS (note the updated guidance for server 2008+ where it suggests putting the cert in the NTDS service store instead of the computer store; either is valid).
https://support.microsoft.com/en-us/kb/321051

A great article from Russell Tomkins on setting up your SSL cert for auto renewal so that it does not lapse if you forget. I highly recommend doing this especially if you're going to use a custom SAN address for your LDAP targeting (like ldap.your.domain).
https://blogs.technet.microsoft.com/russellt/2016/06/03/custom-ldap-certs/

Author Comment

by:Hani_SA
ID: 41728992
Dear XcelogiX,

I already have a CA installed on another server, different from the server where the ADDS role is installed, so how can I generate the certificate request and submit it to our CA for signing?

Once LDAPS is configured, will the AD server still be able to process authentication requests from clients configured over the non-SSL port 389?

Assisted Solution

by:XcelogiX
XcelogiX earned 1000 total points
ID: 41729948
If it is not a Microsoft AD-integrated CA, then you will need to use the Custom Certificate Request function as described here:

https://technet.microsoft.com/en-us/library/cc730929(v=ws.11).aspx

When you add the Certificates snap-in to MMC, choose "Local Computer," then follow the process above. Either the CNG or Legacy key should work since it will be used just for LDAPS with Windows. When you get to Step 8, you'll need to look closely for the option to add additional information. Once you've made it through the wizard, you should have a request file that you can take to the CA.
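As an added illustration of the custom-request route described in both XcelogiX's replies (a CA that is not AD-integrated, so no template auto-enrollment), and of the request.inf method the KB article linked above uses, the following PowerShell builds the request with certreq.exe. It is not code from the thread; the DC FQDN, the extra LDAP SAN and the CA config string are placeholders.

```powershell
# Added example: PKCS#10 request for LDAPS on a DC, for a non-AD-integrated CA.
# All hostnames below are placeholders; replace them with your own values.
$DcFqdn   = 'dc01.corp.example.com'                   # placeholder: the DC's FQDN
$LdapSan  = 'ldap.corp.example.com'                   # placeholder: optional custom SAN for LDAP targeting
$CaConfig = 'ca01.corp.example.com\Corp-Issuing-CA'   # placeholder: "CAHost\CAName", only for an AD CS CA

$inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$DcFqdn"
KeySpec = 1                       ; AT_KEYEXCHANGE, required for Schannel
KeyLength = 2048
Exportable = FALSE                ; keep the DC's private key non-exportable
MachineKeySet = TRUE              ; key lands in the Local Computer store
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0                   ; digitalSignature + keyEncipherment

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1           ; Server Authentication, what LDAPS clients check for

[Extensions]
2.5.29.17 = "{text}"              ; subjectAltName: DC FQDN plus the custom LDAP name
_continue_ = "dns=$DcFqdn&"
_continue_ = "dns=$LdapSan"
"@

Set-Content -Path .\request.inf -Value $inf -Encoding ASCII

# 1. Generate the key pair in the Local Computer store and write the CSR.
certreq -new .\request.inf .\request.req

# 2. Hand request.req to the CA. With a non-AD-integrated CA this is usually the
#    CA's web enrollment page; with an AD CS CA you can submit directly:
#    certreq -submit -config $CaConfig .\request.req .\dc01.cer

# 3. Bind the issued certificate to the pending request (and its private key).
#    It then sits in Local Computer\Personal, where LDAPS picks it up.
#    certreq -accept .\dc01.cer

# 4. Confirm the cert and private key are paired in the machine store.
certutil -store My
```

Submit and accept must run on the same DC that ran `certreq -new`, because that is where the private key lives.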

Assisted Solution

by:Learnctx
Learnctx earned 1000 total points
ID: 41730404
Once LDAPS is configured will AD Server still be able to process authentication request from clients configured over non-ssl port:389 ??

Yes, AD will still listen on port 389 as well as GC ports 3268 (LDAP) and 3269 (LDAPS once a cert is applied). Adding a certificate to a DC is seamless.

All of the links posted above will show you how to submit a certificate request. By far the easiest is to create a CSR and use certutil. It's fast and easy and should take about 2 minutes to complete.

https://support.microsoft.com/en-us/kb/321051

I take it you have some experience using the MS CA web interface and submitting a CSR?
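To check the points made in the reply above (636 answers once a cert is present, 389 keeps working, and the cert the DC presents is one clients will accept), here is an added PowerShell check that is not part of the thread. It assumes a placeholder DC hostname and runs from a client whose trust store includes the issuing CA.

```powershell
# Added example: verify a DC's LDAP (389) and LDAPS (636) listeners and inspect
# the certificate Schannel serves. $Dc is a placeholder hostname.
function Test-DcLdapPorts {
    param([string]$Dc)
    $r = @{}
    # Plain LDAP is unaffected by adding a cert: 389 must still accept connections
    $plain = New-Object System.Net.Sockets.TcpClient
    try { $plain.Connect($Dc, 389); $r.Ldap389 = $true } catch { $r.Ldap389 = $false } finally { $plain.Close() }

    # LDAPS: complete a TLS handshake on 636 and capture the server certificate.
    # The callback accepts anything so we can inspect the cert ourselves below.
    $accept = { param($s, $c, $ch, $e) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
    $tcp = $null; $ssl = $null
    try {
        $tcp = New-Object System.Net.Sockets.TcpClient($Dc, 636)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Dc)
        $r.Ldaps636 = $true
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject  = $cert.Subject
        $r.NotAfter = $cert.NotAfter          # watch this if auto-renewal is not set up
        # Name check: the DC FQDN must be the CN or appear in the DNS SANs
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($san) { $san.Format($false) } else { '' }
        $r.NameMatches = ($cert.Subject -like "CN=$Dc*") -or ($sanText -like "*$Dc*")
        # EKU must include Server Authentication or Schannel will not use the cert
        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $r.ServerAuthEku = [bool]($eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }))
        # Chain check against this client's trust store, i.e. what real clients will do
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $r.ChainTrusted = $chain.Build($cert)
    } catch {
        $r.Ldaps636 = $false                  # no cert yet, or handshake refused
        $r.Error = $_.Exception.Message
    } finally {
        if ($ssl) { $ssl.Dispose() }
        if ($tcp) { $tcp.Close() }
    }
    New-Object PSObject -Property $r
}

Test-DcLdapPorts -Dc 'dc01.corp.example.com' | Format-List
```

A DC without a usable cert typically resets the 636 connection, which surfaces here as Ldaps636 = False with the handshake error; the same checks apply to the GC LDAPS port 3269.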

Expert Comment

by:Learnctx
ID: 41736808
Hani_SA, how is your LDAPS setup going? Made any progress?

Expert Comment

by:Learnctx
ID: 41784356
What do you mean there is not enough information to confirm an answer?

Expert Comment

by:Learnctx
ID: 41795182
I believe I have answered the question comprehensively. I have provided in reply http://#a41728630:

- A full guide on how to set up LDAPS on a DC from the Microsoft Wiki.
- A secondary method via the Microsoft KB
- An article for information purposes from one of Microsoft's PKI experts.

I don't see how the answer could be any more comprehensive without going as far as to copy and paste the articles into the reply. So I believe my reply has answered the question.