Status: Solved
Configure LDAP over SSL Windows Server 2008 R2

Hey,

I have an Active Directory role running on Windows Server 2008 R2 accepting client connections over port 389.
I wish to enable SSL for this AD role by generating a certificate signed by a CA, which is then passed to clients wishing to initiate authentication requests with my LDAP over port 636; other clients may still connect over the non-SSL port.

Can you share detailed steps to accomplish this setup? (Generate the certificate request, get it signed by the CA, then test with ldp over port 636 ...)

Thanks in advance
Asked by Hani_SA
XcelogiX Commented:
Typically for this scenario Active Directory Certificate Services is used since it simplifies the procedure. The DCs will enroll and renew the certificates automatically, and you can also configure Windows clients to enroll certs from this as well.  Often people just set this up as a flat-level CA, but if you already have an internal CA you want to use, you can set up ADCS as a subordinate CA with an appropriate cert from your existing CA.

If that's not what you're looking to do, you can generate a certificate request in MMC. This page shows you how to get there, but there will be some differences for you:
https://technet.microsoft.com/en-us/library/aa995864(v=exchg.65).aspx

You'll need to run MMC first, then add the Certificates snap-in so you can select "Computer" store. Then, under Personal --> Certificates, you'll need to use the "Create Custom Request" function so that you can specify the information you need included in the cert (fqdn of the system, identifying information, etc.) Once the request is signed, you'll need to go back to the MMC console and import the signed cert. Once a valid server identification cert is present, you should be able to make connections right away.
Learnctx (Engineer) Commented:
Microsoft have some great articles on doing this. There are specific templates which Microsoft created for Domain Controllers to use; though technically you can use a standard web server cert as well.

Templates
Domain Controller (Server 2000)
Domain Controller Authentication (Server 2003)
Kerberos Authentication (Server 2008+)

I recommend using Kerberos Authentication though.

This article is pretty long and huge, but informative. I think it's a bit over the top really :)
http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

A simpler article on enabling LDAPS (note the updated guidance for server 2008+ where it suggests putting the cert in the NTDS service store instead of the computer store; either is valid).
https://support.microsoft.com/en-us/kb/321051

A great article from Russell Tomkins on setting up your SSL cert for auto renewal so that it does not lapse if you forget. I highly recommend doing this especially if you're going to use a custom SAN address for your LDAP targeting (like ldap.your.domain).
https://blogs.technet.microsoft.com/russellt/2016/06/03/custom-ldap-certs/
Hani_SA (Author) Commented:
Dear XcelogiX,

I already have a CA installed on another server, different from the server where the ADDS role is installed, so how can I generate the certificate request and submit it to our CA for signing?

Once LDAPS is configured, will the AD server still be able to process authentication requests from clients configured over the non-SSL port 389?
XcelogiX Commented:
If it is not a Microsoft AD-integrated CA, then you will need to use the Custom Certificate Request function as described here:

https://technet.microsoft.com/en-us/library/cc730929(v=ws.11).aspx

When you add the Certificates snap-in to MMC, choose "Local Computer," then follow the process above. Either the CNG or Legacy key should work since it will be used just for LDAPS with Windows. When you get to Step 8, you'll need to look closely for the option to add additional information. Once you've made it through the wizard, you should have a request file that you can take to the CA.
Learnctx (Engineer) Commented:
"Once LDAPS is configured, will the AD server still be able to process authentication requests from clients configured over the non-SSL port 389?"

Yes, AD will still listen on port 389 as well as GC ports 3268 (LDAP) and 3269 (LDAPS once a cert is applied). Adding a certificate to a DC is seamless.

All of the links posted above will show you how to submit a certificate request. By far the easiest is to create a CSR and use certutil. It's fast and easy and should take about 2 minutes to complete.

https://support.microsoft.com/en-us/kb/321051

I take it you have some experience using the MS CA web interface and submitting a CSR?
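The CSR route from this answer and the custom computer-store request from XcelogiX's MMC reply, as one script. This is an added example and not code from the thread or from Microsoft: it writes a certreq INF for the DC (with the custom SAN alias mentioned above), creates the request, and after the CA's response is accepted, checks port 636 with a real TLS handshake in place of ldp. The FQDN, SAN and C:\Temp paths are placeholders to replace.

```powershell
# Added example, not from the thread. Placeholders: change the FQDN, SAN and paths.
$Fqdn = "dc01.corp.example"      # assumed DC name; must match what clients connect to
$San  = "ldap.corp.example"      # assumed optional alias (see the custom SAN note above)
$Inf  = "C:\Temp\ldaps.inf"; $Req = "C:\Temp\ldaps.req"; $Cer = "C:\Temp\ldaps.cer"

# certreq INF: 2048-bit RSA key in the machine store, Server Authentication EKU,
# SAN carrying both the DC name and the alias (the CN alone is not enough for modern clients).
@"
[NewRequest]
Subject = "CN=$Fqdn"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
MachineKeySet = TRUE
Exportable = FALSE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10
[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1
[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "dns=$San"
"@ | Set-Content -Path $Inf -Encoding Ascii

certreq -new $Inf $Req      # step 1: CSR written to $Req; submit it to the CA (web enrollment or certreq -submit)
# certreq -accept $Cer      # step 2: after the CA returns the signed cert, binds it to the key in the computer store

# Step 3: verify LDAPS the way a client would, with a full handshake and chain validation on 636.
function Test-Ldaps([string]$HostName, [int]$Port = 636) {
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($HostName)   # throws if the chain is untrusted or the name does not match
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{ Subject = $cert.Subject; Issuer = $cert.Issuer;
                                         NotAfter = $cert.NotAfter; Protocol = $ssl.SslProtocol }
    } finally { $ssl.Dispose(); $tcp.Close() }
}
Test-Ldaps -HostName $Fqdn           # also try -HostName $San and -Port 3269 for the GC listener
```

A trust failure in step 3 means the issuing CA's certificate is not in the client's Trusted Root store, which is exactly the error LDAPS clients will see until it is distributed.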
Learnctx (Engineer) Commented:
Hani_SA, how is your LDAPS setup going? Made any progress?
Learnctx (Engineer) Commented:
What do you mean there is not enough information to confirm an answer?
Learnctx (Engineer) Commented:
I believe I have answered the question comprehensively. I have provided in reply http://#a41728630:

- A full guide on how to set up LDAPS on a DC from the Microsoft Wiki.
- A secondary method via the Microsoft KB.
- An article for information purposes from one of Microsoft's PKI experts.

I don't see how the answer could be any more comprehensive without going as far as to copy and paste the articles into the reply. So I believe my reply has answered the question.