Solved

Configure LDAP over SSL Windows Server 2008 R2

Posted on 2016-07-25
125 Views
Last Modified: 2016-10-09
Hey,

I have an Active Directory role running on Windows Server 2008 R2 accepting client connections over port 389.
I wish to enable SSL for this AD role by generating a certificate signed by a CA and then passed to clients wishing to initiate authentication requests with my LDAP over port 636; other clients may still connect over the non-SSL port.

Can you share detailed steps to accomplish this setup? (generate the certificate request, get it signed by the CA, then test ldp over port 636 ...)

Thanks in advance
Question by: Hani_SA
13 Comments
 
LVL 1

Accepted Solution

by: XcelogiX (earned 250 total points)
ID: 41728495
Typically for this scenario Active Directory Certificate Services is used since it simplifies the procedure. The DCs will enroll and renew the certificates automatically, and you can also configure Windows clients to enroll certs from this as well. Often people just set this up as a flat-level CA, but if you already have an internal CA you want to use, you can set up ADCS as a subordinate CA with an appropriate cert from your existing CA.

If that's not what you're looking to do, you can generate a certificate request in MMC. This page shows you how to get there, but there will be some differences for you:
https://technet.microsoft.com/en-us/library/aa995864(v=exchg.65).aspx

You'll need to run MMC first, then add the Certificates snap-in so you can select the "Computer" store. Then, under Personal --> Certificates, you'll need to use the "Create Custom Request" function so that you can specify the information you need included in the cert (FQDN of the system, identifying information, etc.). Once the request is signed, you'll need to go back to the MMC console and import the signed cert. Once a valid server identification cert is present, you should be able to make connections right away.
 
LVL 17

Assisted Solution

by: Learnctx (earned 250 total points)
ID: 41728630
Microsoft have some great articles on doing this. There are specific templates which Microsoft created for Domain Controllers to use, though technically you can use a standard web server cert as well.

Templates:
- Domain Controller (Server 2000)
- Domain Controller Authentication (Server 2003)
- Kerberos Authentication (Server 2008+)

I recommend using Kerberos Authentication though.

This article is pretty long and huge, but informative. I think it's a bit over the top really :)
http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

A simpler article on enabling LDAPS (note the updated guidance for server 2008+ where it suggests putting the cert in the NTDS service store instead of the computer store; either is valid).
https://support.microsoft.com/en-us/kb/321051

A great article from Russell Tomkins on setting up your SSL cert for auto renewal so that it does not lapse if you forget. I highly recommend doing this especially if you're going to use a custom SAN address for your LDAP targeting (like ldap.your.domain).
https://blogs.technet.microsoft.com/russellt/2016/06/03/custom-ldap-certs/
 
Author Comment

by: Hani_SA
ID: 41728992
Dear XcelogiX,

I already have a CA installed on another server, different from the server where the ADDS role is installed, so how can I generate the certificate request and submit it to our CA for signing?

Once LDAPS is configured, will the AD server still be able to process authentication requests from clients configured over the non-SSL port 389?
 
LVL 1

Assisted Solution

by: XcelogiX (earned 250 total points)
ID: 41729948
If it is not a Microsoft AD-integrated CA, then you will need to use the Custom Certificate Request function as described here:

https://technet.microsoft.com/en-us/library/cc730929(v=ws.11).aspx

When you add the Certificates snap-in to MMC, choose "Local Computer," then follow the process above. Either the CNG or Legacy key should work since it will be used just for LDAPS with Windows. When you get to Step 8, you'll need to look closely for the option to add additional information. Once you've made it through the wizard, you should have a request file that you can take to the CA.
 
LVL 17

Assisted Solution

by: Learnctx (earned 250 total points)
ID: 41730404
"Once LDAPS is configured, will the AD server still be able to process authentication requests from clients configured over the non-SSL port 389?"

Yes, AD will still listen on port 389 as well as GC ports 3268 (LDAP) and 3269 (LDAPS once a cert is applied). Adding a certificate to a DC is seamless.

All of the links posted above will show you how to submit a certificate request. By far the easiest is to create a CSR and use certutil. It's fast and easy and should take about 2 minutes to complete.

https://support.microsoft.com/en-us/kb/321051

I take it you have some experience using the MS CA web interface and submitting a CSR?
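A worked version of the route Learnctx points to (the certreq/.inf request method from KB 321051) and of the custom-request flow XcelogiX describes, ending with the port 636 test the question asks for. This is an added example written for this page; it is not code from any of the posters, from Microsoft, or from the linked articles. The names dc01.corp.example.com, corp.example.com, the CA config string ca01.corp.example.com\Corp-Issuing-CA and the C:\ldaps directory are placeholders to replace with your own; the script is written against PowerShell 2.0 and .NET 3.5 so it runs unchanged on a 2008 R2 domain controller (elevated prompt).

```powershell
# Added example, not from the thread. Placeholders: replace with your own values.
$DcFqdn   = 'dc01.corp.example.com'                   # the DC that should answer on 636
$Domain   = 'corp.example.com'                        # AD DNS domain (second SAN entry)
$CaConfig = 'ca01.corp.example.com\Corp-Issuing-CA'   # "CAHost\CA common name" for certreq -submit
$WorkDir  = 'C:\ldaps'

# 1. Request file. What schannel needs for LDAPS: key in the machine store
#    (MachineKeySet), Server Authentication EKU, and the DC FQDN in the SAN.
function New-LdapsRequestInf {
    param([string]$Fqdn, [string]$Domain, [string]$Path)
    $inf = @"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Fqdn"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
; 1.3.6.1.5.5.7.3.1 = Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; 2.5.29.17 = Subject Alternative Name
2.5.29.17 = "{text}"
_continue_ = "dns=$Fqdn&"
_continue_ = "dns=$Domain&"
"@
    Set-Content -Path $Path -Value $inf -Encoding ASCII
}

# 2. Generate the CSR, submit it to the CA, bind the issued cert to the key.
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$inf = Join-Path $WorkDir 'ldaps.inf'
$req = Join-Path $WorkDir 'ldaps.req'
$cer = Join-Path $WorkDir 'ldaps.cer'
New-LdapsRequestInf -Fqdn $DcFqdn -Domain $Domain -Path $inf
certreq -new $inf $req                          # key pair lands in Local Computer store; CSR written to $req
certreq -submit -config $CaConfig $req $cer     # Microsoft CA: issues directly or returns a pending RequestId
                                                # (then: certreq -retrieve -config $CaConfig <RequestId> $cer)
                                                # non-Microsoft CA: hand $req to it and save its output as $cer
certreq -accept $cer                            # installs into Local Computer\Personal, paired with the key

# 3a. TLS handshake on 636 (or 3269 for the GC): inspect what the DC presents.
function Test-Ldaps {
    param([string]$Server, [int]$Port = 636)
    $script:chainErrors = $null
    # Accept the cert inside the callback so the handshake completes; the chain
    # status is recorded and returned rather than silently discarded.
    $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors); $script:chainErrors = $errors; $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $eku  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        New-Object PSObject -Property @{
            Port        = $Port
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer
            DnsName     = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
            NotAfter    = $cert.NotAfter
            ServerAuth  = ($eku -ne $null) -and ($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1'
            ChainErrors = $script:chainErrors   # "None" is the result you want
        }
    } finally { $ssl.Dispose(); $tcp.Close() }
}

# 3b. A real LDAP bind over SSL with the current (domain) credentials.
function Test-LdapsBind {
    param([string]$Server, [int]$Port = 636)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true      # LDAPS: TLS from the first byte, not StartTLS
    $conn.SessionOptions.ProtocolVersion  = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try { $conn.Bind(); $true } catch { Write-Warning $_.Exception.Message; $false } finally { $conn.Dispose() }
}

Test-Ldaps -Server $DcFqdn -Port 636
Test-Ldaps -Server $DcFqdn -Port 3269
Test-LdapsBind -Server $DcFqdn
```

No restart of the DC is needed between step 2 and step 3; schannel picks the new certificate up on the next LDAPS connection. If Test-Ldaps returns something other than None in ChainErrors, the listener is working but the client does not trust the issuing CA, which is what you will also see in ldp.exe as a failed connect on 636; fixing that is a matter of distributing the CA chain to clients, not of the DC configuration. Port 389 keeps answering as before, so the clients still using plain LDAP are unaffected.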
 
LVL 17

Expert Comment

by: Learnctx
ID: 41736808
Hani_SA, how is your LDAPS setup going? Made any progress?
 
LVL 17

Expert Comment

by: Learnctx
ID: 41784356
What do you mean there is not enough information to confirm an answer?
 
LVL 17

Expert Comment

by: Learnctx
ID: 41795182
I believe I have answered the question comprehensively. I have provided in reply ID 41728630:

- A full guide on how to set up LDAPS on a DC from the Microsoft Wiki.
- A secondary method via the Microsoft KB.
- An article for information purposes from one of Microsoft's PKI experts.

I don't see how the answer could be any more comprehensive without going as far as to copy and paste the articles into the reply. So I believe my reply has answered the question.