Setup AD to respond to LDAP queries over LDAPS protocol

From Notes_Wiki


Create self-signed certificate authority for AD certificate

To create a self-signed certificate authority for AD, use the following steps:

  1. Go to Start Menu -> Administrative Tools -> Server Manager
  2. From the Server Manager "Roles" node choose the "Add Roles" link in the right-side pane
  3. On "Before You Begin" click next
  4. Select "Active Directory Certificate Services" and click next
  5. On "Introduction to Active Directory Certificate Services" click next
  6. Leave "Certification Authority" selected and click next
  7. In "Setup Type" leave "Enterprise" selected and click next
  8. In "CA Type" leave "Root CA" selected and click next
  9. Leave "Create a new private key" selected and click next
  10. Leave the defaults as they are on "Configure Cryptography for CA" and click next
  11. Choose an appropriate CN and DN for the CA and click next
  12. Choose an appropriate validity period and click next
  13. In "Configure Certificate Database" leave the values as they are and click next
  14. On the "Confirmation" window click "Install"
  15. Close the window showing the successful installation message


Create a new certificate template, create AD certificate, import certificate in AD

To create a new certificate template for AD, then create the AD certificate, and finally import the created certificate into AD, use the following steps:

  1. Run "certsrv.msc" from the Start menu "Run" option
  2. Expand the "CA" tree node and click on the "Certificate Templates" node
  3. Right click on "Certificate Templates" and choose "Manage"
  4. Right click on "Kerberos Authentication" and choose "Duplicate Template"
    1. Choose "Windows Server 2008 Enterprise" from the pop-up and click ok
    2. In "General", change the template display name to "AD certificate"
    3. Set the validity period to something large (e.g. 5 years)
    4. In the "Subject Name" tab ensure that DNS name, User principal name (UPN) and Service principal name (SPN) are selected
    5. In "Request Handling" select "Allow private key to be exported". This is very important: without it the certificate cannot be exported with its key and imported into the CertSvc store later.
    6. Click "Apply" and then click "ok"
  5. Close the Certificate Templates console to return to the "certsrv.msc" window
  6. Again right click on the "Certificate Templates" node. This time choose "New" -> "Certificate Template to Issue"
    1. Select "AD certificate" and click ok
  7. Close the "certsrv.msc" window
  8. Start the "mmc" console from the Start menu using the "Run" option
  9. In MMC go to "File" -> "Add/Remove Snap-in"
    1. Click on "Certificates" in the left panel and click the "Add" button between the two panes
      1. Select the "Computer account" radio button among the choices and click next
      2. In the next window leave "Local computer" selected and click finish
    2. Click ok to close the "Add/Remove Snap-in" pop-up
  10. Go to "Certificates (Local Computer)" -> Personal -> Certificates
  11. Right click on the right pane and from "All Tasks" choose "Request New Certificate"
  12. Leave "Active Directory Enrollment Policy" selected and click next
  13. Select "AD certificate" and click "Enroll"
  14. Click finish on the success message
  15. Select the created certificate whose "Intended Purposes" starts with "KDC Authentication" and whose "Certificate Template" is "AD certificate"
  16. Right click -> "All Tasks" -> "Export"
    1. Click "Next" on the first screen of the Certificate Export Wizard
    2. Toggle the radio button and choose the "Yes, export the private key" option
    3. Under "PKCS #12" select "Export all extended properties" and click "next"
    4. Choose an appropriate password and click next. Remember it well: this password will be needed for importing the certificate in the next few steps.
    5. Export the certificate to the desktop with the name ad.pfx
    6. Click "finish" to complete the Certificate Export Wizard
  17. Click "Ok" on the "export was successful" message
  18. From the "mmc" console again go to "File" -> "Add/Remove Snap-in"
    1. Select "Certificates" and click "Add" between the panes
    2. This time, instead of "Computer account", choose "Service account" and click next
    3. Choose the "Local computer" radio button and click next
    4. Select "Active Directory Certificate Services" and click finish
    5. Click "ok" to close the snap-in manager
  19. Go to "Active
  20. Go to "Certificates - Service (Active Directory Certificate Services)" -> CertSvc\Personal
  21. Right click on the right pane and from "All Tasks" choose "Import"
  22. Click "next" on the Certificate Import Wizard
  23. Browse to the desktop to select the certificate. Change the file type to all files "*.*" and select the ad.pfx file
  24. Click "next" on the file selection window
  25. Type the password that was used while exporting the certificate and click next. Leave "Include all extended properties" selected.
  26. In "Place all certificates in the following store" leave "CertSvc\Personal" selected and click next
  27. Click finish to complete the import wizard
  28. Click ok on the successful import message
  29. AD should automatically start listening on LDAPS using the new certificate. The exported ad.pfx on the desktop contains the private key, so delete it once the import has succeeded.

Most of this was learned from http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx


Test connection to AD over LDAPS from Linux

To test the connection to AD over LDAPS from Linux:

  1. Edit /etc/openldap/ldap.conf and add the line "TLS_REQCERT never". This turns off verification of the server certificate, so it is fine for a first connectivity test but should not stay in a production client configuration.
  2. Try something similar to:
ldapsearch -x -H ldaps://<AD-IP>/ -b '<Base-DN>' -D 'administrator@<Domain-name>' -W

and type the administrator password to connect. An example command with filled-in values is:

ldapsearch -x -H ldaps://192.168.2.15/ -b 'dc=example1,dc=com' -D 'administrator@example1.com' -W

In place of "-W" one can also use "-w'<password>'", with no gap between -w and the password; a complex password can be enclosed in single quotes as shown. Note that a password passed on the command line is visible in the shell history and the process list, so the "-W" prompt is preferable.
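The test above works against an IP address only because TLS_REQCERT never switches certificate checking off. The following is an added example, not part of the original page, that does the same Linux-side check with verification turned on: it validates the chain against a PEM copy of the AD root CA certificate (a path you supply; exporting it from the CA is assumed) and confirms that a SAN DNS entry matches the DC, which means connecting by the DC's FQDN rather than its IP, since the duplicated Kerberos Authentication template puts the DC's DNS name, not its address, in the certificate. The host dc1.example1.com and the sample certificate dict are constructed.

```python
import socket
import ssl
import time

# Constructed sample in the shape ssl.SSLSocket.getpeercert() returns; not taken from a real DC.
CONSTRUCTED_CERT = {
    "subjectAltName": (("DNS", "dc1.example1.com"), ("DNS", "example1.com"),
                       ("othername", "<unsupported>")),  # UPN/SPN entries appear as othername
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Jan  1 00:00:00 2029 GMT",
}

def san_dns_names(cert):
    """DNS names listed in the subjectAltName of a getpeercert() dict."""
    return [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]

def name_matches(pattern, host):
    """Exact match, or a single leftmost wildcard label such as *.example1.com."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if pattern == host:
        return True
    if pattern.startswith("*."):
        p_labels, h_labels = pattern.split(".")[1:], host.split(".")
        return len(h_labels) == len(p_labels) + 1 and h_labels[1:] == p_labels
    return False

def check_cert(cert, host, now_ts=None):
    """List of problems (empty = acceptable). An IP never matches: the SAN holds the DC's DNS name."""
    now_ts = time.time() if now_ts is None else now_ts
    problems = []
    if not any(name_matches(name, host) for name in san_dns_names(cert)):
        problems.append(f"no SAN DNS entry matches {host}")
    if now_ts < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("certificate not yet valid")
    if now_ts > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("certificate expired")
    return problems

def fetch_peer_cert(host, port=636, cafile=None):
    """TLS-connect to the LDAPS port, verifying the chain against cafile (PEM copy of the AD root CA);
    an untrusted or mismatched certificate raises ssl.SSLCertVerificationError."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((host, port), timeout=10) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

if __name__ == "__main__":
    import sys  # usage: python ldaps_check.py dc1.example1.com /path/to/ad-root-ca.pem
    peer = fetch_peer_cert(sys.argv[1], cafile=sys.argv[2])
    print("\n".join(check_cert(peer, sys.argv[1]) or ["LDAPS certificate OK"]))
```

Once this passes, the same CA file can be given to ldapsearch through TLS_CACERT in ldap.conf instead of TLS_REQCERT never.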
