How to Configure LDAPS integration with Windows Active Directory Domain Services (AD DS)


In this post we are going to go over how to configure LDAPS (Lightweight Directory Access Protocol over TLS) on a Windows DC (Domain Controller).

This post assumes that you already have an AD (Active Directory) domain configured and ready to go. Additionally, it assumes that you already have a Windows CA (Certification Authority, i.e. an AD CS issuing CA) configured and trusted by the domain.


  1. SECTION I – What is LDAPS?
  2. SECTION II – Configuration
    1. SECTION II – A – Create Certificate Template
      1. FIGURE 1 – Manage Certificate Templates
      2. FIGURE 2 – Certificate General Properties
      3. FIGURE 3 – Certificate Request Handling Properties
      4. FIGURE 4 – Certificate Subject Name Properties
    2. SECTION II – B – Generate LDAPS Certificate
      1. FIGURE 5 – Request Certificate
      2. FIGURE 6 – Certificate Enrollment Policy
      3. FIGURE 7 – Certificate Enrollment Template
      4. FIGURE 8 – Completed Certificate Enrollment
    3. SECTION II – C – Export Certificate
      1. FIGURE 9 – Listed Certificate
      2. FIGURE 10 – Export Certificate
      3. FIGURE 11 – Export Private Key
      4. FIGURE 12 – Certificate Extension
      5. FIGURE 13 – Certificate Password
      6. FIGURE 14 – Certificate Export Location
      7. FIGURE 15 – Completed Certificate Export
    4. SECTION II – D – Import Certificate Into AD DS
      1. FIGURE 16 – Add or Remove Snap-Ins
      2. FIGURE 17 – Manage Service Account Certificates
      3. FIGURE 18 – Local Computer
      4. FIGURE 19 – Manage Active Directory Domain Services Certificates
      5. FIGURE 20 – Certificate Snap-in
      6. FIGURE 21 – Import Certificate
      7. FIGURE 22 – Select Certificate
      8. FIGURE 23 – Certificate Encryption Password
      9. FIGURE 24 – Certificate Store
      10. FIGURE 25 – Successful Import
      11. FIGURE 26 – Verify Imported Certificate
  3. SECTION III – Testing
    1. FIGURE 27 – PowerShell Install
    2. FIGURE 28 – LDP Application
    3. FIGURE 29 – LDP Connection
    4. FIGURE 30 – LDP Connection Parameters
    5. FIGURE 31 – LDP Connection Result

SECTION I – What is LDAPS?

LDAP (Lightweight Directory Access Protocol) is an industry standard application protocol for querying and modifying a directory service over an IP (Internet Protocol) network. In a Windows domain it is what applications and appliances typically use to authenticate users and look up accounts and groups. Plain LDAP (TCP port 389) has no transport encryption: a simple bind sends the user name and password in cleartext, and everything the directory returns is readable too, so credentials and directory data can be sniffed and stolen while transiting the network.

LDAPS is the same LDAP protocol wrapped in TLS (Transport Layer Security) and served on TCP port 636. The TLS session encrypts everything transmitted between the DC and the client, and it lets the client authenticate the DC by validating the certificate the DC presents, so the credentials in a bind and the data returned are protected on the wire. For that to work the DC needs a certificate that is valid for server authentication, whose DNS name matches the DC's FQDN and that chains to a CA the clients trust. Issuing and installing that certificate is what the rest of this post covers.

SECTION II – Configuration

Now that we know a little about LDAPS we can move on to configuring it on our DC. The main task is to install on the DC a server certificate issued by a CA that our clients trust, placed where the AD DS (LDAP) service will pick it up and present it to TLS clients.

SECTION II – A – Create Certificate Template

Firstly, we need to create a template that we can use to issue the certificate from the CA:

  1. Connect to your CA and open up the ‘Certification Authority’ console.
  2. Select the ‘Certificate Templates’ folder in the left hand pane, then right click it and select ‘Manage’.
  3. FIGURE 1 – Manage Certificate Templates
  4. In the list of certificate templates locate the ‘Kerberos Authentication’ template. Right click on the template and click ‘Duplicate Template’. (This template is a good starting point because it already carries the ‘Server Authentication’ EKU and builds the DC's DNS name into the certificate, both of which LDAPS needs.)
  5. Under the ‘General’ tab:
    • Give the template a useful name.
    • Tick ‘Publish certificate in Active Directory’.
  6. FIGURE 2 – Certificate General Properties
  7. Under the ‘Request Handling’ tab tick the ‘Allow private key to be exported’ checkbox. This is only needed because Section II – C exports the certificate together with its private key; treat the resulting ‘.pfx’ file as a DC credential, keep it on the DC and delete it once the import in Section II – D is done.
  8. FIGURE 3 – Certificate Request Handling Properties
  9. Under the ‘Subject Name’ tab make sure ‘DNS name’ is the only alternate subject name option ticked.
  10. FIGURE 4 – Certificate Subject Name Properties
  11. Under the ‘Security’ tab make sure that the ‘Domain Controllers’ group has the ‘Enroll’ and ‘Autoenroll’ tickboxes selected (the Security tab grants rights to groups and accounts, not to OUs).
  12. Click ‘Ok’ on the template properties and exit out of the template manager.
  13. In the main pane of the ‘Certificate Templates’ folder right click and select ‘New > Certificate Template to Issue’.
  14. Select your newly created certificate template.
  15. You should now see that certificate template listed.

SECTION II – B – Generate LDAPS Certificate

Now that we have a correct template we can issue a certificate to our DC using that new template:

  1. On your DC open up ‘Manage Computer Certificates’.
  2. Under the ‘Personal\Certificates’ folder right click and select ‘All Tasks > Request New Certificate’.
  3. FIGURE 5 – Request Certificate
  4. Click ‘next’ on the beginning page.
  5. Click ‘next’ on the ‘Certificate Enrollment Policy’ page.
  6. FIGURE 6 – Certificate Enrollment Policy
  7. From the list select the certificate template you created in Section II – A and then click ‘enroll’.
  8. FIGURE 7 – Certificate Enrollment Template
  9. Click ‘finish’ once the enrollment is completed.
  10. FIGURE 8 – Completed Certificate Enrollment
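
The same enrolment can be done from the command line, which also lets you check the issued certificate against what LDAPS actually requires (private key present, ‘Server Authentication’ EKU, the DC FQDN in the SAN, a trusted chain, validity dates) before going any further. The following is an added example, not code from the original post. It assumes an elevated Windows PowerShell session on the DC, that the template from Section II – A has been published to the CA, and that the template's name (the ‘Template name’ field, not the display name) is ‘LDAPSDC’; that name is a placeholder to replace with your own.

```powershell
# Added example (not part of the original post).
# Assumptions: run elevated on the DC; the template name below is hypothetical.
$TemplateName = 'LDAPSDC'
$DcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLowerInvariant()

function Test-LdapsCertificate {
    # Checks a certificate from the Local Computer store against the LDAPS requirements.
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate,
        [Parameter(Mandatory)][string]$DcFqdn
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth; Schannel will not use a cert without it

    # Enhanced Key Usage extension -> list of EKU OIDs
    $ekuExt = $Certificate.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $ekus = @()
    if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

    # Subject Alternative Name (OID 2.5.29.17). Format($false) renders it as
    # "DNS Name=dc01.corp.example.com, DNS Name=corp.example.com, ..." on an English locale.
    $sanExt = $Certificate.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($sanExt) {
        $dnsNames = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() })
    }

    # Build the chain against this machine's trust store (the CA cert must be trusted here).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($Certificate)
    $now = Get-Date

    $checks = [ordered]@{
        HasPrivateKey  = $Certificate.HasPrivateKey
        ServerAuthEku  = $ekus -contains $serverAuthOid
        SanMatchesFqdn = $dnsNames -contains $DcFqdn.ToLowerInvariant()
        ChainTrusted   = $chainOk
        InValidity     = ($Certificate.NotBefore -le $now) -and ($Certificate.NotAfter -gt $now)
    }
    [pscustomobject]@{
        Thumbprint  = $Certificate.Thumbprint
        Subject     = $Certificate.Subject
        Issuer      = $Certificate.Issuer
        DnsNames    = $dnsNames
        ChainStatus = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        Checks      = [pscustomobject]$checks
        Ready       = ($checks.Values -notcontains $false)   # true only if every check passed
    }
}

# 1. Enrol from the online CA (command-line equivalent of 'Request New Certificate' above).
$result = Get-Certificate -Template $TemplateName -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') { throw "Enrollment did not complete: status $($result.Status)" }

# 2. Verify the issued certificate before exporting or importing anything.
$report = Test-LdapsCertificate -Certificate $result.Certificate -DcFqdn $DcFqdn
$report | Format-List
$report.Checks | Format-List
if (-not $report.Ready) {
    Write-Warning "Certificate $($report.Thumbprint) is not usable for LDAPS yet; see the failed checks above."
}
```

If any check fails, fix it at the template (EKU and subject name tabs) and re-enrol rather than continuing; a certificate that passes here is the one to export in Section II – C.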

SECTION II – C – Export Certificate

Now that we have our certificate in the DC's ‘Personal\Certificates’ folder we need to export it so we can then import it into the AD DS service's own certificate store:

  1. Select the certificate you just created. NOTE: you should see your newly created certificate template named under the ‘Certificate Template’ column.
  2. FIGURE 9 – Listed Certificate
  3. Right click on the certificate and select ‘All Tasks > Export’.
  4. FIGURE 10 – Export Certificate
  5. Click ‘next’ on the first page of the wizard.
  6. Select the ‘Yes, export the private key’ radio button.
  7. FIGURE 11 – Export Private Key
  8. Select the ‘Personal Information Exchange’ radio button.
  9. FIGURE 12 – Certificate Extension
  10. Tick the ‘Password’ check box and give the ‘.pfx’ file a strong password; you only need it once, at the import in Section II – D. NOTE: I have selected ‘AES256-SHA256’ encryption because it makes sense to use the strongest encryption available.
  11. FIGURE 13 – Certificate Password
  12. Choose a suitable location to export the certificate to.
  13. FIGURE 14 – Certificate Export Location
  14. Once you click ‘finish’ you should see a successful export dialogue box.
  15. FIGURE 15 – Completed Certificate Export

SECTION II – D – Import Certificate Into AD DS

With our exported ‘.pfx’ certificate we can now import it into AD DS (Active Directory Domain Services):

  1. Right click on the Windows start icon and click ‘run’.
  2. Type ‘MMC’ and press enter.
  3. Click ‘File’ and then select ‘Add/Remove Snap-ins’.
  4. FIGURE 16 – Add or Remove Snap-Ins
  5. Double click on the ‘Certificates’ option to add it to the selected list.
  6. Select the ‘Service account’ radio button.
  7. FIGURE 17 – Manage Service Account Certificates
  8. Select the ‘Local computer’ radio button.
  9. FIGURE 18 – Local Computer
  10. Select the ‘Active Directory Domain Services’ account from the list.
  11. FIGURE 19 – Manage Active Directory Domain Services Certificates
  12. Click ‘Ok’ to open the snap-in.
  13. FIGURE 20 – Certificate Snap-in
  14. Select the ‘NTDS\Personal’ folder.
  15. Right click on the selected folder and select ‘All Tasks > Import’.
  16. FIGURE 21 – Import Certificate
  17. Click ‘next’ at the welcome page to the wizard.
  18. Browse to your exported certificate location.
  19. FIGURE 22 – Select Certificate
  20. Enter the password you set when exporting the certificate.
  21. FIGURE 23 – Certificate Encryption Password
  22. Leave the ‘Certificate Store’ option as it is.
  23. FIGURE 24 – Certificate Store
  24. Once finished you should get a successful dialogue.
  25. FIGURE 25 – Successful Import
  26. Now you should see that a ‘Certificates’ folder has been created under ‘NTDS\Personal’, containing the DC certificate as well as the CA certificate. Once this is confirmed, delete the exported ‘.pfx’ file from disk.
  27. FIGURE 26 – Verify Imported Certificate

SECTION III – Testing

Now that we have imported the certificate required for LDAPS we need to test that it is working as expected. To do that we need to:

  1. On your DC open a PowerShell session as Administrator.
  2. Run the following command:
  3. Install-WindowsFeature RSAT-AD-Tools -IncludeAllSubFeature -IncludeManagementTools

    FIGURE 27 – PowerShell Install
  4. In your main Windows search bar type in ‘ldp’.
  5. FIGURE 28 – LDP Application
  6. Within the LDP application click ‘Connection > Connect’.
  7. FIGURE 29 – LDP Connection
  8. Enter the following:
    • Server – DC FQDN (Fully Qualified Domain Name)
    • Port – 636
    • SSL – Ticked
  9. FIGURE 30 – LDP Connection Parameters
  10. Once you click ‘Ok’ you should see ‘Established connection to <FQDN>’. If instead you get ‘Cannot open connection’, the usual causes are a certificate whose SAN does not contain the FQDN you typed, a chain the client does not trust, or no usable certificate for the service at all. Repeat the test from a client that will actually use LDAPS (for example a non-domain appliance) after giving it the CA's root certificate, because ldp.exe on the DC validates against the DC's own trust store.
  11. FIGURE 31 – LDP Connection Result
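
ldp.exe only tells you that a connection was established. The following added example (not code from the original post) does the same test from a domain-joined client in a way you can script and repeat: it opens a TLS session to TCP 636 and records the certificate the DC presents, the negotiated protocol and cipher, and the policy errors .NET's own validation reports (untrusted chain, name mismatch); then it performs an LDAP bind and a rootDSE read over LDAPS with the caller's Windows credentials, which is what an application does in production. It assumes Windows PowerShell 5.1 on a domain-joined machine that trusts the CA, and the DC name ‘dc01.corp.example.com’ is a placeholder to replace with your own.

```powershell
# Added example (not part of the original post).
# Assumption: $DcFqdn is a hypothetical value; replace it with your DC's FQDN.
$DcFqdn = 'dc01.corp.example.com'

function Test-LdapsTls {
    # Raw TLS handshake to the LDAPS port; reports what the DC presented and what validation thought of it.
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    $script:policyErrors = $null
    # Record validation's verdict but accept the session so the certificate can still be inspected.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:policyErrors = $errors
        $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Server)   # hostname check is done against $Server, so connect by FQDN
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $report = [pscustomobject]@{
            Server       = $Server
            Protocol     = $ssl.SslProtocol
            Cipher       = ('{0} {1}-bit' -f $ssl.CipherAlgorithm, $ssl.CipherStrength)
            Subject      = $remote.Subject
            Issuer       = $remote.Issuer
            NotAfter     = $remote.NotAfter
            Thumbprint   = $remote.Thumbprint
            PolicyErrors = $script:policyErrors   # 'None' is what you want to see
            Valid        = ($script:policyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        }
        $ssl.Dispose()
        $report
    } finally { $tcp.Close() }
}

function Test-LdapsBind {
    # Bind over LDAPS with the current Windows identity and read rootDSE, as an application would.
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    try {
        $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS: TLS from the first byte (not StartTLS on 389)
        $conn.SessionOptions.ProtocolVersion = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # Kerberos/NTLM as the current user
        $conn.Bind()   # throws LdapException ("The LDAP server is unavailable") if the DC's certificate fails validation
        $req = New-Object System.DirectoryServices.Protocols.SearchRequest(
            '', '(objectClass=*)',
            [System.DirectoryServices.Protocols.SearchScope]::Base,
            [string[]]@('dnsHostName', 'defaultNamingContext'))
        $entry = $conn.SendRequest($req).Entries[0]
        [pscustomobject]@{
            BoundTo              = [string]$entry.Attributes['dnsHostName'].GetValues([string])[0]
            DefaultNamingContext = [string]$entry.Attributes['defaultNamingContext'].GetValues([string])[0]
        }
    } finally { $conn.Dispose() }
}

$tls = Test-LdapsTls -Server $DcFqdn
$tls | Format-List
if (-not $tls.Valid) {
    Write-Warning "TLS policy errors: $($tls.PolicyErrors). Check the chain (Section II) and that you connected by the FQDN in the certificate's SAN."
}
Test-LdapsBind -Server $DcFqdn | Format-List
```

A healthy result shows PolicyErrors of None, a Subject or SAN carrying the DC's FQDN, an Issuer that is your CA, and a BoundTo value equal to the DC you connected to. A name mismatch here usually means the test used a short name or alias that is not in the certificate's SAN; a chain error means the client does not trust the issuing CA.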
