LDAP over SSL with a CA server

  • MS AD 2008
  • Server 2008 CA server (Not a DC)

Notes:

  • This method does not force SSL, so the domain controllers will continue to accept both SSL and non-SSL LDAP connections. (Which is what I wanted.)
  • Make sure to edit the template before pushing it out to the domain controllers, to set how long the certificate is valid for.
  • Fails on read-only DCs (RODCs).

CA Server

  • Log onto the CA server and open Server Manager.  Under Roles > Active Directory Certificate Services > Certificate Templates, you should see a template named “Domain Controller Authentication”.

  • Then expand the CA server > Certificate Templates; you should see that same template listed.  If it is, it’s already enabled; if not, you have to enable the Domain Controller Authentication certificate template.
  • To enable it, under the CA server right-click Certificate Templates > New > Certificate Template to Issue, select “Domain Controller Authentication” and click OK.

  • That’s it for the CA server!

Domain Controllers (you must do the following steps on every DC in your environment; root is exceptional)

  • Log onto a domain controller and create an MMC with the “Certificates” snap-in for the “Computer account”.
  • Go to Certificates (Local Computer) > Personal > right-click Certificates > All Tasks > Request New Certificate…

  • On the next screen, select “Active Directory Enrollment Policy”, then click “Next”.

  • On the new prompt, click Next.  Select “Domain Controller” and “Domain Controller Authentication”, then click “Enroll”.

  • Once the status shows “Succeeded”, you’re set to test!
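Before moving on to the LDP test, it helps to confirm that the enrolment actually left a usable certificate behind. The following PowerShell is an added example, not part of the original post: run in an elevated session on the domain controller, it lists every certificate in the machine store, reads the template name from the certificate template extension, and checks the properties Schannel needs for LDAPS (a private key, the Server Authentication EKU, the DC’s FQDN in the Subject Alternative Name, a valid chain and an unexpired certificate). It assumes the default template display names (“Domain Controller Authentication” for the v2 template and “DomainController” for the older v1 template) and that the DC’s FQDN resolves locally.

```powershell
# Added example (not from the original post): after enrolling, confirm the
# DC's machine store holds a certificate that Schannel can use for LDAPS.
# Run in an elevated PowerShell session on the domain controller.
# Assumptions: default template names, and the DC's FQDN resolves locally.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'                               # Server Authentication EKU
$templateOids  = '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2'    # v2 template info / v1 template name
$dcTemplates   = 'Domain Controller Authentication', 'DomainController'
$dcFqdn        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

function Get-TemplateName {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    foreach ($ext in $Cert.Extensions) {
        if ($templateOids -contains $ext.Oid.Value) {
            # v2 extension formats as "Template=<name>(<oid>), Major Version ...";
            # the v1 extension formats as just the template name (assumption about the format text).
            $text = $ext.Format($false)
            if ($text -match 'Template=([^(]+)') { return $Matches[1].Trim() }
            return $text.Trim()
        }
    }
    return ''
}

function Test-DcAuthCertificate {
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
        $template = Get-TemplateName $cert

        # EKU extension (2.5.29.37) is exposed as a typed X509EnhancedKeyUsageExtension
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekus = @()
        if ($ekuExt) { $ekus = @($ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }) }

        # SAN extension (2.5.29.17) formats as "DNS Name=dc01.corp.example, ..."
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = ''
        if ($sanExt) { $sanText = $sanExt.Format($false) }

        New-Object PSObject -Property @{
            Thumbprint    = $cert.Thumbprint
            Template      = $template
            IsDcTemplate  = ($dcTemplates -contains $template)
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEku = ($ekus -contains $serverAuthOid)
            SanHasFqdn    = ($sanText -match [regex]::Escape($dcFqdn))
            NotExpired    = ($cert.NotAfter -gt (Get-Date))
            ChainValid    = $cert.Verify()        # builds the chain, including a revocation check
            NotAfter      = $cert.NotAfter
        }
    }
}

$report = @(Test-DcAuthCertificate)
$report | Format-Table Thumbprint, Template, IsDcTemplate, HasPrivateKey, ServerAuthEku, SanHasFqdn, NotExpired, ChainValid, NotAfter -AutoSize

# A certificate is usable for LDAPS only when every check is true; if several qualify, Schannel picks one.
$usable = @($report | Where-Object {
    $_.IsDcTemplate -and $_.HasPrivateKey -and $_.ServerAuthEku -and $_.SanHasFqdn -and $_.NotExpired -and $_.ChainValid })
if ($usable.Count -gt 0) { "OK: $($usable.Count) certificate(s) usable for LDAPS on $dcFqdn" }
else { "WARNING: no usable domain controller certificate found on $dcFqdn" }
```

If the report shows the right template but SanHasFqdn is false, the template’s subject-name settings were changed; if ChainValid is false, the DC cannot see the CA’s CRL or does not trust the issuing CA, and LDP will fail on port 636 until that is fixed.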

Testing

  • Open “LDP” as an administrator
  • Connect to the Domain Controller you were just working on.  Connect to port “636” and leave only “SSL” checked.
    • If you get the error “Cannot Open Connection”, SSL has not been configured to work with LDAP and you need to go back to the drawing board.

  • Once connected, go to File > Bind, bind with a domain admin account.  Leave the rest of the settings on default and click OK.

  • If the output shows your domain and user account, congrats, LDAP now has the option to work with SSL!  (Do this whole test with every DC you set up.)
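Because the post says to repeat the test on every DC, a scripted version of the LDP check is handy. The following PowerShell is an added example, not part of the original post: it opens a TLS session to port 636 from any domain-joined machine, records the certificate the DC presents together with any chain or name-mismatch errors, and then binds over LDAPS with the caller’s own Kerberos ticket (no account or password in the script) and reads the rootDSE, which is the equivalent of the bind result LDP shows. The DC name `dc01.corp.example` is a placeholder; replace it with the DC you just enrolled.

```powershell
# Added example (not from the original post): a scripted version of the LDP test.
# Run from any domain-joined machine; $DcFqdn is a placeholder, replace it.
param([string]$DcFqdn = 'dc01.corp.example')

function Test-LdapsHandshake {
    param([string]$Server, [int]$Port = 636)
    $client = New-Object System.Net.Sockets.TcpClient
    try { $client.Connect($Server, $Port) }
    catch {
        # Equivalent of LDP's "Cannot Open Connection": nothing is listening for TLS on 636
        return New-Object PSObject -Property @{ Server = $Server; Listening = $false; Error = $_.Exception.Message }
    }
    $script:remoteCert = $null
    $script:chainErrors = $null
    $validate = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $cert, $chain, $errors)
        $script:remoteCert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $cert
        $script:chainErrors = $errors
        $true   # accept here only so the certificate can be reported; the errors are surfaced in the result
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $validate)
    try {
        $ssl.AuthenticateAsClient($Server)
        New-Object PSObject -Property @{
            Server      = $Server
            Listening   = $true
            Protocol    = $ssl.SslProtocol
            Subject     = $script:remoteCert.Subject
            Issuer      = $script:remoteCert.Issuer
            NotAfter    = $script:remoteCert.NotAfter
            ChainErrors = $script:chainErrors   # "None" is what you want; RemoteCertificateNameMismatch means the SAN lacks the FQDN
        }
    } finally {
        $ssl.Close()
        $client.Close()
    }
}

function Test-LdapsBind {
    param([string]$Server)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true    # LDAPS on 636, not StartTLS on 389
    $conn.SessionOptions.ProtocolVersion  = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # Kerberos with the current logon
    try {
        $conn.Bind()
        # Read defaultNamingContext from rootDSE, the same kind of output LDP shows after a bind
        $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                    '', '(objectClass=*)',
                    [System.DirectoryServices.Protocols.SearchScope]::Base,
                    [string[]]@('defaultNamingContext'))
        $resp = $conn.SendRequest($req)
        $nc   = [string]$resp.Entries[0].Attributes['defaultNamingContext'][0]
        New-Object PSObject -Property @{ Server = $Server; Bound = $true; DefaultNamingContext = $nc; Error = $null }
    } catch {
        New-Object PSObject -Property @{ Server = $Server; Bound = $false; DefaultNamingContext = $null; Error = $_.Exception.Message }
    } finally { $conn.Dispose() }
}

$handshake = Test-LdapsHandshake -Server $DcFqdn
$handshake | Format-List
if ($handshake.Listening -and "$($handshake.ChainErrors)" -eq 'None') {
    Test-LdapsBind -Server $DcFqdn | Format-List
} else {
    "LDAPS is not healthy on $DcFqdn; fix the certificate before testing the bind"
}
```

The handshake stage deliberately accepts the certificate so it can report it; the script then refuses to attempt the bind unless the chain errors are `None`, so a DC that only “works” because validation was skipped still shows up as a failure. Running it once per DC from a management host gives the same coverage as repeating the LDP test by hand.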


Sources Used: http://technet.microsoft.com/en-us/library/ee411009(WS.10).aspx
