
I have a Windows 2008 Server (Base2) machine.

In Server Manager > Roles, I can see:
1. Active Directory Domain Services
2. DNS Server
3. Active Directory Certificate Services

Under Active Directory Certificate Services > mydomain > Issued Certificates, I see a certificate listed. If I 'open' this certificate, its purpose is listed as 'Private Key Archival'.

I want to get my Active Directory working in SSL (port 636).

When I use ldp.exe (an LDAP client) to connect to port 636 with the SSL checkbox enabled, I get an error ('Cannot Open Connection'); this works fine for the default port 389.

I am new to Windows Server Administration/Certificates.
What else do I need to set up?

Jasper

1 Answer

You are looking to get your DCs to support BIND via LDAPS. To do this, you will need to add a certificate to your domain controllers' Personal Certificate Store that meets the following requirements. This certificate could either be from a locally housed Certificate Authority or a Third-Party Authority.

  • The LDAPS certificate is located in the Local Computer's Personal certificate store (programmatically known as the computer's MY certificate store).
  • A private key that matches the certificate is present in the Local Computer's store and is correctly associated with the certificate.
  • The private key must not have strong private key protection enabled.
  • The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (also known as OID).
  • The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places: the Common Name (CN) in the Subject field, or a DNS entry in the Subject Alternative Name extension.
  • The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
  • You must use the Schannel cryptographic service provider (CSP) to generate the key.

The above was taken from KB321051: How to enable LDAP over SSL with a third-party certification authority.

Additional information on how to set up a local CA for using LDAPS can be found at the following article: LDAP over SSL (LDAPS) Certificate

Once your DCs have the proper certificate installed, LDAPS communication should automatically be enabled. You can verify this with ldp.exe as you were attempting to do.

HostBits
    I know this is resurrecting a long-dead question, but can you explain how one would go about using "the Schannel cryptographic service provider" to generate a private key? – ryansin Sep 05 '18 at 11:29
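The requirement list in the answer can be checked on the domain controller itself rather than by trial and error with ldp.exe. The PowerShell script below is an added example, not code from the answer, from KB321051 or from Microsoft: it walks every certificate in the Local Computer Personal store, reports which of the listed requirements each one fails (private key present, Server Authentication EKU 1.3.6.1.5.5.7.3.1, DC FQDN in the Subject CN or a SAN DNS entry, chain trusted by this machine), and then performs a plain TLS handshake to TCP 636 so you can see what certificate the DC actually presents. It assumes the DC is domain-joined, so that COMPUTERNAME and USERDNSDOMAIN yield its AD FQDN; pass -DcFqdn to override. The function and parameter names are the example's own.

```powershell
# Added example (not from the answer or KB321051): audit Cert:\LocalMachine\My on a
# domain controller against the LDAPS certificate requirements listed in the answer,
# then attempt a TLS handshake to TCP 636. Run in an elevated PowerShell on the DC.
# Assumption: the DC is domain-joined, so COMPUTERNAME + USERDNSDOMAIN is its AD FQDN.
param(
    [string]$DcFqdn = ("$($env:COMPUTERNAME).$($env:USERDNSDOMAIN)").ToLower()
)

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU (from the answer)
$SanOid        = '2.5.29.17'           # Subject Alternative Name extension
$EkuOid        = '2.5.29.37'           # Enhanced Key Usage extension

function Get-CertificateDnsNames {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    # Subject CN (SimpleName returns the CN when one is present)
    $cn = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }
    # SAN DNS entries; Format($false) renders e.g. "DNS Name=dc01.domain.com, DNS Name=domain.com"
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $SanOid } | Select-Object -First 1
    if ($san) {
        foreach ($entry in ($san.Format($false) -split ',\s*')) {
            if ($entry -match '^DNS Name=(.+)$') { $names += $Matches[1] }
        }
    }
    $names | ForEach-Object { $_.Trim().ToLower() }
}

function Test-LdapsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Fqdn)
    $problems = @()

    # A private key must be present and associated with the certificate
    if (-not $Cert.HasPrivateKey) { $problems += 'no associated private key' }

    # The EKU extension must include Server Authentication
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $EkuOid } | Select-Object -First 1
    $ekuOids = @()
    if ($eku) { $ekuOids = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) }
    if ($ekuOids -notcontains $ServerAuthOid) { $problems += "EKU lacks Server Authentication ($ServerAuthOid)" }

    # The DC FQDN must be the Subject CN or a SAN DNS entry
    if (@(Get-CertificateDnsNames $Cert) -notcontains $Fqdn.ToLower()) { $problems += "neither CN nor SAN names $Fqdn" }

    # Must chain to a root this machine trusts (Verify() also checks the validity period)
    if (-not $Cert.Verify()) { $problems += 'chain does not validate on this machine' }

    if ($problems.Count -eq 0) { 'OK' } else { $problems -join '; ' }
}

function Test-LdapsHandshake {
    param([string]$Fqdn, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Fqdn, $Port)
        # Accept whatever the server presents during the handshake so that the
        # certificate can be reported; trust is evaluated separately below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        $ssl.AuthenticateAsClient($Fqdn)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        New-Object PSObject -Property @{
            Connected = $true; Protocol = $ssl.SslProtocol
            Subject = $remote.Subject; ChainTrusted = $remote.Verify()
        }
    } catch {
        # No listener on 636 or no usable certificate on the DC surfaces here
        New-Object PSObject -Property @{ Connected = $false; Error = $_.Exception.Message }
    } finally { $tcp.Close() }
}

"Checking Cert:\LocalMachine\My on $($env:COMPUTERNAME) for an LDAPS-capable certificate ($DcFqdn)"
Get-ChildItem Cert:\LocalMachine\My | ForEach-Object {
    New-Object PSObject -Property @{
        Thumbprint = $_.Thumbprint
        Subject    = $_.Subject
        Result     = Test-LdapsCertificate -Cert $_ -Fqdn $DcFqdn
    }
} | Format-Table Thumbprint, Subject, Result -AutoSize -Wrap

"TLS handshake to ${DcFqdn}:636"
Test-LdapsHandshake -Fqdn $DcFqdn | Format-List
```

The store audit only proves the DC's side of the trust requirement. To confirm the client side, run Test-LdapsHandshake from a workstation that will use LDAPS: a result of Connected but ChainTrusted false means the DC is listening with a certificate but the client does not trust the root the issuing CA chains to, which is a different fix (distribute the root) from the 'Cannot Open Connection' failure in the question, where no usable certificate is installed on the DC at all.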