How to Enable LDAPS in Active Directory

By default, a domain controller accepts LDAP on port 389 without TLS. A simple bind, and everything the client reads or writes after it, travels in clear text unless the client negotiates SASL signing and sealing, and Active Directory refuses some operations on an unprotected connection: a password set or change through the unicodePwd attribute, for example, is only accepted over a channel protected by TLS or by a sealed SASL bind such as Kerberos.

To enable LDAP over SSL (LDAPS), all you need to do is install a suitable certificate on the domain controller: one issued to the DC's fully qualified name, marked for Server Authentication, whose private key sits in the local computer's certificate store, and which chains to a CA that the DC and its LDAP clients trust. Most enterprises will buy the certificate from a commercial CA such as Verisign. In my case, I created my own CA and certificate using OpenSSL. Here are the steps I used to secure my Active Directory server with a certificate issued by that private CA.

Pre-Requisites

OK, before we begin, here are a couple of things you need. First, you need administrative access to the Active Directory server (i.e. the domain controller). You also need the domain name and the fully qualified domain name (FQDN) of the domain controller. In this tutorial we use the following:
  • Domain Name: acme.com
  • Domain Controller: dc1.acme.com
Finally, in order to create a Certificate Authority (CA) and sign certificates, you need a tool like OpenSSL on a machine you control. This tutorial assumes you are using OpenSSL. Do the CA work somewhere other than the domain controller: the CA's private key is the one secret in this setup that must never sit on the server whose certificate it signs.

Step 1: Create a Certificate Authority (CA)

If you are creating your own certificate, you first need a Certificate Authority (CA) to sign it with. Fortunately, tools like OpenSSL make this easy.

Creating a CA certificate with OpenSSL is a two-step process. First, generate the CA's private key. The cipher option (-aes256 here; the older -des3 still works, but 3DES is deprecated) encrypts the key file with a passphrase that OpenSSL prompts for, and you will need that passphrase every time the CA signs something. Anyone holding ca.key and its passphrase can issue certificates that every machine trusting this CA will accept, so keep the file off the domain controller and out of backups that others can read.

openssl genrsa -aes256 -out ca.key 4096
Next, generate the CA certificate. In this example, we create a CA certificate that is valid for 10 years:

openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
The CA certificate must carry the basicConstraints CA:TRUE extension, or Windows will not build a chain through it. With the stock openssl.cnf, openssl req -x509 adds it through the v3_ca section; confirm it by dumping ca.crt with openssl x509 -text before going further. When generating the CA certificate, OpenSSL prompts for several pieces of information. The "Common Name" is the CA's own name, not the server's; we use our domain name here:
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:New York
Locality Name (eg, city) []:New York
Organization Name (eg, company) [Internet Widgits Pty Ltd]:ACME
Organizational Unit Name (eg, section) []:IT
Common Name (e.g. server FQDN or YOUR name) []:acme.com
Email Address []:info@acme.com

Step 2: Install the Certificate Authority (CA)

To install the CA certificate on the domain controller, open the Certificates snap-in for the computer account:
      1. Start->Run...-> Type "mmc" to open an empty console, then choose File -> "Add/Remove Snap-in..." to open the "Add/Remove Snap-in" dialog.
      2. Click "Add..." to open the "Add Standalone Snap-in" dialog.
      3. In the "Add Standalone Snap-in" dialog, select "Certificates" and press "Add".
      4. Select "Computer account" and press "Next".
      5. Select "Local computer" and press "Finish".
      6. Click "Close" to close the "Add Standalone Snap-in" dialog.
      7. Click "OK" to close the "Add/Remove Snap-in" dialog.
Once the Certificates snap-in is open, expand the "Certificates" node under "Trusted Root Certification Authorities". Right-click on the "Certificates" node, select "All Tasks" -> "Import...", and import the CA certificate ("ca.crt") we created in Step 1. The DC now trusts the CA, but every LDAP client that will validate the LDAPS certificate (domain members, application servers, directory tools) must trust ca.crt as well; for domain-joined Windows machines the usual way is to publish it to the Trusted Root Certification Authorities store through Group Policy.

Step 3: Create a Certificate Signing Request (CSR)

Next, we have to create a Certificate Signing Request (CSR). OpenSSL can produce one, but the preferred approach on a domain controller is Microsoft's certreq utility: it generates the key pair inside the DC's machine key store, so the private key never leaves the server and Schannel can find it later. A CSR made with OpenSSL would instead force you to carry a key file onto the DC and import it.

The certreq utility is a command line application that takes a *.inf file and generates a CSR. Here's the inf file I used, run from an elevated prompt on the DC. Pay close attention to the "Subject" line: its CN must be the FQDN of the domain controller, and the same name goes into the Subject Alternative Name extension, which is where current clients look for it.

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
; CN is the DC's FQDN. No DC= components: dc1 is a host name, not a domain component.
Subject = "CN=dc1.acme.com,OU=IT,O=ACME,L=New York,S=New York,C=US"
; AT_KEYEXCHANGE: the key may be used for key exchange (required for TLS)
KeySpec = 1
; 1024-bit RSA is no longer acceptable
KeyLength = 2048
; keep the private key locked in the DC's machine store; TRUE lets anyone with local admin export it
Exportable = FALSE
; generate the key under the computer account, not the logged-on user
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
; Digital Signature (0x80) + Key Encipherment (0x20)
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

[Extensions]
; Subject Alternative Name (OID 2.5.29.17) carrying the DC's FQDN
2.5.29.17 = "{text}"
_continue_ = "dns=dc1.acme.com"

Once you have a inf file, generate a Certificate Signing Request (CSR) using certreq. In this example, "acme.csr" is the CSR.

certreq -new request.inf acme.csr

Step 4: Sign the Certificate

After generating the Certificate Signing Request (CSR), you are ready to have the certificate issued. If you are purchasing a certificate, send the CSR to your vendor (e.g. Verisign); they sign it and return the certificate, and you continue with Step 5. If you run your own CA, sign the request with OpenSSL.

Two details matter here. First, "openssl x509 -req" does not copy the Server Authentication EKU or the Subject Alternative Name from the CSR into the certificate unless you supply them again with -extfile (OpenSSL 3 can alternatively be told -copy_extensions copy), so the file acme.ext referenced below must set extendedKeyUsage = serverAuth and subjectAltName = DNS:dc1.acme.com. Second, do not hard-code the serial number with -set_serial: X.509 requires every certificate from one issuer to have a unique serial, a reissued certificate that reuses one trips clients that remember the issuer/serial pair, and -CAcreateserial keeps a counter in ca.srl for you. The 10-year lifetime below mirrors the CA's; for the server certificate itself a shorter lifetime limits the damage if the DC's key is ever exposed.

openssl x509 -req -days 3650 -sha256 -in acme.csr -CA ca.crt -CAkey ca.key -CAcreateserial -extfile acme.ext -out acme.crt
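The OpenSSL side of Steps 1, 4 and 7 as one script, added here as an example and not part of the original tutorial: it builds the CA with explicit CA extensions, issues the server certificate with the Server Authentication EKU and a DNS SAN for the DC, gives each issued certificate a fresh serial, and checks the result before it is handed back to certreq. The following are assumptions rather than facts from the page: the CA name "ACME Internal Root CA", the passphrase taken from the CA_PASS variable, the scratch directory, the 825-day server lifetime, and the CSR being generated with OpenSSL so that the script runs offline (on a real DC the CSR is the acme.csr that certreq produced in Step 3, and make_csr is not used).

```shell
#!/usr/bin/env bash
# Added example, not the article's own commands: an OpenSSL CA that issues an
# LDAPS server certificate with the extensions the DC needs and with unique
# serial numbers. "openssl x509 -req" ignores extensions in the CSR unless it
# is given an -extfile, so a CSR signed as in the article comes back without
# its Server Authentication EKU or a SAN.
# Assumptions (not from the article): the CA passphrase comes from CA_PASS,
# everything is written to a scratch directory, and the CSR is generated here
# with OpenSSL only so the script runs offline. On a real DC the CSR comes
# from certreq (Step 3); only make_ca, issue_server_cert and the checks apply.
set -eu

DC_FQDN="${DC_FQDN:-dc1.acme.com}"
CA_PASS="${CA_PASS:-demo-passphrase}"   # constructed for the demo; use a real secret
WORKDIR="$(mktemp -d)"

# Step 1: CA key (passphrase-encrypted with AES instead of the article's 3DES)
# and a self-signed CA certificate whose extensions actually mark it as a CA.
# A private config file is used so the system openssl.cnf cannot change the result.
make_ca() {
  cat > "$WORKDIR/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
x509_extensions = v3_ca
[dn]
C = US
ST = New York
L = New York
O = ACME
OU = IT
CN = ACME Internal Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -aes256 -passout "pass:$CA_PASS" -out "$WORKDIR/ca.key" 4096 2>/dev/null
  openssl req -new -x509 -days 3650 -sha256 -config "$WORKDIR/ca.cnf" \
    -key "$WORKDIR/ca.key" -passin "pass:$CA_PASS" -out "$WORKDIR/ca.crt"
}

# Stand-in for certreq (demo only): a CSR whose subject CN is the DC's FQDN.
make_csr() {   # $1 = output CSR path
  printf '[req]\ndistinguished_name = dn\nprompt = no\n[dn]\nCN = %s\nOU = IT\nO = ACME\n' \
    "$DC_FQDN" > "$WORKDIR/dc.cnf"
  openssl req -new -newkey rsa:2048 -nodes -keyout "$WORKDIR/dc.key" \
    -config "$WORKDIR/dc.cnf" -out "$1" 2>/dev/null
}

# Step 4: sign the CSR. The extensions come from -extfile, the serial from the
# CA's serial file (-CAcreateserial), never from a fixed -set_serial value.
issue_server_cert() {   # $1 = CSR path, $2 = output certificate path
  cat > "$WORKDIR/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:$DC_FQDN
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
EOF
  openssl x509 -req -days 825 -sha256 -in "$1" \
    -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" -passin "pass:$CA_PASS" \
    -CAcreateserial -extfile "$WORKDIR/server.ext" -out "$2" 2>/dev/null
}

serial_of() { openssl x509 -in "$1" -noout -serial; }

# What to check before the certificate goes to certreq -accept: it chains to the
# CA, names the DC in a SAN, is usable for server authentication, and carries
# the public key from the CSR (so it will pair with the key certreq generated).
verify_server_cert() {   # $1 = certificate path, $2 = CSR path
  local text
  openssl verify -CAfile "$WORKDIR/ca.crt" "$1" >/dev/null 2>&1 || return 1
  text="$(openssl x509 -in "$1" -noout -text)"
  printf '%s\n' "$text" | grep -q "TLS Web Server Authentication" || return 1
  printf '%s\n' "$text" | grep -q "DNS:$DC_FQDN" || return 1
  [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl req -in "$2" -noout -pubkey)" ]
}

# Step 7 check from a non-Windows host (needs network access to the DC, so it
# is not called below): the chain presented on 636 must validate against ca.crt.
check_ldaps() {   # $1 = DC FQDN
  openssl s_client -connect "$1:636" -servername "$1" -CAfile "$WORKDIR/ca.crt" \
    </dev/null 2>/dev/null | grep -q "Verify return code: 0 (ok)"
}

make_ca
make_csr "$WORKDIR/acme.csr"
issue_server_cert "$WORKDIR/acme.csr" "$WORKDIR/acme.crt"
issue_server_cert "$WORKDIR/acme.csr" "$WORKDIR/acme-renewed.crt"   # reissue: serial must change
verify_server_cert "$WORKDIR/acme.crt" "$WORKDIR/acme.csr"
echo "issued $WORKDIR/acme.crt ($(serial_of "$WORKDIR/acme.crt")) for $DC_FQDN"
```

Run it on the machine that holds ca.key, never on the DC. The second issue_server_cert call shows what -CAcreateserial buys you: a renewed certificate for the same request gets a different serial, which -set_serial 01 would not give. check_ldaps is the Step 7 test from a Linux or macOS client; it passes only when the DC presents a chain that ends at ca.crt and names the host you connected to.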

Step 5: Accept the Certificate

After you get the signed certificate, copy it back to the same domain controller that produced the CSR and "accept" it with certreq from an elevated prompt. certreq finds the pending request whose public key matches, binds the certificate to the private key it generated in Step 3, and stores the result in the Local Computer's Personal store:

certreq -accept acme.crt

Step 6: Install the Certificate

Nothing further needs importing: certreq -accept already placed the certificate in the Local Computer's Personal store, and importing acme.crt by hand would add a copy without a private key. Instead, verify. In the Certificates snap-in we opened in Step 2, expand the "Certificates" node under "Personal" and confirm that a certificate issued to dc1.acme.com is listed, that opening it shows "You have a private key that corresponds to this certificate", and that its Certification Path ends at the CA from Step 2 with no errors. If the certificate is missing or shows no private key, go back to Step 5 and run certreq -accept on the DC that generated the request.

Step 7: Restart Active Directory

Active Directory now has to start using the new certificate. Restarting the domain controller does this, but a reboot is not required: on Windows Server 2008 and later you can tell the LDAP service to reload its certificate by writing the renewServerCertificate attribute to the rootDSE (for example with ldifde). Then test from a client rather than from the DC itself, because a client that does not trust ca.crt is the most common failure. Microsoft's Ldp tool works for this: Connection -> Connect, enter dc1.acme.com, set the port to 636 and tick SSL. The plain LDAP port is 389 and the LDAPS port is 636; a global catalog additionally listens with TLS on 3269. If the handshake fails, check the Schannel errors in the DC's System event log and confirm again that the certificate in the Personal store has its private key and chains to a CA the client trusts.
