
In this tutorial, I will explain how to configure the LDAPS protocol in an Active Directory environment, so that connections to the domain controllers are secured with SSL.
In practice, as you will see, there is nothing to configure at the Active Directory level; but where there is SSL there is a certificate, and that is what this tutorial covers: how to issue a certificate to the domain controllers so that they can answer LDAPS requests on port 636.
To begin, you will need an enterprise certificate authority (AD CS).
It is possible to use self-signed certificates, but I find this option cumbersome to implement, because the certificate then has to be deployed to the clients and we have no way to revoke it.
Configure the certificate template
The first step is to configure a certificate template for the LDAPS connection. For this we will duplicate the Kerberos Authentication certificate template, because the certificates it issues carry, in addition to the DNS name of the requesting server, the DNS name of the domain itself. This lets us open the LDAPS connection using the domain's DNS name instead of the name of a specific domain controller.
Start by opening the Certification Authority Administration console, then go to the Certificate Templates folder 1.

Right-click on Certificate Templates and click on Manage 1.

Right-click on the Kerberos Authentication template and click on Duplicate template 1.

On the General tab, enter the template name 1.

On the Request Processing tab, check the box Allow private key to be exported 1 if you think you will need to export the certificate together with its private key.

On the Subject Name tab, verify that the selected option is Build from this Active Directory information 1 and that DNS Name 2 is checked.

Next, go to the Extensions tab, select Application Policy 1 and click the Edit 2 button.

Select KDC Authentication 1 and click Remove 2, then do the same with Smart Card Logon.

With the application policies configured, click OK 1 to close the window.

Click on Apply 1 and OK 2 now to create the new template.

The LDAPS template is created.

Back on the Certification Authority management console, right-click on Certificate Templates, then go to New 1 and click on Certificate Template to Issue 2.

Select the LDAPS template 1 that we just created, then click OK 2 to add it.

The LDAPS template has been added to the list of templates issued by the certification authority.

Request the certificate from a domain controller
Open the Certificate MMC console on the local computer (search from the Start menu) and go to the Personal / Certificates folder.

Right-click in the central area then go to All tasks 1 and click on Request a new certificate 2.

When launching the assistant, click on the Next button 1.

Select Active Directory Enrollment Policy 1, then click the Next button 2.

In the list of templates, choose the LDAPS template 1 that we created, then click Enroll 2.

The certificate has been generated, close the wizard by clicking on Finish 1.

The certificate is added to the computer’s Personal store.

Test the LDAPS connection
To finish this tutorial, we’ll verify the LDAPS connection to our domain controller. From Windows, we’ll use ldp.exe. If you have another domain controller, connect to it; otherwise, install the administration tools available from Windows Server features.
Launch ldp.exe from a run window.

From the menu, click on Connection 1 then on Connect 2.

Enter the FQDN 1 of the domain controller, enter port 636 2, check the SSL box 3 then click the OK button 4.

We are connected to the domain controller via LDAPS.
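As an added check that is not part of the original tutorial, the PowerShell script below performs the same test as ldp.exe from a script: it opens a TLS session to port 636, lets the default certificate validation run (so an untrusted or mismatched certificate fails, as it would in ldp.exe with SSL checked), and reports whether the Subject Alternative Name lists both the domain controller and the domain DNS name, which is the reason the Kerberos Authentication template was chosen. The domain controller and domain names are placeholders to replace with your own.

```powershell
# Added example, not part of the original tutorial.
# Placeholders: replace with your domain controller FQDN and your AD domain DNS name.
$DomainController = 'dc01.example.lan'
$DomainDnsName    = 'example.lan'
$Port             = 636

$client = New-Object System.Net.Sockets.TcpClient($DomainController, $Port)
# No custom validation callback: the CA must be trusted and the name must match,
# otherwise AuthenticateAsClient throws, just like ldp.exe refusing the SSL connection.
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($DomainController)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    # Subject Alternative Name extension (OID 2.5.29.17); Format() renders one "DNS Name=..." per line.
    $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($sanExt) {
        $dnsNames = $sanExt.Format($true) -split "`r?`n" |
            ForEach-Object { ($_ -split '=', 2)[-1].Trim() } |
            Where-Object { $_ }
    }

    [pscustomobject]@{
        Protocol     = $ssl.SslProtocol
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        SanDnsNames  = $dnsNames -join ', '
        SanHasDc     = $dnsNames -contains $DomainController
        SanHasDomain = $dnsNames -contains $DomainDnsName
    }
}
finally {
    $ssl.Dispose()
    $client.Dispose()
}
```

If SanHasDomain is false, the certificate was not issued from a template that builds the subject from Active Directory with DNS Name checked, and connecting to LDAPS by the domain name will fail name validation.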

You now know how to set up an LDAPS connection within your Active Directory environment using an AD CS certificate authority.
If required, the certificate can also be generated automatically on the domain controllers using a group policy.
