Monday, November 19, 2012

Enabling LDAP SSL in Windows 2012 (Self-Signed Certificates)



As expected in the world of Microsoft Windows Server 2012 and Active Directory, the interface and methods of managing certain functions changed.  One thing in particular that I often have to do as a result of interfacing with AD through LDAP, is to enable a Certificate Authority role in the AD environment so that we can connect and manage objects through LDAP via SSL.

Although this is not any more complicated than in Windows Server 2008, it just appears differently due to managing everything through Server Administrator, the new built-in utility to manage all aspects of Windows Server 2012.  Fortunately, I took the time to capture screenshots and document the process of enabling a Certificate Authority on a DC, which I have outlined below.  Please note that in order for DCs to receive certificates, they will most likely need to be rebooted.



1.  Log on to the server that you intend to add the CA role to (in my case this was a DC).
2.  Launch the Server Administrator tool (if it did not launch automatically) to get to the dashboard.


3.  In server administrator, select ADD ROLES AND FEATURES from the MANAGE Menu.  You will get prompted with a dialog box to confirm that you want to add roles through the wizard.  Click NEXT.



4.    You will be prompted to select the installation type, choose ROLE BASED OR FEATURE BASED INSTALLATION.  Click Next.


 5.  You will be prompted to select the server to install the role on.  Select the server in the selection list and then click NEXT.




 6.  Select the ROLE that you want to install.  In this case, select CERTIFICATE SERVICES and click NEXT.


7.  You will see a dialog box prompting you for additional features.  Click NEXT.





8.  Next, you will receive a notification that after installing Certificate Services, the domain and server cannot be modified.  Click NEXT.




9.  You will be prompted to select the specific Role Services within the Certificate Services role that you want to enable.  Leave CERTIFICATION AUTHORITY checked and click NEXT.





10.  Next you will be asked about restarting the server if it is required after install.  Make your selection and click NEXT.




11.  After clicking NEXT, the installation of the role will begin.



12.  Once the installation has finished, a new role block will appear in the server administrator dashboard.  Click NEXT to continue.






13.  After completing PART 1, you will be returned to a completion screen showing that the Certificate Services role has been installed successfully.  Click on CONFIGURE ACTIVE DIRECTORY CERTIFICATE SERVICES ON DESTINATION SERVER.



14.  Verify that you are using the proper credentials to configure the Certificate Services orle, if not change to the proper account.  Click NEXT.



15.  Again, select the specific function of Certificate Services to configure.  Leave Certification Authority selected and click NEXT.



16.  Specify the Setup Type for the Certification Authority - choose ENTERPRISE CA and click NEXT.



17.  Next, specify the Type of CA.  Select ROOT CA and click NEXT.



18.  Next, specify the private key to be created.  Select NEW PRIVATE KEY and click NEXT.



19.  Next, leave the cryptography as it is and click NEXT.



20.  Next, specify the Certificate Name.  I recommend leaving it as default, as it names it based on the domain and server name that you are installing the CA on.  Click NEXT.





21.  Specify the Validity Period.  The default is 5 years, I recommend 25 years to ensure that you will not have to recertify for quite a while.


22.  Next you will need to specify where to store the certification database.  Again, I recommend leaving the default settings, and click NEXT.


23.  Verify your configuration settings, and click CONFIGURE.



24.  The configuration will run (should only take a few seconds), and then a confirmation message indicating that the Certificate Services installation SUCCEEDED should appear.  Click CLOSE.



25.  You will be returned to the Roles and Features installation wizard.  Click CLOSE.














26.  Reboot the server in order for it to receive a certificate from the CA.
27.  Test connecting to the server via an LDAP Browser tool, such as Apache Directory Studio.  Connect using LDAPS and port 636.  If you can browse the tree, then the LDAP SSL installation was successful.



56 comments:

  1. How do we download the Certificate to use with LDAPS?

    ReplyDelete
    Replies

    1. windows 7 upgrade key store review , windows 7 ultimate keystore , get windows server 2016 keys discount , cheap windows and office product keys , windows 10 activation is blocked , visual studio 2012 ultimate cd-key , buy windows 7 with a key , microsoft outlook 2010 product code , lTz4En

      windows 7 ult key sale online

      buy office pro plus 2016 keys

      cheap windows 10 pro keys for sale

      windows server 2016 standard key sale and download

      buy windows 7 ult keys online

      Delete
  2. Great question Josh! Most of the time, the software or system that you are using to access AD through a secure LDAP connection will ask you to trust the certificate that is presented. However, there are occaisions where you would want to have the certificate available for import or reference. In that case, here are the basic steps (sorry, don't have a lot of time to do screen shots, but these will get you through the process):

    1. Make a remote desktop connection or log onto the console of a DC.
    2. Via powershell, launch the Microsoft Management Console by typing MMC and pressing enter
    3. From the FILE menu choose ADD/REMOVE SNAP-IN
    4. Choose CERTIFICATES and click the ADD button
    5. Choose COMPUTER ACCOUNT
    6. Choose LOCAL COMPUTER
    7. Click FINISH
    8. Click OK
    9. Expand the CERTIFICATES
    10. Expand PERSONAL
    11. Select the DC in the RIGHT WINDOW PANE
    12. Right Click on the DC
    13. Choose ALL TASKS - EXPORT
    14. Click NEXT (3 times)
    15. Name the certificate file (will be on the DC)
    16. Copy the file and import it when needed

    ReplyDelete
  3. I noticed while using Apache Directory Studio, I get a protocol error trying to connect with LDAPS 2012. I tested with my LDAPs 2008r2 implementation which works. I made user port 636 is open. Not sure what the deal is.

    ReplyDelete
  4. I've followed your steps - including reboot - but still no luck with 636.
    Microsoft diagnostic LDP.EXE just goes:

    ld = ldap_sslinit("localhost", 636, 1);
    Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
    Error 81 = ldap_connect(hLdap, NULL);
    Server error:
    Error <0x51>: Fail to connect to localhost.

    Any suggestion how to confirm that AD received a certificate from the CA ?

    ReplyDelete
    Replies
    1. Did you ever get this working, I'm having the same issue.

      Delete
  5. Jan, the certificate may be issued for the specific server name (Fully qualified domain name), not localhost. It might also be issued for the IP address, so you might have to try these with LDP.

    To verify if a certificate has been issued to the (or a server) server, go to the server that is acting as the CA, login as an admin equivalent (or escalate permissions) and go to server manager. Inside of server manager, do the following:

    1. Click on the TOOLS menu (upper right corner)
    2. Select Certification Authority
    3. Expand the certificate server in the CA console
    4. Click on ISSUED CERTIFICATES
    5. Look at the column titled ISSUED COMMON NAME to verify the names that have certificates issued

    ReplyDelete
  6. Thank you very much indeed for a clear and well written article! Server now setup and working a treat! Thanks again

    ReplyDelete
  7. I am trying to install a 3rd party certificate as we do not have AD CS installed, nor do we plan to. I have generated a CSR via http://support.microsoft.com/kb/321051 document and have installed the cert to the Personal store. I see it via the MMC instructions above.

    I get the same error as Jan Navratil got:

    ld = ldap_sslinit("svr.domain.com", 636, 1);
    Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
    Error 81 = ldap_connect(hLdap, NULL);
    Server error:
    Error <0x51>: Fail to connect to svr.domain.com.

    Where svr.domain.com is what the certificate was generated for.

    If I do a netstat -ona, 636 is listening by the pid that lsass.exe is running on.

    This seems overly complicated!

    Thanks!

    ReplyDelete
  8. Same problem as Jay and Jan. There is somthing listening under port 636 (tested via telnet) and the certificate is assigned to the domain controller but I cannot bind by any LDAP tool to SSL 636.

    ReplyDelete
    Replies
    1. John - was the certificate bound to the IP address of the server or the FQDN? Depending on how you are trying to access AD through LDAPS, you will see this error if the cert is not tied to one or the other.

      Delete
  9. This doesn't work in scenarios where you need a public certificate from a CA.

    ReplyDelete
  10. Jim - correct, this is for self-signed certificates only. I have adjusted the title to reflect this. I originally wrote this article because I do a lot of identity and access management implementations, and creating or modifying accounts in AD requires the use of LDAPS (636) for writing/changing passwords. This is a quick way to enable SSL without having to go through the process of purchasing a third-party cert. Of course, if you have a cert or wildcard cert, I would suggest using that instead of a self-signed certificate.

    ReplyDelete
  11. Thanks it worked perfectly :) !!!!!!!!!!!!!!!!!!!!!!!!

    ReplyDelete
  12. Please i need help . i have a new 5515 ASA and to add a server group i need LDAP to use with AD and am a bit stucked. Please help

    ReplyDelete
  13. When exporting a certificate, you need to ensure you export the private key. Otherwise, it will be unusable when importing it back.

    ReplyDelete
  14. I get this: ldap_bind(): Unable to bind to server: Can't contact LDAP server in

    only when using ldaps. Followed instructions exactly. Any tips to troubleshoot this?

    ReplyDelete
    Replies
    1. same issue that this guy has:
      http://stackoverflow.com/questions/22176924/php-on-iis-unable-to-bind-to-active-directory-over-ldaps/28950181#28950181

      Delete
    2. Never mind. I followed these steps and got things working:
      http://greg.cathell.net/php_ldap_ssl.html

      Delete
    3. This comment has been removed by the author.

      Delete
    4. Wanna give you the biggest shoutout for even mentioning this, greatly appreciated!!!! <3 haha

      Delete
  15. Thomas, to clarify for others, what did not work -- accessing Active Directory over LDAPS using a PHP program or script? Please note that the content of this article does not address any mechanisms for accessing Active Directory over LDAPS (PHP, Java, .NET, etc.); instead it covers how to setup a self-signed SSL certificate for using with LDAP in Active Directory.

    ReplyDelete
  16. Greg, my issuew is when I try to connect by apache ldap directory, witch certificate exported as you explaned, received this warning:
    The server's host name doesn't match the certificate's host name

    ReplyDelete
  17. Enrico, be sure that you use the same host name (fully qualified) in Apache that you generated the certificate for on the server. If you allowed it to autogenerate by just doing a reboot (domain controller certificate), then it used whatever the primary host name was set to on the DC. You might need to generate a certificate for the IP address and/or other DNS name manually.

    ReplyDelete
    Replies
    1. I understand tha my issue is because on the server was two certificates.
      I warkoround by disabled one certificate, left only the cert that i manually create as your guide.
      But my warried is if my domain work properly and the comunication beetwen client and server or, server-server, work properly.
      Can you help me?
      Thanks.

      Delete
    2. Greg, sorry but now I seen the log, and I need, that you give me, please, the instruction for generate IP address certificate for my AD.
      King regards.

      Delete
    3. Sorry, can someone help me?
      Regards

      Delete
  18. Awesome post, Greg, thanks!

    ReplyDelete
  19. Step by step details...really helped to configure ldaps in Active Directory. Thank you :) :)

    ReplyDelete
  20. this seems to be mainly about creating a certificate authority. I already have a certificate authority. which steps to I perform to enable LDAP over SSL on a different domain controller than the one that has the certificate authority?

    ReplyDelete
  21. Have we had experience setting this up in relation to https://asp.reflexion.net LDAPS?

    ReplyDelete
  22. how to add a user in AD server using php with SSL. please share php code which uses ssl and adds user to AD server

    ReplyDelete
  23. works great!! in first shot...thanks a lot

    ReplyDelete
  24. I had the same problems testing as a lot of other people did. What it turned out to be was a strange integration between Softerra's LDAP browser and the underlying browser and OS. You have to do some goofy tweaks behind the scene to get it to work with that product. However, if you see the port open and the cert is correctly configured, LDAPS is probably working fine, even though some tools don't connect properly with some certificates (GoDaddy's UCC, for example). I used LDP, and it worked fine. So Softerra's error was just a false positive. More reading here: http://www.tomshardware.com/forum/190372-46-binding-ldap

    ReplyDelete
  25. I did as you wrote here, but have error when try to connect. I checked and there is no issued certificates. What I did wrong? and how possible to fix it?

    ReplyDelete
  26. This comment has been removed by the author.

    ReplyDelete
  27. publisher 2007 cd key doesn't work , windows 7 pro key license key , upgrade key from starter to home basic , microsoft office project standard 2007 activation key , windows 7 ultimate sp1 keys , buy a windows 7 key , windows 10 activation error code 0xc004c003 , keygen windows 7 ultimate , tkjyct

    office 2016 product serial free

    windows 10 enterprise key

    office 2016 product key

    Windows 10 product key code sale

    office 2016 product key sale

    ReplyDelete
  28. Windows 7 is the most recommended OS to do almost all work without any problem, So I recommend you to activate your existing OS being purchased its license code from: ODosta Store
    Which is distributing license for almost all types of Microsoft Products with good customer support. I personally use it and have a good experience.
    You can upgrade your windows 7 or windows 8.1 pro to windows 10, But you can face some technical issues, So I recommend you to have clean installation of Windows 7 windows 8 or Windows 10 and activate it using legal license.

    ReplyDelete
  29. Hello Greg Pearson,
    Thank you very much for this article. Now i can connect on ldaps and make ldap search with my php scripts from my Linux box...

    ReplyDelete
  30. Hi. I'm new with Windows Server. Can I install this role in another server that's not the main DC? People told me is a best practice to not install another role than AD and DNS on a DC. Doing these instructions on a separated Windows Server would work for Access Manager? The software 'knows' where to find the CA? THANKS

    ReplyDelete
  31. We are a UK leased line provider with a price promise guarantee. We also offer you an instant leased line quote on our website.
    leased line providers

    ReplyDelete
  32. Thanks for your personal marvelous posting!

    I quite enjoyed reading it, you happen to be a great author.

    I will make sure to bookmark your blog and will often come back in the future.
    I want to encourage that you continue your great posts, have a nice weekend!

    ReplyDelete
  33. Nice and good article.. it is very useful for me to learn and understand easily.. thanks for sharing your valuable information and time.. please keep updating.more 
    php jobs in hyderabad.

    ReplyDelete
  34. How can unlock Active Directory accounts using slack? I would like to integrate slack with the AD through slack commands

    ndeyataapopi@gmail.com

    ReplyDelete
  35. Thank you for sharing this information. This article is very interesting and useful. Keep up the good work!

    Melbourne SEO Service

    ReplyDelete