Monday, November 19, 2012

Enabling LDAP SSL in Windows 2012 (Self-Signed Certificates)



As expected with Microsoft Windows Server 2012 and Active Directory, the interface and methods for managing certain functions have changed.  One thing I often have to do when interfacing with AD through LDAP is enable a Certificate Authority role in the AD environment so that we can connect to and manage objects through LDAP over SSL.

Although this is no more complicated than in Windows Server 2008, it looks different because everything is now managed through Server Administrator, the new built-in utility for managing all aspects of Windows Server 2012.  Fortunately, I took the time to capture screenshots and document the process of enabling a Certificate Authority on a DC, which I have outlined below.  Please note that in order for DCs to receive certificates, they will most likely need to be rebooted.

1.  Log on to the server that you intend to add the CA role to (in my case this was a DC).
2.  Launch the Server Administrator tool (if it did not launch automatically) to get to the dashboard.
3.  In Server Administrator, select ADD ROLES AND FEATURES from the MANAGE menu.  You will be prompted with a dialog box to confirm that you want to add roles through the wizard.  Click NEXT.
4.  You will be prompted to select the installation type; choose ROLE-BASED OR FEATURE-BASED INSTALLATION.  Click NEXT.
5.  You will be prompted to select the server to install the role on.  Select the server in the selection list and then click NEXT.
6.  Select the ROLE that you want to install.  In this case, select CERTIFICATE SERVICES and click NEXT.
7.  You will see a dialog box prompting you for additional features.  Click NEXT.
8.  Next, you will receive a notification that after installing Certificate Services, the domain and server cannot be modified.  Click NEXT.
9.  You will be prompted to select the specific Role Services within the Certificate Services role that you want to enable.  Leave CERTIFICATION AUTHORITY checked and click NEXT.
10.  Next you will be asked whether to restart the server if it is required after install.  Make your selection and click NEXT.
11.  After clicking NEXT, the installation of the role will begin.
12.  Once the installation has finished, a new role block will appear in the Server Administrator dashboard.  Click NEXT to continue.
13.  After completing PART 1, you will be returned to a completion screen showing that the Certificate Services role has been installed successfully.  Click on CONFIGURE ACTIVE DIRECTORY CERTIFICATE SERVICES ON DESTINATION SERVER.
14.  Verify that you are using the proper credentials to configure the Certificate Services role; if not, change to the proper account.  Click NEXT.
15.  Again, select the specific function of Certificate Services to configure.  Leave Certification Authority selected and click NEXT.
16.  Specify the Setup Type for the Certification Authority - choose ENTERPRISE CA and click NEXT.
17.  Next, specify the Type of CA.  Select ROOT CA and click NEXT.
18.  Next, specify the private key to be created.  Select NEW PRIVATE KEY and click NEXT.
19.  Next, leave the cryptography as it is and click NEXT.
20.  Next, specify the Certificate Name.  I recommend leaving it as the default, as it names the CA after the domain and the server that you are installing it on.  Click NEXT.
21.  Specify the Validity Period.  The default is 5 years; I recommend 25 years so that you will not have to recertify for quite a while.
22.  Next you will need to specify where to store the certification database.  Again, I recommend leaving the default settings.  Click NEXT.
23.  Verify your configuration settings, and click CONFIGURE.
24.  The configuration will run (it should only take a few seconds), and then a confirmation message indicating that the Certificate Services installation SUCCEEDED should appear.  Click CLOSE.
25.  You will be returned to the Roles and Features installation wizard.  Click CLOSE.
26.  Reboot the server so that it receives a certificate from the CA.
27.  Test connecting to the server via an LDAP browser tool, such as Apache Directory Studio.  Connect using LDAPS and port 636.  If you can browse the tree, then the LDAP SSL installation was successful.
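The same installation, driven from PowerShell instead of the wizard.  This is an added example and not part of the original post: it uses the ServerManager and ADCSDeployment cmdlets that ship with the role, maps each parameter back to the wizard step it replaces, and the CA name is a placeholder you should replace with your own.

```powershell
# Added example, not from the original post: the wizard steps above driven
# from an elevated PowerShell session on the server that will host the CA.
# $caName is a placeholder; the wizard's default (step 20) is "<domain>-<server>-CA".
$caName = "CONTOSO-DC01-CA"

# Steps 3-12: add the Certification Authority role service and its console.
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# Steps 13-24: configure an Enterprise Root CA with a new private key.
# CACommonName = step 20; ValidityPeriodUnits = step 21 (wizard default is 5);
# the database and log locations stay at their defaults, as in step 22.
Import-Module ADCSDeployment
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCa `
    -CACommonName $caName `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 25 `
    -Force

# Step 26: a DC only answers on 636 once it holds a certificate from the CA.
# The article reboots for this; on a running DC, asking the autoenrollment
# client to run now has the same effect without the restart.
certutil -pulse

# Step 27: give enrollment a moment, then confirm the DC holds a certificate
# issued by the new CA that carries the Server Authentication EKU
# (1.3.6.1.5.5.7.3.1), which is what LDAPS on port 636 will present.
Start-Sleep -Seconds 30
$ldapsCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.Issuer -like "CN=$caName*" -and
        $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1'
    }
if ($ldapsCert) {
    $ldapsCert | Format-List Subject, Issuer, NotAfter, Thumbprint
} else {
    Write-Warning "No certificate from $caName yet; reboot the DC (step 26) and check again."
}
```

Run it once; `Install-AdcsCertificationAuthority` refuses to run a second time on a server that already has a CA configured, which is the same irreversibility the step 8 notice warns about.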



123 comments:

  1. How do we download the Certificate to use with LDAPS?

  2. Great question Josh! Most of the time, the software or system that you are using to access AD through a secure LDAP connection will ask you to trust the certificate that is presented. However, there are occasions where you would want to have the certificate available for import or reference. In that case, here are the basic steps (sorry, don't have a lot of time to do screen shots, but these will get you through the process):

    1. Make a remote desktop connection or log onto the console of a DC.
    2. Via powershell, launch the Microsoft Management Console by typing MMC and pressing enter
    3. From the FILE menu choose ADD/REMOVE SNAP-IN
    4. Choose CERTIFICATES and click the ADD button
    5. Choose COMPUTER ACCOUNT
    6. Choose LOCAL COMPUTER
    7. Click FINISH
    8. Click OK
    9. Expand the CERTIFICATES
    10. Expand PERSONAL
    11. Select the DC in the RIGHT WINDOW PANE
    12. Right Click on the DC
    13. Choose ALL TASKS - EXPORT
    14. Click NEXT (3 times)
    15. Name the certificate file (will be on the DC)
    16. Copy the file and import it when needed

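The same export done from PowerShell rather than the MMC snap-in, as an added example that is not from the post or its author; the output folder is a placeholder. It also exports the CA's root certificate, which is usually the better thing to hand to an LDAP client: trusting the root validates every DC certificate the CA issues, including renewals, instead of pinning one server certificate.

```powershell
# Added example, not from the original post: export the DC's LDAPS
# certificate and the CA root from the local machine store.  Run on the DC.
# $exportDir is a placeholder.
$exportDir = "C:\Temp"
New-Item -ItemType Directory -Path $exportDir -Force | Out-Null

# The DC's own certificate: the one port 636 presents.  It carries the
# Server Authentication EKU (1.3.6.1.5.5.7.3.1); take the newest if several.
$dcCert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1
if (-not $dcCert) {
    throw "No Server Authentication certificate in the machine store; has the DC enrolled yet?"
}

# Public certificate only (DER-encoded .cer).  The private key stays on the DC;
# a client needs nothing more than this to validate the LDAPS endpoint.
Export-Certificate -Cert $dcCert -FilePath (Join-Path $exportDir 'dc-ldaps.cer') -Type CERT

# The CA root that issued it: self-signed, so Subject equals Issuer, and the
# Subject equals the DC certificate's Issuer.
$caRoot = Get-ChildItem Cert:\LocalMachine\Root |
    Where-Object { $_.Subject -eq $_.Issuer -and $_.Subject -eq $dcCert.Issuer } |
    Select-Object -First 1
Export-Certificate -Cert $caRoot -FilePath (Join-Path $exportDir 'ca-root.cer') -Type CERT

# Non-Windows clients (Apache Directory Studio, OpenLDAP, PHP) generally want PEM.
$pem = "-----BEGIN CERTIFICATE-----`n" +
       [Convert]::ToBase64String($caRoot.RawData, 'InsertLineBreaks') +
       "`n-----END CERTIFICATE-----"
Set-Content -Path (Join-Path $exportDir 'ca-root.pem') -Value $pem -Encoding ascii

Get-ChildItem $exportDir | Select-Object Name, Length
```

Copy `ca-root.pem` (or `.cer`) to the client and add it to that client's trust store; the per-server `dc-ldaps.cer` is only needed when a tool insists on the exact server certificate.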
  3. I noticed while using Apache Directory Studio, I get a protocol error trying to connect with LDAPS 2012. I tested with my LDAPS 2008 R2 implementation, which works. I made sure port 636 is open. Not sure what the deal is.

  4. I've followed your steps - including reboot - but still no luck with 636.
    Microsoft diagnostic LDP.EXE just goes:

    ld = ldap_sslinit("localhost", 636, 1);
    Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
    Error 81 = ldap_connect(hLdap, NULL);
    Server error:
    Error <0x51>: Fail to connect to localhost.

    Any suggestion how to confirm that AD received a certificate from the CA ?

    1. Did you ever get this working? I'm having the same issue.

  5. Jan, the certificate may be issued for the specific server name (Fully qualified domain name), not localhost. It might also be issued for the IP address, so you might have to try these with LDP.

    To verify if a certificate has been issued to the server (or a server), go to the server that is acting as the CA, log in as an admin equivalent (or escalate permissions) and go to server manager. Inside of server manager, do the following:

    1. Click on the TOOLS menu (upper right corner)
    2. Select Certification Authority
    3. Expand the certificate server in the CA console
    4. Click on ISSUED CERTIFICATES
    5. Look at the column titled ISSUED COMMON NAME to verify the names that have certificates issued

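The check Greg describes, scripted, together with the client-side checks that tell "no certificate yet" apart from "certificate issued for a different name", which is the distinction behind the Error 81 reports in the thread. This is an added example, not from the post or its author; the DC name is a placeholder.

```powershell
# Added example, not from the original post: did the DC get a certificate,
# and is it the one clients expect?  $dcFqdn is a placeholder for the
# domain controller's fully qualified name.
$dcFqdn = "dc01.contoso.local"

# 1. On the CA server: the scripted form of the ISSUED CERTIFICATES view.
#    Disposition 20 means "issued"; CommonName is the "Issued Common Name" column.
certutil -view -restrict "Disposition=20" -out "RequestID,RequesterName,CommonName,NotAfter"

# 2. From any domain member: complete a TLS handshake on 636 and report what
#    the DC presented.  The callback accepts everything so the certificate can
#    be inspected; trust and name matching are then evaluated explicitly.
function Test-LdapsCertificate {
    param([string]$ComputerName, [int]$Port = 636)

    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($ComputerName)   # throws if nothing speaks TLS on the port
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Subject Alternative Name (OID 2.5.29.17): this, not the CN, is what a
        # client compares the host name against.  Empty if the cert has no SAN.
        $san = ($cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } |
                ForEach-Object { $_.Format($false) }) -join '; '

        # Does the name we connected with appear in the cert?  "localhost" or a
        # bare IP address fails here unless the cert was issued for it.
        $pattern = [regex]::Escape($ComputerName)
        $nameMatches = ($san -match "DNS Name=$pattern") -or ($cert.Subject -match "CN=$pattern")

        # Does the chain lead to a CA this machine trusts?
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainTrusted = $chain.Build($cert)

        [pscustomobject]@{
            Subject        = $cert.Subject
            Issuer         = $cert.Issuer
            NotAfter       = $cert.NotAfter
            SubjectAltName = $san
            NameMatches    = $nameMatches
            ChainTrusted   = $chainTrusted
            ChainStatus    = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        }
    } finally {
        $tcp.Close()
    }
}
Test-LdapsCertificate -ComputerName $dcFqdn

# 3. A real LDAPS bind with the caller's domain credentials: the same
#    ldap_sslinit / ldap_connect sequence LDP.EXE prints.  LDP's Error 81
#    (LDAP_SERVER_DOWN) surfaces here as an LdapException.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($dcFqdn, 636)
$connection = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$connection.SessionOptions.SecureSocketLayer = $true
$connection.SessionOptions.ProtocolVersion   = 3
try {
    $connection.Bind()
    "LDAPS bind to ${dcFqdn}:636 succeeded"
} finally {
    $connection.Dispose()
}
```

Read the three results together: an exception in step 2 means the DC has no usable certificate at all (nothing is listening with TLS); `NameMatches = False` with a successful handshake means the certificate exists but was issued for a different name than the one the client uses; `ChainTrusted = False` means the client does not trust the issuing CA and needs its root certificate.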
  6. Thank you very much indeed for a clear and well written article! Server now setup and working a treat! Thanks again

  7. I am trying to install a 3rd party certificate as we do not have AD CS installed, nor do we plan to. I have generated a CSR via http://support.microsoft.com/kb/321051 document and have installed the cert to the Personal store. I see it via the MMC instructions above.

    I get the same error as Jan Navratil got:

    ld = ldap_sslinit("svr.domain.com", 636, 1);
    Error 0 = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, 3);
    Error 81 = ldap_connect(hLdap, NULL);
    Server error:
    Error <0x51>: Fail to connect to svr.domain.com.

    Where svr.domain.com is what the certificate was generated for.

    If I do a netstat -ona, 636 is listening by the pid that lsass.exe is running on.

    This seems overly complicated!

    Thanks!

  8. Same problem as Jay and Jan. There is something listening on port 636 (tested via telnet) and the certificate is assigned to the domain controller but I cannot bind by any LDAP tool to SSL 636.

    1. John - was the certificate bound to the IP address of the server or the FQDN? Depending on how you are trying to access AD through LDAPS, you will see this error if the cert is not tied to one or the other.

  9. This doesn't work in scenarios where you need a public certificate from a CA.

  10. Jim - correct, this is for self-signed certificates only. I have adjusted the title to reflect this. I originally wrote this article because I do a lot of identity and access management implementations, and creating or modifying accounts in AD requires the use of LDAPS (636) for writing/changing passwords. This is a quick way to enable SSL without having to go through the process of purchasing a third-party cert. Of course, if you have a cert or wildcard cert, I would suggest using that instead of a self-signed certificate.

  11. Thanks it worked perfectly :) !!!!!!!!!!!!!!!!!!!!!!!!

  12. Please, I need help. I have a new 5515 ASA and to add a server group I need LDAP to use with AD and am a bit stuck. Please help.

  13. When exporting a certificate, you need to ensure you export the private key. Otherwise, it will be unusable when importing it back.

  14. I get this: ldap_bind(): Unable to bind to server: Can't contact LDAP server in

    only when using ldaps. Followed instructions exactly. Any tips to troubleshoot this?

    1. same issue that this guy has:
      http://stackoverflow.com/questions/22176924/php-on-iis-unable-to-bind-to-active-directory-over-ldaps/28950181#28950181

    2. Never mind. I followed these steps and got things working:
      http://greg.cathell.net/php_ldap_ssl.html

    4. Wanna give you the biggest shoutout for even mentioning this, greatly appreciated!!!! <3 haha

  15. Thomas, to clarify for others, what did not work -- accessing Active Directory over LDAPS using a PHP program or script? Please note that the content of this article does not address any mechanisms for accessing Active Directory over LDAPS (PHP, Java, .NET, etc.); instead it covers how to set up a self-signed SSL certificate for use with LDAP in Active Directory.

  16. Greg, my issue is when I try to connect via Apache LDAP directory, with the certificate exported as you explained, I receive this warning:
    The server's host name doesn't match the certificate's host name

  17. Enrico, be sure that you use the same host name (fully qualified) in Apache that you generated the certificate for on the server. If you allowed it to autogenerate by just doing a reboot (domain controller certificate), then it used whatever the primary host name was set to on the DC. You might need to generate a certificate for the IP address and/or other DNS name manually.

    1. I understand that my issue is because there were two certificates on the server.
      I worked around it by disabling one certificate, leaving only the cert that I manually created as in your guide.
      But my worry is whether my domain works properly and the communication between client and server, or server to server, works properly.
      Can you help me?
      Thanks.

    2. Greg, sorry, but now I have seen the log, and I need you to give me, please, the instructions to generate an IP address certificate for my AD.
      Kind regards.

    3. Sorry, can someone help me?
      Regards

  18. Awesome post, Greg, thanks!

  19. Step by step details...really helped to configure ldaps in Active Directory. Thank you :) :)

  20. This seems to be mainly about creating a certificate authority. I already have a certificate authority. Which steps do I perform to enable LDAP over SSL on a different domain controller than the one that has the certificate authority?

  21. Have we had experience setting this up in relation to https://asp.reflexion.net LDAPS?

  22. How do I add a user to an AD server using PHP with SSL? Please share PHP code which uses SSL and adds a user to the AD server.

  23. works great!! in first shot...thanks a lot

  24. I had the same problems testing as a lot of other people did. What it turned out to be was a strange integration between Softerra's LDAP browser and the underlying browser and OS. You have to do some goofy tweaks behind the scene to get it to work with that product. However, if you see the port open and the cert is correctly configured, LDAPS is probably working fine, even though some tools don't connect properly with some certificates (GoDaddy's UCC, for example). I used LDP, and it worked fine. So Softerra's error was just a false positive. More reading here: http://www.tomshardware.com/forum/190372-46-binding-ldap

  25. I did as you wrote here, but I get an error when I try to connect. I checked and there are no issued certificates. What did I do wrong, and how can I fix it?

  27. Hello Greg Pearson,
    Thank you very much for this article. Now i can connect on ldaps and make ldap search with my php scripts from my Linux box...

  28. Hi. I'm new to Windows Server. Can I install this role on another server that's not the main DC? People told me it is a best practice not to install any role other than AD and DNS on a DC. Would doing these instructions on a separate Windows Server work for Access Manager? Does the software 'know' where to find the CA? THANKS

  30. How can unlock Active Directory accounts using slack? I would like to integrate slack with the AD through slack commands

    ndeyataapopi@gmail.com
