LDAP Windows

Setup LDAPS on Windows Server

October 3, 2024
admin

Setting up LDAPS (LDAP over SSL/TLS) on a Windows Server involves several steps, including configuring the Active Directory Certificate Services (AD CS) to issue a certificate and binding that certificate to the LDAP service. Here’s a step-by-step guide:

Prerequisites

  • A Windows Server with Active Directory Domain Services (AD DS) installed.
  • Active Directory Certificate Services (AD CS) installed (if you need a Certificate Authority).
  • Administrative privileges on the server.

Step 1: Install Active Directory Certificate Services (AD CS)

  1. Open Server Manager: Click on “Manage” and then select “Add Roles and Features.”
  2. Role-Based Installation: Choose “Role-based or feature-based installation.”
  3. Select Server: Choose the server you want to configure.
  4. Select Server Roles: Check “Active Directory Certificate Services.”
  5. Install Features: Follow the prompts to install necessary features and complete the installation.

Step 2: Configure AD CS

  1. Post-Deployment Configuration: After installation, you’ll need to configure AD CS.
  2. Choose Certification Authority: Select “Certification Authority” and choose either Enterprise CA or Standalone CA (usually Enterprise CA for domain environments).
  3. Create a New CA: Follow the prompts to set up a new CA. Choose the appropriate options for your environment.
  4. Set Validity Period: Configure the validity period for the issued certificates.

Step 3: Request a Certificate for the Domain Controller

  1. Open MMC: Press Win + R, type mmc, and press Enter.
  2. Add Snap-in: Go to “File” > “Add/Remove Snap-in.”
  3. Select Certificates: Choose “Certificates” and click “Add.” Select “Computer account” and then “Local computer.”
  4. Expand Certificates: In the Certificates snap-in, navigate to “Personal” > “Certificates.”
  5. Request New Certificate: Right-click on “Certificates,” go to “All Tasks,” then “Request New Certificate.”
  6. Certificate Enrollment Wizard: Follow the wizard, selecting the appropriate certificate template (typically “Web Server”).
  7. Subject Name: Ensure that the subject name matches the Fully Qualified Domain Name (FQDN) of your domain controller (e.g., dc1.example.com).
  8. Complete the Request: After completing the request, the certificate will be issued and displayed in the Certificates store.

Step 4: Bind the Certificate to LDAP

  1. Open a Command Prompt: Run as Administrator.
  2. Use the ldapsutil Tool:
  • To bind the certificate, you need to use the following command:
   certutil -addstore "My" "<certificate thumbprint>"

Replace <certificate thumbprint> with the thumbprint of the newly issued certificate.

  1. Configure LDAP:
  • Open the Command Prompt and run the following command to enable LDAP over SSL:
   ldaps.exe /enable

Step 5: Test LDAPS

  1. Use LDP.exe: Open the LDP.exe tool (included in Windows Server).
  2. Connect to the Server:
  • Go to “Connection” > “Connect.”
  • Enter the FQDN of the domain controller and port 636, and check “SSL.”
  1. Bind to the Server:
  • Go to “Connection” > “Bind.”
  • Enter valid credentials for a user in the directory.
  1. Check for Successful Connection: If you see a successful connection message, LDAPS is set up correctly.

User Case Setup

The guide is divided into three sections:

  1. Creating a Windows Server VM in Azure
  2. Setting Up LDAP with AD LDS (Active Directory Lightweight Directory Services)
  3. Configuring LDAPS (LDAP over SSL)

Note: The steps outlined here are applicable for Windows Server versions 2008, 2012, 2012 R2, and 2016. This article will specifically focus on Windows Server 2012 R2.

Creating a Windows Server VM in Azure

  1. Create a VM named “ldapstest” using Windows Server 2012 R2 Datacenter Standard DS12 by following the instructions provided here: Create a Windows virtual machine with the Azure portal.
  2. Connect to the VM “ldapstest” using Remote Desktop Connection.

Setting Up LDAP with AD LDS

Next, we will install AD LDS on our VM “ldapstest”:

  1. Click on StartServer ManagerAdd Roles and Features. Click Next to continue.

Select Role-based or feature-based installation and then click Next.

Choose the ldapstest server from the server pool, then click Next.

Select Active Directory Lightweight Directory Services from the list of roles, then click Next.

From the list of features, leave everything unselected and click Next.

Click Next.

Click Install to begin the installation process.

Once the installation is complete, click Close.

Now that we have successfully set up the AD LDS role, let’s create a new AD LDS instance named “CONTOSO” using the wizard. Click on “Run the Active Directory Lightweight Directory Services Setup Wizard” on the previous screen, and then click Close.

Create a New AD LDS Instance “CONTOSO”

let’s create a new AD LDS instance

Select Unique Instance since this is the first time you are setting it up.

Enter CONTOSO as the Instance Name, then click Next.

By default, the LDAP port is set to 389 and the LDAPS port to 636. Let’s keep the default values and click Next.

Create a new Application Directory Partition with the name CN=MRS,DC=CONTOSO,DC=COM, then click Next.

Use the default values for the storage location of AD LDS files, then click Next.

Select Network Service Account for running the AD LDS service.

You will receive a warning prompt regarding data replication. Since we’re using a single LDAP server, click Yes to proceed.

Select the currently logged-on user as the administrator for the AD LDS instance, then click Next.

Select all the required LDIF files to import (mark all files), then click Next.

Verify that all your selections are correct, then click Next to confirm the installation.

Once the instance is set up successfully, click Finish.

Now, let’s connect to the AD LDS instance CONTOSO using ADSI Edit.

  1. Click on Start and search for ADSI Edit, then open it.
  2. Right-click on the ADSI Edit folder in the left pane and select Connect to….
  3. Fill in the required values, then click OK.

If the connection is successful, you will be able to browse the directory CN=MRS,DC=CONTOSO,DC=COM.

Setting Up LDAPS (LDAP over SSL)

The certificate used for LDAPS must meet the following three requirements:

  • Server Authentication: The certificate must be valid for server authentication, which means it must include the Server Authentication object identifier (OID): 1.3.6.1.5.5.7.3.1.
  • Subject Name Matching: The Subject name or the first entry in the Subject Alternative Name (SAN) must match the Fully Qualified Domain Name (FQDN) of the host machine, such as Subject: CN=contosoldaps. For more details, refer to How to add a Subject Alternative Name to a secure LDAP certificate.
  • Private Key Access: The host machine account must have access to the private key.

Now, let’s use Active Directory Certificate Services to create a certificate for LDAPS. If you already have a certificate that meets the above requirements, you can skip this step.

  1. Click on StartServer ManagerAdd Roles and Features.
  2. Click Next to proceed.

Select Role-based or feature-based installation and then click Next.

Choose the ldapstest server from the server pool, then click Next.

Select Active Directory Certificate Services from the list of roles, then click Next.

Leave the list of features unselected and click Next.

Click Next to continue.

Select Certificate Authority from the list of roles, then click Next.

Click Install to confirm the installation.

Once the installation is complete, click Close.

Create a Certificate Using the AD CS Configuration

Now, let’s create a certificate using the AD CS Configuration Wizard.

  1. Click on “Configure Active Directory Certificate Services on the destination server” in the previous screen, then click Close.
  2. Since the currently logged-on user, azureuser, belongs to the local Administrators group, you can use this account to configure the role services. Click Next to continue.

Select Certification Authority from the list of roles, then click Next.

Since this is a local setup without a domain, select Standalone CA. Then click Next.

Select Root CA as the type of CA, then click Next.

Since we do not have a private key, select the option to create a new one. Then click Next.

Select SHA1 as the hash algorithm, then click Next.

Enter LDAPSTEST as the name of the CA to match the hostname, then click Next.

Specify the validity period of the certificate by selecting the default option of 5 years, then click Next.

Select the default database locations, then click Next.

Click Configure to finalize the setup.

Once the configuration is successful, click Close.

Now, let’s view the generated certificate.

  1. Click on Start and search for Manage Computer Certificates, then open it.
  2. Navigate to PersonalCertificates and verify that the certificate named LDAPSTEST is present.

To ensure the host machine account has access to the private key, follow these steps:

  1. Open Command Prompt in Administrator mode.
  2. Run the following command to find the Unique Container Name:
   certutil -verifystore MY
  1. Look for the Unique Container Name in the output, which will help you verify access to the private key.

The private key will be located at:

C:\ProgramData\Microsoft\Crypto\Keys\<UniqueContainerName>

To add read permissions for NETWORK SERVICE:

  1. Navigate to the folder, for example:
   C:\ProgramData\Microsoft\Crypto\Keys\874cb49a696726e9f435c1888b69f317_d3e61130-4cd8-4288-a344-7784647ff8c4
  1. Right-click on the folder and select Properties.
  2. Go to the Security tab.
  3. Click Edit, then Add.
  4. In the dialog that appears, type NETWORK SERVICE and click Check Names to verify.
  5. Once verified, click OK.
  6. Select NETWORK SERVICE from the list and check the Read permission box.
  7. Click Apply, then OK to save your changes.

To import the certificate into the JRE keystore, you’ll first need to export it as a .CER file. Follow these steps:

  1. Click on Start and search for Manage Computer Certificates, then open it.
  2. Navigate to Personal and locate the LDAPSTEST certificate.
  3. Right-click on the LDAPSTEST certificate and select Export.
  4. Follow the prompts in the Certificate Export Wizard to export the certificate as a .CER file. Make sure to select the option to export the public key only.
  5. Choose a location to save the exported .CER file and complete the export process.

This opens the Certificate Export Wizard. Click Next to proceed.

Select the option to Not export the private key, then click Next.

Select Base-64 encoded X.509 (.CER) file format, then click Next.

Choose to export the .CER file to your Desktop, then click Next.

Click Finish to complete the certificate export process.

To import the certificate into the JRE keystore, follow these steps:

  1. Open Command Prompt in Administrator mode.
  2. Navigate to the JRE bin directory:
   cd "C:\Program Files\Java\jre1.8.0_92\bin\"
  1. Run the following command to import the certificate:
   keytool -importcert -alias "ldapstest" -keystore "C:\Program Files\Java\jre1.8.0_92\lib\security\cacerts" -storepass changeit -file "C:\Users\azureuser\Desktop\ldapstest.cer"
  1. When prompted, type “yes” to trust the certificate, then press Enter.

The certificate will now be imported into the JRE keystore.

To connect to the LDAP server using the ldp.exe tool:

  1. Type “yes” in the Trust this certificate prompt when prompted.
  2. Once the certificate is successfully added to the JRE keystore, you can connect to the LDAP server over SSL.

Now, let’s connect to the LDAP server using ldp.exe:

  1. Click on Start and search for ldp.exe, then open it.
  2. Go to Connection in the menu, then select Connect.
  3. Fill in the following parameters:
  • For LDAP connection:
    • Server: ldapstest
    • Port: 389
  • For LDAPS connection:
    • Server: ldapstest
    • Port: 636
  1. Click OK to connect.

You should be able to connect to the LDAP server with both the LDAP and LDAPS protocols.

If the connection is successful, you will see a message in the ldp.exe tool indicating that the connection has been established. This message typically includes:

  • Connected to ldapstest:389 (for LDAP) or Connected to ldapstest:636 (for LDAPS).
  • Additional information about the connection status and any relevant details.

You should also see the server’s response confirming the successful bind to the LDAP server.

To connect to LDAPS (LDAP over SSL):

  1. In the ldp.exe tool, go to ConnectionConnect.
  2. Enter the following parameters:
  • Server: ldapstest
  • Port: 636
  • Check the box for SSL.
  1. Click OK to connect.

If the connection is successful, you will see a message confirming the secure connection to the LDAP server.

If the connection is successful, you will see a message in the ldp.exe tool indicating that the connection has been established. The message typically includes:

  • Connected to ldapstest:636 (for LDAPS)
  • Confirmation that the connection is secure
  • Any relevant details about the connection status

Additionally, you might see a successful bind message, confirming that you are connected to the LDAP server over SSL.

Leave a Reply

Your email address will not be published. Required fields are marked *