Appendix A: Configuring LDAP over SSL Requirements for AD LDS
Applies To: Windows Server 2008
The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory Lightweight Directory Services (AD LDS). By default, LDAP traffic is not transmitted securely. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology.
To enable SSL-based encrypted connections to AD LDS, you must request and obtain a server authentication certificate from a trusted certification authority (CA) in your organization or from a trusted third-party CA. For more information about installing and using a CA, see Certificate Services (https://go.microsoft.com/fwlink/?LinkID=48952).
Configuring LDAP over SSL on a stand-alone AD LDS Server
The general steps for configuring LDAP over SSL (LDAPS) on a stand-alone AD LDS server are as follows:
Step 1: Install a server authentication certificate
Step 2: Configure permissions on the server authentication certificate
Step 3: Connect to the AD LDS instance over LDAPS using Ldp.exe
Step 1: Install a server authentication certificate
After you obtain the certificate from a trusted CA, you must install it or import it onto the server running AD LDS. You can use the Windows Server 2008 Certificates snap-in to install or import your certificates. For more information, see Certificates How To (https://go.microsoft.com/fwlink/?LinkId=99765).
When you install or import a certificate from a trusted CA onto the computer running AD LDS, we recommend that you store the certificate in the AD LDS service's personal store. However, if you want to use the certificate for applications other than AD LDS, you must store this certificate in the local computer personal certificate store.
Important
The certificate that you install or import must be marked for server authentication.
When you request the certificate, specify the fully qualified domain name (FQDN) of the computer on which your AD LDS instance is running as the identifying name for the certificate. In other words, the server authentication certificate must be issued to the FQDN of the computer on which your AD LDS instance is running.
Note
To identify the name requirements of server authentication certificates for AD LDS instances behind Network Load Balancing (NLB), see "Configuring LDAP over SSL for AD LDS instances behind Network Load Balancing" later in this guide.
To verify that the certificate is stored under the AD LDS instance's personal store
Click Start, right-click Command Prompt, and then click Run as administrator.
Type mmc to open Microsoft Management Console (MMC).
Click File, click Add/Remove Snap-in, select the Certificates snap-in in Available snap-ins, and then click Add.
In Add or Remove Snap-ins, select Service account to view the certificates that are stored in the AD LDS instance's personal store, and then click Next.
In Add or Remove Snap-ins, select Local computer, and then click Next.
In Service account, select the name of the AD LDS instance to which you want to connect over LDAPS, and then click Finish.
In Add or Remove Snap-ins, click OK.
In the console tree, expand Certificates - Service, expand ADAM_instance_name\Personal, and then expand Certificates.
Locate the installed or imported certificate. In the details pane, verify that the certificate is marked for Server Authentication in the Intended Purposes column. In the details pane, verify that the computer's fully qualified host name appears in the Issued To column.
For more information about installing server authentication certificates from either a Microsoft CA) or a non-Microsoft CA, see How to enable LDAP over SSL with a third-party certification authority (https://go.microsoft.com/fwlink/?LinkID=15129).
Step 2: Configure permissions on the server authentication certificate
Before you attempt to use the server authentication certificate with AD LDS, you must ensure that the service account under which the AD LDS instance is running has Read access to the certificate that you installed or imported.
Note
By default, AD LDS instances are installed to run under the Network service account. You can select (modify) the service account under which your AD LDS instance is installed on the Service Account Selection page of the Active Directory Lightweight Directory Services Setup Wizard.
To grant the Read permission on the server authentication certificate to the Network service account
Navigate to the following default directory where the installed or imported certificates are stored:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
Right-click the appropriate server authentication certificate, and then click Properties.
On the Security tab, click Edit.
In the Permissions dialog box, click Add.
In the Select Users, Computers, or Groups dialog box, type Network Service, and then click OK.
Step 3: Connect to the AD LDS instance over LDAPS using Ldp.exe
To test your server authentication certificate, you can open Ldp.exe on the computer that is running the AD LDS instance and then connect to this AD LDS instance that has the SSL option enabled.
To connect to the AD LDS instance over LDAPS using Ldp.exe
Click Start, and then click Server Manager.
In the console tree, double-click Roles, and then click Active Directory Lightweight Directory Services.
In the details pane, under Advanced Tools, click Ldp.exe.
On the Connection menu, click Connect.
In Server, type the FQDN of the computer that is running your AD LDS instance.
Note
To avoid errors when you use Ldp.exe to connect to an AD LDS instance over SSL, you must specify the FQDN of the computer on which your AD LDS instance is running.
In Port, type the SSL communication port number that the AD LDS instance to which you want to connect is using.
Verify that the SSL check box is selected, and then click OK.
Important
You can also use this procedure to connect to the AD LDS instance over LDAPS from a client computer. In this scenario, the client must trust the server authentication certificate that is installed on the server that is running your AD LDS instance. You can achieve this trust by adding the root certificate from the same trusted CA that issued the AD LDS server authentication certificate to the Trusted Root Certification Authorities store on the client computer.
Configuring LDAP over SSL for AD LDS instances behind Network Load Balancing
AD LDS supports NLB with LDAPS when AD LDS is running on Windows Server 2008. You can use the previous procedures to enable LDAPS for AD LDS behind NLB. However, your server authentication certificates must meet the following requirements:
So that AD LDS can select the correct certificate to hand out to clients, the certificate must be located in the AD LDS service's Personal store (programmatically known as the computer's MY certificate store) and no other certificates must be stored in this AD LDS service's Personal store.
When you request a server authentication certificate for AD LDS instances that are running behind NBL, verify that the certificate is issued to (that is, the certificate's identifying name is) the common (shared) host names and DNS suffixes that constitute the FQDNs of all the servers on which the AD LDS instances behind NBL are running.
For example, when you request a server authentication certificate for AD LDS instances running behind NLB on two Windows Server 2008 servers with FQDNs of 01ADLDS.contoso.com and 02ADLDS.contoso.com, verify that the certificate is issued to *ADLDS.contoso.com.
Or, for example, when you request a server authentication certificate for AD LDS instances running behind NLB on three Windows Server 2008 servers with FQDNs of ADLDS01.contoso.com, ADLDS02.contoso.com, and ADLDS03.contoso.com, verify that the certificate is issued to *.contoso.com.