LDAP over SSL (LDAPS) Certificate
<html> <body> <span style="font-size:8px"><span style="font-size:10px">Applies to Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012</span><br> </span><span style="font-size:10px"><br> [TOC]</span><br>
<h4><a name="Reasons">Reasons for Enabling LDAPS</a></h4>
By default, LDAP communications between client and server applications are not encrypted. This means that it is possible to use a <a title="Link to Wikipedia definition of network monitoring" href="http://en.wikipedia.org/wiki/Network_monitoring" target="_blank"> network monitoring</a> device or software to view the communications traveling between LDAP client and server computers. This is especially problematic when an LDAP simple bind is used, because the credentials (username and password) are passed over the network unencrypted, which could quickly lead to the compromise of those credentials.<br>
<blockquote><span style="color:rgb(31,73,125); background-color:rgb(238,236,225)"><strong style="background-color:rgb(191,191,191)">Note</strong> </span><span style="background-color:rgb(238,236,225)">Only LDAP data transfers are exposed. Other authentication or authorization data using Kerberos, SASL, and even NTLM have their own encryption systems.
The Microsoft Management Console (MMC) snap-ins, since <a title="LDAP sign and seal" href="http://support.microsoft.com/kb/811422" target="_blank"> Windows 2000 SP4, have used LDAP sign and seal</a> or <a title="Link to definition on Wikipedia" href="http://en.wikipedia.org/wiki/Simple_Authentication_and_Security_Layer" target="_blank"> Simple Authentication and Security Layer (SASL)</a>, and </span><a title="How Active Directory Replication works" href="http://technet.microsoft.com/en-us/library/cc772726%28WS.10%29.aspx" style="background-color:rgb(238,236,225)">replication between domain controllers is encrypted using Kerberos</a>.<br> </blockquote>
Reasons for enabling Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) / Transport Layer Security (TLS), also known as LDAPS, include:<br>
<ul> <li>Some applications authenticate with Active Directory Domain Services (AD DS) through simple BIND. Because simple BIND exposes the users' credentials in clear text, use of Kerberos is preferred. If simple BIND is necessary, using SSL/TLS to encrypt the authentication session is strongly recommended. </li><li>Use of proxy binding or password change over LDAP, which requires LDAPS (e.g. <a title="Bind to an AD LDS instance with a proxy object" href="http://technet.microsoft.com/en-us/library/cc794922%28WS.10%29.aspx" target="_blank"> Bind to an AD LDS Instance Through a Proxy Object</a>). </li><li>Some applications that integrate with LDAP servers (such as Active Directory or Active Directory Domain Controllers) require encrypted communications. To encrypt LDAP communications in a Windows network, you can enable LDAP over SSL (LDAPS). </li></ul>
<blockquote><span style="color:rgb(0,0,0); background-color:rgb(238,236,225)"><span style="color:rgb(255,0,0); background-color:rgb(191,191,191)"><strong>Warning</strong></span> Before you install a certification authority (CA), you should be aware that you are creating or extending a public key infrastructure (PKI).
Be sure to design a PKI that is appropriate for your organization. See <a title="TechNet Wiki article on designing a PKI infrastructure" href="http://social.technet.microsoft.com/wiki/contents/articles/pki-design-brief-overview.aspx" target="_blank"> PKI Design Brief Overview</a> for additional information.</span><br> </blockquote> <br>
<h4><a name="SingleTierLDAPS">Enabling LDAPS for domain controllers using a single-tier CA hierarchy</a></h4>
LDAP over SSL/TLS (LDAPS) is automatically enabled when you install an Enterprise Root CA on a domain controller (although installing a CA on a domain controller is not a recommended practice). You can see examples of this in the <a title="Base TLG for Windows Server 2008 R2" href="http://technet.microsoft.com/en-us/library/gg314535%28WS.10%29.aspx" target="_blank"> Test Lab Guide Base Configuration for Windows Server 2008 R2</a>, <a title="Building an Enterprise Root CA for small and medium businesses" href="http://technet.microsoft.com/en-us/library/cc875810.aspx" target="_blank"> Building an Enterprise Root Certification Authority in Small and Medium Businesses</a>, and <a title="Blog on installing Enterprise Root CA using Windows Server 2008 R2" href="http://araihan.wordpress.com/2009/10/05/windows-server-2008-active-directory-certificate-services-ad-cs/" target="_blank"> Install and configure Microsoft Active Directory Certificate Services (AD CS) using Windows Server 2008 R2</a>.<br> <br>
<h4><a name="MultiTierLDAPS">Enabling LDAPS for domain controllers using a multi-tier CA hierarchy</a></h4>
When you have a multi-tier (such as a two-tier or three-tier) CA hierarchy, you will not automatically have the appropriate certificate for LDAPS authentication on the domain controller. To enable LDAPS in a multi-tier CA hierarchy, you must request a certificate that meets the following requirements:<br>
<ul> <li>The certificate must be valid for the purpose of Server Authentication.
This means that it must also contain the Server Authentication object identifier (OID): 1.3.6.1.5.5.7.3.1. </li><li>The Subject name or the first name in the Subject Alternative Name (SAN) must match the <a title="Definition of FQDN on Wikipedia" href="http://en.wikipedia.org/wiki/FQDN" target="_blank"> Fully Qualified Domain Name (FQDN)</a> of the host machine, such as Subject:CN=server1.contoso.com. For more information, see <a title="Explains adding a SAN to a LDAPS certificate" href="http://support.microsoft.com/kb/931351" target="_blank"> How to add a Subject Alternative Name to a secure LDAP certificate</a>. </li><li>The host machine account must have access to the private key. </li></ul>
<h5><span><a name="CustomServerAuthCert">Publishing a Certificate that Supports Server Authentication</a></span></h5>
<ol> <li>On the issuing Certification Authority computer, open the Certificates console or the Certsrv console. To open Certsrv, click <strong>Start</strong>, type <strong>certsrv.msc</strong>, and then click <strong>OK</strong>. </li><li>Ensure that <strong>Certification Authority</strong> is expanded, as well as the name of the certification authority. </li><li>Right-click <strong>Certificate Templates</strong> and then click <strong>Manage</strong>. <a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/1581.ManageCertificates.JPG"> <img alt="Manage in Certificates Console" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/1581.ManageCertificates.JPG" style="margin:2px; border:1px solid rgb(0,0,0); width:336px; height:273px; vertical-align:middle"></a> </li><li>In the <strong>Certificate Templates Console</strong>, right-click <strong>Kerberos Authentication</strong> and then select <strong>Duplicate Template</strong>. You don't have to use the Kerberos template.
You can create your own or use one of the existing templates that has Server Authentication as a purpose, such as <strong>Domain Controller Authentication</strong>, <strong>Domain Controller</strong>, <strong>Web Server</strong>, or <strong>Computer</strong>. Important: You should plan on having <strong>only</strong> one certificate on each LDAP server (i.e. domain controller or AD LDS computer) with the purpose of <strong>Server Authentication</strong>. If you have legitimate reasons for using more than one, you may end up having certificate selection issues, which are discussed further in <a name="NTDScert" href="#AD_DS_Certificate_Storage">Active Directory Domain Services Certificate Storage</a>. <a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/0702.DuplicateTemplate.JPG"> <img alt="Duplicate Template" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/0702.DuplicateTemplate.JPG" style="margin:2px; border:1px solid rgb(0,0,0)"></a> </li><li>On the <strong>Duplicate Template</strong> dialog box, leave the default <strong>Windows Server 2003 Enterprise</strong> selected and then click <strong>OK</strong>. </li><li>The <strong>Properties of New Template</strong> dialog box appears. Ensure that the settings are as you want them to be for this certificate template.
Pay close attention to ensure that the <strong>Template display name</strong> is set to an appropriate name, along with the following settings: <ul> <li>Validity and renewal periods are set according to your organization's security policy </li><li>Key lengths are appropriate </li><li>Select whether you want to publish the certificate in Active Directory </li><li>Subject Name tab: DNS name and Service principal name (SPN) are selected </li><li>If you plan to import the certificate into the Active Directory Domain Services certificate store, you should also mark the private key as exportable. <a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/2072.PrivateKeyExportable.JPG"><img alt="Allow private key to be exported" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/2072.PrivateKeyExportable.JPG" style="margin:2px; border:0px solid currentColor; width:384px; height:499px"></a> </li></ul> </li><li>Click <strong>OK</strong>. </li><li>Return to the Certificates or Certsrv console and, in the details pane of <strong>Certificate Templates</strong>, right-click an open area of the console, click <strong>New</strong>, and then click <strong>Certificate Template to Issue</strong>. <a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/1513.NewCertTemplateToIssue.JPG"> <img alt="Certificate Template to Issue" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/1513.NewCertTemplateToIssue.JPG" style="margin:2px; border:1px solid rgb(0,0,0); vertical-align:middle"></a> </li><li>In the <strong>Enable Certificate Templates</strong> dialog box, select the name of the new template you created and then click <strong>OK</strong>.
<a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/1881.LDAPoverSSLCertTemplate.JPG"> <img alt="Copy of Kerberos template named LDAPoverSSL" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/1881.LDAPoverSSLCertTemplate.JPG" style="margin:2px; border:1px solid rgb(0,0,0); width:550px; height:339px; vertical-align:middle"></a> </li></ol> <br>
<h4><a name="ReqServerAuthCert">Requesting a Certificate for Server Authentication</a></h4>
<p>To request a certificate for your LDAP server, do the following on each domain controller that requires LDAPS connections:</p>
<ol> <li>Open the <strong>Certificates</strong> console. Click <strong>Start</strong>, type <strong>MMC</strong>, and then press ENTER. If prompted by User Account Control, ensure it displays the action you want and then click <strong>Yes</strong>. </li><li>In the MMC console that opens (typically Console1), click <strong>File</strong> and then click <strong>Add/Remove Snap-in</strong>. </li><li>In <strong>Add or Remove Snap-ins</strong>, under <strong>Available Snap-ins</strong>, click <strong>Certificates</strong>, and then click <strong>Add</strong>. </li><li>In the <strong>Certificates snap-in</strong> dialog box, select <strong>Computer account</strong> and then click <strong>Next</strong>. </li><li>In <strong>Select Computer</strong>, if you are managing the LDAP server requiring the certificate, select <strong>Local computer</strong>. Otherwise, select <strong>Another computer</strong> and click <strong>Browse</strong> to locate the LDAP server requiring the certificate. </li><li>Once you have the correct computer selected, click <strong>OK</strong> and then click <strong>Finish</strong>. </li><li>In <strong>Add or Remove Snap-ins</strong>, click <strong>OK</strong>.
</li><li>In the console tree, expand <strong>Certificates (&lt;computer&gt;)</strong>. </li><li>Right-click <strong>Certificates</strong>, click <strong>All Tasks</strong>, and then click <strong>Request New Certificate</strong>. <a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/7167.RequestNewCertificate.JPG"> <img alt="Request New Certificate" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/7167.RequestNewCertificate.JPG" style="margin:2px; border:1px solid rgb(0,0,0); width:550px; height:357px; vertical-align:middle"></a> </li><li>In <strong>Certificate Enrollment</strong>, click <strong>Next</strong>. </li><li>On the <strong>Select Certificate Enrollment Policy</strong> page, you would typically leave the default of <strong>Active Directory Enrollment Policy</strong>. If you have a different policy that you should follow, select that one instead. Click <strong>Next</strong>. </li><li>Select a certificate template that allows for server authentication. <strong>Kerberos Authentication</strong> works, but you can use a custom template as described in <a href="#CustomServerAuthCert">Publishing a Certificate that Supports Server Authentication</a>. Click <strong>Enroll</strong>. <a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/0882.LDAPOverSSLCertSelection.JPG"> <img alt="Selecting a certificate that supports Server Authentication" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/0882.LDAPOverSSLCertSelection.JPG" style="margin:2px; border:1px solid rgb(0,0,0); width:550px; height:383px; vertical-align:middle"></a> </li><li>On the <strong>Certificate Enrollment</strong> dialog box, click <strong>Finish</strong>.
</li><li>In the results pane, double-click the certificate that you received to open the <strong>Certificate</strong> properties dialog box. </li><li>Click the <strong>Details</strong> tab and, in the <strong>Field</strong> column, select <strong>Enhanced Key Usage</strong>. Confirm that <strong>Server Authentication (1.3.6.1.5.5.7.3.1)</strong> is listed. <a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/6318.EnhancedKeyUsage.JPG"> <img width="398" height="493" alt="Certificate Enhanced Key Usage" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/6318.EnhancedKeyUsage.JPG" style="margin:2px; border:1px solid rgb(0,0,0)"></a> </li></ol>
For other step-by-step examples of requesting a certificate for server authentication and implementing LDAP over SSL (LDAPS), see the following articles:<br>
<ul> <li><a title="Instructions on how to request a server authentication certificate in Windows Server 2003" href="http://technet.microsoft.com/en-us/library/cc740173%28WS.10%29.aspx" target="_blank">Request a computer certificate for server authentication - Windows Server 2003, 2003 R2 instructions</a> </li><li><a title="Enable LDAP over SSL with 3rd party CA" href="http://support.microsoft.com/kb/321051" target="_blank">How to enable LDAP over SSL with a third-party Certification Authority - Windows Server 2000, 2003, 2003 R2, 2008, 2008 R2 updated instructions</a> </li><li><a title="Configuring LDAP over SSL on AD LDS" href="http://technet.microsoft.com/en-us/library/cc725767%28WS.10%29.aspx" target="_blank">Appendix A: Configuring LDAP over SSL Requirements for AD LDS - Windows Server 2008 and Windows Server 2008 R2 instructions</a> </li></ul>
<h4><a name="EnableLDAPSClient">Enabling LDAPS for Client Authentication</a></h4>
Enabling LDAPS on the client is not necessary to protect credentials passed from the client to the server
when LDAPS is already enabled on the server. It simply allows the client to authenticate itself to the server: an extra layer of protection to ensure that the client connecting as COMPUTER_X is actually COMPUTER_X and not some other computer trying to authenticate with COMPUTER_X's credentials. The client must be using a certificate from a CA that the LDAP server trusts. Client certificates and AD DS accounts are mapped using altSecurityIdentities, which can be done through various methods. For more information on those methods, see <a title="Mapping users to certificates" href="http://blogs.msdn.com/b/spatdsg/archive/2010/06/18/howto-map-a-user-to-a-certificate-via-all-the-methods-available-in-the-altsecurityidentities-attribute.aspx" target="_blank"> HowTo: Map a user to a certificate via all the methods available in the altSecurityIdentities attribute</a>. Certificates are presented to the server during the Transport Layer Security (TLS) handshake and key exchange (described in section 7.4 of <a title="RFC 2246" href="http://tools.ietf.org/html/rfc2246" target="_blank">RFC 2246</a>). To enable LDAPS authentication for the client, ensure the certificate is placed in the personal store for the user account.<br> <br>
<h4><a name="AD_DS_Certificate_Storage">Active Directory Domain Services Certificate Storage</a></h4>
When a certificate is selected from the local machine store (as in <a title="Enumerating Certificates" href="http://msdn.microsoft.com/en-us/library/aa376050%28v=vs.85%29.aspx" target="_blank"> CertEnumCertificatesInStore</a>), the first valid certificate that can be used for Server Authentication (OID: 1.3.6.1.5.5.7.3.1) is returned for use. In cases where customers have multiple certificates valid for Server Authentication in the LDAP server's (e.g.
<a title="Active Directory Domain Services domain controller" href="http://technet.microsoft.com/en-us/library/cc770946%28WS.10%29.aspx"> AD DS domain controller</a>, <a title="Active Directory Lightweight Directory Service" href="http://technet.microsoft.com/en-us/library/cc754361%28WS.10%29.aspx"> AD LDS</a>, or <a title="Active Directory Application Mode" href="http://technet.microsoft.com/en-us/library/cc736765%28WS.10%29.aspx" target="_blank"> ADAM</a> server) local computer certificate store, they may see that a different certificate than the one they want is used for LDAPS communications. The best resolution to such an issue is to remove all unnecessary certificates from the local computer certificate store and have only one certificate that is valid for server authentication. <br> <br>
However, if there is a legitimate reason to have two or more such certificates, and the customer is using Windows Server 2008 or later LDAP servers, the Active Directory Domain Services (NTDS\Personal) certificate store can be used for LDAPS communications. <br> <br>
<strong style="background-color:rgb(216,216,216)"> <span style="color:rgb(227,108,9); background-color:rgb(191,191,191)">Important</span></strong><span style="background-color:rgb(216,216,216)"> There are several significant details to know before you implement the use of the Active Directory Domain Services certificate store.</span><br style="background-color:rgb(216,216,216)"> <span style="background-color:rgb(216,216,216)"></span>
<ol style="background-color:rgb(216,216,216)"> <li>Automatic certificate enrollment (auto-enrollment) cannot be used with certificates in the NTDS\Personal certificate store. </li><li>Current command-line tools do not allow certificate management of the NTDS\Personal certificate store.
</li><li>Certificates should be imported into the store, not moved (using drag and drop) via the Certificates console (MMC). </li><li>Each LDAP server will require its own certificate in order to use this option, but it is only necessary to use this option on a server that has multiple certificates with the purpose of Server Authentication in the local certificate store. The best solution is to have only one certificate in the computer's personal certificate store. </li></ol>
<h4><a name="Exporting_and_Importing_the_LDAPS_Certificate">Exporting the LDAPS Certificate and Importing for use with AD DS</a></h4>
The following steps demonstrate how to export an LDAPS-enabled certificate from a domain controller computer's local certificate store and import it into the Active Directory Domain Services service certificate store (NTDS\Personal). You will have to perform these steps on each domain controller that has multiple certificates with the Server Authentication purpose enabled. These certificates will have to be manually renewed when they expire, and this only works starting with Windows Server 2008 domain controllers, as that was the first Windows Server operating system release in which NTDS was separated out as its own service.<br>
<ol> <li>Click <strong>Start</strong>, type <strong>mmc</strong>, and then click <strong>OK</strong>. </li><li>Click <strong>File</strong> and then click <strong>Add/Remove Snap-in</strong>. </li><li>Click <strong>Certificates</strong> and then click <strong>Add</strong>. </li><li>In the <strong>Certificates</strong> snap-in, select <strong>Computer account</strong> and then click <strong>Next</strong>. </li><li>In <strong>Select Computer</strong>, if you are working at the LDAP server requiring the certificate, select <strong>Local computer</strong>. Otherwise, select <strong>Another computer</strong> and click <strong>Browse</strong> to locate the LDAP server requiring the certificate.
</li><li>Once you have the correct computer selected, click <strong>OK</strong> and then click <strong>Finish</strong>.<br> In <strong>Add or Remove Snap-ins</strong>, click <strong>OK</strong>. </li><li>In the console tree, expand <strong>Certificates (&lt;computer&gt;)</strong>. </li><li><span style="color:rgb(0,0,0)">In the certificates console of a computer that contains a certificate that can be used for Server Authentication, right-click the certificate, click <strong>All Tasks</strong>, and then click <strong>Export</strong>. <a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/0118.ExportingLDAPScertificate.JPG"> <img alt="Export Server Auth Certificate" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/0118.ExportingLDAPScertificate.JPG" style="margin:2px; border:1px solid rgb(0,0,0); width:550px; height:230px; vertical-align:middle"></a><br> </span></li><li><span style="color:rgb(0,0,0)">On the <strong>Certificate Export Wizard</strong> welcome screen, click <strong>Next</strong>.</span> </li><li><span style="color:rgb(0,0,0)">On the <strong>Export Private Key</strong> screen, select <strong>Yes, export the private key</strong> and then click <strong>Next</strong>. If you don't have the option to export the private key, then the certificate template did not allow the private key to be exported (see <a title="Ensure template allows private key to be exported" href="#CustomServerAuthCert"> Publishing a Certificate that Supports Server Authentication</a>).
<a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/5488.ExportPrivateKey.JPG"> <img alt="Export private key" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/5488.ExportPrivateKey.JPG" style="margin:2px; border:1px solid rgb(0,0,0); width:370px; height:326px"></a><br> </span></li><li><span style="color:rgb(0,0,0)">On the <strong>Export File Format</strong> screen, you should select <strong>Export all extended properties</strong>. The other selections are optional. <a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/3817.FileExportFormat.JPG"> <img alt="Export all extended properties" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/3817.FileExportFormat.JPG" style="margin:2px; border:1px solid rgb(0,0,0); width:409px; height:371px; vertical-align:middle"></a></span> </li><li><span style="color:rgb(0,0,0)">On the Password screen, enter a password that you want to be used when the certificate is imported. You will have to type the password twice: once in the <strong>Password</strong> box and then again in the <strong>Type and confirm password (mandatory)</strong> box. Then, click <strong>Next</strong>.<br> </span></li><li><span style="color:rgb(0,0,0)">On the <strong>File to Export</strong> screen, enter a path, file name, and .pfx file extension in the <strong>File name</strong> box and then click <strong>Next</strong>. 
<a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/5141.FileToExport.JPG"> <img alt="File To Export" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/5141.FileToExport.JPG" style="margin:2px; border:1px solid rgb(0,0,0); width:324px; height:289px; vertical-align:middle"></a></span> </li><li><span style="color:rgb(0,0,0)">Confirm the settings on the completion screen and then click <strong>Finish</strong>. You should see a pop-up message indicating that the export was successful. Click <strong>OK</strong>.</span> </li><li><span style="color:rgb(0,0,0)"></span>Click <strong>File</strong> and then click <strong>Add/Remove Snap-in</strong>. </li><li>Click <strong>Certificates </strong>and then click <strong>Add</strong>. </li><li><span style="color:rgb(0,0,0)">Select <strong>Service account</strong> and then click <strong>Next</strong>. <a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/3678.ServiceAccount.JPG"> <img alt="Service Account" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/3678.ServiceAccount.JPG" style="margin:2px; border:1px solid rgb(0,0,0); width:198px; height:104px; vertical-align:middle"></a></span> </li><li><span style="color:rgb(0,0,0)">In the <strong>Select Computer</strong> dialog box, ensure that you target the appropriate computer. If you are running the Microsoft Management Console (MMC) and want to target the local computer, you can leave the default selection of <strong>Local computer</strong>. Otherwise, select<strong> Another computer</strong> and then use the <strong>Browse </strong>button to select the appropriate computer. 
Then click <strong> Next</strong>.</span> </li><li><span style="color:rgb(0,0,0)">Select <strong>Active Directory Domain Services</strong> and then click <strong>Finish</strong>. <a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/0601.Service_5F00_AD_5F00_DS.JPG"> <img alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/0601.Service_5F00_AD_5F00_DS.JPG" style="margin:2px; border:1px solid rgb(0,0,0); width:278px; height:125px; vertical-align:middle"></a><br> </span></li><li><span style="color:rgb(0,0,0)">On the <strong>Add or Remove Snap-ins</strong> dialog box click <strong>OK</strong>.</span> </li><li><span style="color:rgb(0,0,0)">Expand <strong>Certificates - Services (Active Directory Domain Services)</strong> and then click <strong>NTDS\Personal</strong>.<br> </span></li><li><span style="color:rgb(0,0,0)">Right-click <strong>NTDS\Personal</strong>, click <strong>All Tasks</strong>, and then click <strong>Import</strong>. 
<span style="color:rgb(0,0,0)"> <a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/1055.ImportingLDAPScertificate.JPG"><img alt="Import Certificate" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/1055.ImportingLDAPScertificate.JPG" style="margin:2px; border:1px solid rgb(0,0,0); width:373px; height:210px; vertical-align:middle"></a></span><br> </span></li><li><span style="color:rgb(0,0,0)">On the <strong>Certificate Import Wizard</strong> welcome screen, click <strong>Next</strong>.</span> </li><li><span style="color:rgb(0,0,0)">On the <strong>File to Import</strong> screen, click <strong>Browse</strong>, and then locate the certificate file that you exported previously.</span> </li><li><span style="color:rgb(0,0,0)">On the <strong>Open</strong> screen, ensure that <strong>Personal Information Exchange (*.pfx,*.p12)</strong> is selected as the file type, navigate the file system to locate the certificate you exported previously, and then click that certificate. <a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/7522.ldapscert_5F00_selection.JPG"> <img alt="LDAPS certificate selection" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/7522.ldapscert_5F00_selection.JPG" style="margin:2px; border:1px solid rgb(0,0,0); width:321px; height:245px; vertical-align:middle"></a><br> </span></li><li><span style="color:rgb(0,0,0)">Click <strong>Open</strong> and then click <strong>Next</strong>.</span> </li><li><span style="color:rgb(0,0,0)">On the <strong>Password</strong> screen, enter the password you set for the file and then click <strong>Next</strong>.
<a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/8321.Password4LDAPS_5F00_Import.JPG"> <img width="287" height="260" alt="" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/8321.Password4LDAPS_5F00_Import.JPG" style="border:0px solid currentColor"></a><br> </span></li><li><span style="color:rgb(0,0,0)">On the <strong>Certificate Store</strong> page, ensure that <strong>Place all certificates in the following store</strong> is selected and reads <strong>Certificate store: NTDS\Personal</strong> and then click <strong>Next</strong>. <a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/2158.NTDS_5F00_Personal.JPG"> <img alt="Certificate Store" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/2158.NTDS_5F00_Personal.JPG" style="margin:2px 2px 3px; border:0px solid currentColor; width:340px; height:176px; vertical-align:middle"></a><br> </span></li><li><span style="color:rgb(0,0,0)">On the <strong>Certificate Import Wizard</strong> completion screen, click <strong>Finish</strong>. You should then see a message that the import was successful. Click <strong>OK</strong>.</span> </li><li>In the Navigation pane, under <strong>NTDS\Personal</strong>, click <strong>Certificates</strong> </li><li><span style="color:rgb(0,0,0)">In the details pane, right-click the certificate you imported and then click <strong>Open</strong>. 
<a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/2425.CheckImportedCert.JPG"> <img alt="LDAPS Certificate" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/2425.CheckImportedCert.JPG" style="margin:2px; border:0px solid currentColor; width:550px; height:263px; vertical-align:middle"></a><br> </span></li><li><span style="color:rgb(0,0,0)">Click <strong>Details</strong> and then click <strong>Enhanced Key Usage</strong>. Confirm that <strong>Server Authentication (1.3.6.1.5.5.7.3.1)</strong> is listed as one of the purposes of the certificate, and then click <strong>OK</strong>. <a href="http://social.technet.microsoft.com/wiki/cfs-file.ashx/__key/communityserver-wikis-components-files/00-00-00-00-05/1665.ServerAuthenticationEnhancedKeyUsage.JPG"> <img alt="Server Authentication" src="http://social.technet.microsoft.com/wiki/resized-image.ashx/__size/550x0/__key/communityserver-wikis-components-files/00-00-00-00-05/1665.ServerAuthenticationEnhancedKeyUsage.JPG" style="margin:2px; border:1px solid rgb(0,0,0); width:360px; height:447px; vertical-align:middle"></a><br> </span></li></ol> <h4><a name="Verify">Verifying an LDAPS connection</a></h4> After the certificate is installed, follow these steps to verify that LDAPS is enabled:<br> <ol> <li>Start the Active Directory Administration Tool (Ldp.exe). <ul> <li>To use LDP.EXE on Windows Server 2003, see <a title="LDP in Windows Server 2003" href="http://technet.microsoft.com/en-us/library/cc772839%28WS.10%29.aspx" target="_blank"> LDAP Overview</a>. </li><li>To use LDP.EXE on Windows XP, you must download and install the <a title="Windows XP SP2 Support Tools" href="http://www.microsoft.com/downloads/en/details.aspx?FamilyId=49AE8576-9BB9-4126-9761-BA8011FABF38" target="_blank"> Windows XP Service Pack 2 Support Tools</a>. 
</li><li>For Windows Vista, Windows 7, or non-domain-controller Windows Server 2008 or Windows Server 2008 R2 computers, see <a title="RSAT" href="http://social.technet.microsoft.com/wiki/contents/articles/remote-server-administration-tools-rsat-for-windows-vista-windows-7-windows-server-2008-and-windows-server-2008-r2-dsforum2wiki.aspx" target="_blank"> Remote Server Administration Tools (RSAT) for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2</a>. </li></ul> </li><li>On the <strong>Connection</strong> menu, click <strong>Connect</strong>. </li><li>Type the name of the LDAP server (for example, a domain controller or an AD LDS/ADAM server) to which you want to connect. </li><li>Type <strong>636</strong> as the port number. </li><li>Click <strong>OK</strong>. </li></ol> <h4><a name="Troubleshooting">Troubleshooting LDAP over SSL</a></h4> When you have issues with LDAPS, there are several different things that can be wrong. One of the best walkthrough documents on troubleshooting LDAPS is on the Ask DS Blog, in which a Senior Escalation Engineer walks through verification and troubleshooting: <a title="Verifying the certificate is valid for Server Authentication" href="http://blogs.technet.com/b/askds/archive/2008/03/13/troubleshooting-ldap-over-ssl.aspx" target="_blank"> Troubleshooting LDAP over SSL</a>. Only one Event ID is directly related to LDAP over SSL, Event 1220, which is covered by the first link in the list below. The rest of the links are related to LDAP signing. LDAP signing does not encrypt the communications traveling between the LDAP server and client. LDAP signing verifies the identity of the client attempting an LDAP bind and helps to mitigate the chance of replay and man-in-the-middle attacks. 
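The Ldp.exe check above can also be scripted, which is useful when you have many domain controllers or want to catch an expired or wrongly issued certificate before clients do. The PowerShell below is an added example, not part of this article: it opens a TLS session on port 636, lets .NET validate the chain and host name the way an LDAP client would, and reports whether the presented certificate carries the Server Authentication EKU (1.3.6.1.5.5.7.3.1) checked in the import steps. The server name is a placeholder; the function name and its output fields are this example's own.

```powershell
# Added example, not from the original article. Scripted version of the Ldp.exe
# port-636 check: connect, validate chain and host name, inspect the certificate.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string] $Server,   # FQDN as it appears in the cert's subject or SAN
        [int] $Port = 636
    )

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'            # Server Authentication EKU
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($Server, $Port)

    # No custom validation callback is supplied on purpose: an untrusted chain or a
    # host-name mismatch throws here, which is exactly what an LDAP client would hit.
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate

        # Look for the Enhanced Key Usage extension and check for the Server Authentication OID.
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })

        [pscustomobject]@{
            Server        = $Server
            Protocol      = $ssl.SslProtocol
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            DnsName       = $cert.GetNameInfo('DnsName', $false)
            NotAfter      = $cert.NotAfter
            Thumbprint    = $cert.Thumbprint
            ServerAuthEku = $hasServerAuth     # $false means the cert will not work for LDAPS
        }
    }
    finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

# Usage (placeholder host name):
# Test-LdapsCertificate -Server dc01.corp.example.com
```

A thrown AuthenticationException points at the chain or name rather than at the EKU; a connection refused on 636 usually means the directory service found no usable certificate at startup, which is where Event 1220 in the list below comes in.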
For more information on LDAP signing, see <strong><a title="LDAP signing article on MSDN" href="http://msdn.microsoft.com/en-us/library/ee406098%28v=ws.10%29.aspx" target="_blank">LDAP Signing</a></strong> and <strong><a href="http://support.microsoft.com/kb/935834" target="_blank">How to enable LDAP Signing in Windows Server 2008</a></strong>.<br> <ul> <li><a title="Event ID 1220 LDAPS" href="http://social.technet.microsoft.com/wiki/contents/articles/event-id-1220-ldap-over-ssl-ldaps.aspx" target="_blank">Event ID 1220 - LDAP over SSL</a> </li><li><a title="Event ID 2886 LDAP signing" href="http://technet.microsoft.com/en-us/library/dd941829%28WS.10%29.aspx" target="_blank">Event ID 2886 - LDAP signing</a>: logged once each time the domain controller is started, if signing required is not enabled on your domain controller. </li><li><a title="Event ID 2887 LDAP signing" href="http://technet.microsoft.com/en-us/library/dd941856%28WS.10%29.aspx" target="_blank">Event ID 2887 -</a> If signing required is not enabled, this event keeps a count of how many unsigned binds occurred in the previous 24 hours. The event is logged every 24 hours. </li><li><a title="LDAP signing" href="http://technet.microsoft.com/en-us/library/dd941863%28WS.10%29.aspx" target="_blank">Event ID 2888 -</a> If signing required is enabled, this event keeps a count of how many unsigned LDAP binds occurred in the previous 24 hours. Since LDAP signing is required, those binds were rejected. This is a notice to administrators to investigate the client computers that are trying to bind without signing. </li><li><a title="LDAP Signing Event ID 2889" href="http://technet.microsoft.com/en-us/library/dd941849%28WS.10%29.aspx" target="_blank">Event ID 2889 -</a> Administrators can enable this event to help identify client computers that are attempting to bind without signing. 
This event is logged with the IP address and the bind identity of the client each time an unsigned bind is performed or attempted. </li></ul> <h4><a name="Info">Additional Information</a></h4> <ul> <li><a title="Enable LDAP over SSL" href="http://www.christowles.com/2010/11/enable-ldap-over-ssl-ldaps-on-windows.html" target="_blank">Enable LDAP over SSL (LDAPS) on Windows 2008 Active Directory Domain</a> </li><li><a title="Mapping user certificates altSecurityIdentities" href="http://blogs.msdn.com/b/spatdsg/archive/2010/06/18/howto-map-a-user-to-a-certificate-via-all-the-methods-available-in-the-altsecurityidentities-attribute.aspx">HowTo: Map a user to a certificate via all the methods available in the altSecurityIdentities attribute</a> </li><li><a title="WebSphere to Active Directory SSL" href="http://publib.boulder.ibm.com/infocenter/wpdoc/v510/index.jsp?topic=/com.ibm.wp.ent.doc/wpf/cfg_ldap_ssl.html" target="_blank">WebSphere to Active Directory over SSL</a> </li><li><a title="KB article Enable LDAPS with 3rd party certificate" href="http://support.microsoft.com/kb/321051" target="_blank">How to enable LDAP over SSL with a third-party certification authority</a> </li><li><a title="ISAServer.org article on installing Enterprise Root CA" href="http://www.isaserver.org/img/upl/vpnkitbeta2/installenterpriseca.htm" target="_blank">Installing and configuring an Enterprise Root CA on Windows Server 2003</a> </li><li><a title="Windows Server 2003 Certificate Templates" href="http://technet.microsoft.com/en-us/library/cc755996%28WS.10%29.aspx" target="_blank">Implementing and Administering Certificate Templates in Windows Server 2003</a> </li><li><a title="Windows Server 2008 Certificate Templates" href="http://technet.microsoft.com/en-us/library/cc731256%28WS.10%29.aspx" target="_blank">Implementing and Administering Certificate Templates</a> </li><li><a title="Active Directory product team blog" 
href="http://blogs.dirteam.com/blogs/paulbergson/archive/2010/09/28/windows-7-2008-kerberos-default-encryption-and-windows-2003-2000.aspx" target="_blank">Windows 7/2008 Kerberos Default Encryption and Windows 2003/2000</a> </li><li><a title="Blog article explaining how to install SSL certificate on a DC" href="http://www.richardhyland.com/diary/2009/05/12/installing-a-ssl-certificate-on-your-domain-controller/" target="_blank">Install a SSL certificate on your domain controller</a> </li><li><a title="LDAP over SSL on AD LDS" href="http://technet.microsoft.com/en-us/library/cc725767%28WS.10%29.aspx" target="_blank">Appendix A: Configuring LDAP over SSL Requirements for AD LDS</a> </li><li><a title="JSS with LDAPS Active Directory" href="http://www.jamfsoftware.com/kb/article.php?id=194" target="_blank">Configuring the JSS to Use LDAP Over SSL When Authenticating with Active Directory</a> </li><li><a title="Expired LDAP SSL requires restart" href="http://social.technet.microsoft.com/wiki/contents/articles/windows-server-2003-domain-controller-using-ldap-over-ssl-with-expired-certificate-requires-restart.aspx" target="_blank">Windows Server 2003 domain controller using LDAP over SSL with expired certificate requires restart</a> </li><li><a title="Subject Alternative Name" href="http://support.microsoft.com/kb/931351" target="_blank">How to add a Subject Alternative Name to a secure LDAP certificate</a> </li><li><a title="Troubleshooting PKI" href="http://social.technet.microsoft.com/wiki/contents/articles/troubleshooting-pki-problems-on-windows.aspx" target="_blank">Troubleshooting PKI Problems on Windows</a> </li></ul> </body> </html>