Enable LDAP over SSL (LDAPS) for Microsoft Active Directory servers

By default, Microsoft Active Directory servers offer LDAP over unencrypted connections (boo!).

The steps below create a new self-signed certificate suitable for LDAPS and install it on an AD server, which enables LDAPS. Of course the "self-signed" portion of this guide can be swapped out for a real vendor-purchased certificate if required.

Steps have been tested successfully with Windows Server 2012R2, but should work with Windows Server 2008 without modification. Requires a working OpenSSL install (ideally Linux/OSX) and (obviously) a Windows Active Directory server.

Create root certificate

Using OpenSSL, create a new private key and root certificate. Answer the country/state/org questions as suitable:

$ openssl genrsa -des3 -out ca.key 4096
$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt

You should now have a resulting ca.key and ca.crt - hold onto these.

Import root certificate into trusted store of domain controller

  • From the active directory server, open Manage computer certificates.
  • Add the generated ca.crt to the certificate path Trusted Root Certification Authorities\Certificates.
  • Done.

Create client certificate

We will now create a client certificate to be used for LDAPS, signed against our generated root certificate.

From the active directory server:

  • Create a new request.inf definition with the following contents - replacing ACTIVE_DIRECTORY_FQDN with the fully qualified domain name of the Active Directory server itself (the host name of the domain controller, not the name of the AD domain):

     [Version]
     Signature="$Windows NT$"
    
     [NewRequest]
     Subject = "CN=ACTIVE_DIRECTORY_FQDN"
     KeySpec = 1
     KeyLength = 2048 ; 1024-bit RSA is too weak for a TLS server certificate
     Exportable = TRUE
     MachineKeySet = TRUE
     SMIME = FALSE
     PrivateKeyArchive = FALSE
     UserProtected = FALSE
     UseExistingKeySet = FALSE
     ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
     ProviderType = 12
     RequestType = PKCS10
     KeyUsage = 0xa0
    
     [EnhancedKeyUsageExtension]
     OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
    
  • Run the following to create a new client certificate request of client.csr (note: it's critical this is run from the active directory server to ensure a private key -> certificate association):

     C:\> certreq -new request.inf client.csr

Back to our OpenSSL system:

  • Create v3ext.txt containing the following:

     keyUsage=digitalSignature,keyEncipherment
     extendedKeyUsage=serverAuth
     subjectKeyIdentifier=hash
    
  • Create a certificate client.crt from certificate request client.csr and root certificate (with private key):

     $ openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -extfile v3ext.txt -set_serial 01 -out client.crt
  • Verify generated certificate:

     $ openssl x509 -in client.crt -text
  • Ensure the following X509v3 extensions are all present:

    • X509v3 Key Usage: Digital Signature, Key Encipherment
    • X509v3 Extended Key Usage: TLS Web Server Authentication
    • X509v3 Subject Key Identifier
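The verification step above can be scripted on the OpenSSL system before client.crt is copied back to the domain controller. This is an added example, not part of the original gist: the function names check_ldaps_cert and make_demo_cert and the host dc01.corp.example.test are assumptions, and the demo CSR is generated with OpenSSL as a stand-in for the one certreq produces. It checks the chain to ca.crt, that the subject CN is the server's own FQDN, and the three extensions listed above.

```shell
#!/bin/sh
# check_ldaps_cert CERT CA_CERT DC_FQDN  ->  exit status 0 only if all checks pass
check_ldaps_cert() {
    cert=$1; ca=$2; want=$(printf '%s' "$3" | tr 'A-Z' 'a-z')
    # 1. The certificate must chain to the root imported on the domain controller.
    openssl verify -CAfile "$ca" "$cert" >/dev/null 2>&1 ||
        { echo "FAIL: $cert is not signed by $ca"; return 1; }
    # 2. Subject CN must be the server's own FQDN, not the AD domain name.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 |
         sed -n 's/^subject= *//; s/.*CN=\([^,]*\).*/\1/p' | tr 'A-Z' 'a-z')
    [ "$cn" = "$want" ] || { echo "FAIL: CN is '$cn', expected '$want'"; return 1; }
    # 3. The three X509v3 extensions the guide lists must all be present.
    text=$(openssl x509 -in "$cert" -noout -text)
    for need in 'Digital Signature, Key Encipherment' \
                'TLS Web Server Authentication' 'X509v3 Subject Key Identifier'; do
        printf '%s\n' "$text" | grep -q "$need" ||
            { echo "FAIL: missing '$need'"; return 1; }
    done
    echo "OK: $cert is usable for LDAPS on $want"
}

# Constructed sample data: a throwaway CA and a CSR made with OpenSSL
# (standing in for the certreq output), signed with the guide's v3ext.txt.
make_demo_cert() {
    dir=$1; host=$2
    printf '%s\n' '[req]' 'distinguished_name=dn' 'x509_extensions=v3_ca' '[dn]' \
        '[v3_ca]' 'basicConstraints=critical,CA:TRUE' > "$dir/demo.cnf"
    printf '%s\n' 'keyUsage=digitalSignature,keyEncipherment' \
        'extendedKeyUsage=serverAuth' 'subjectKeyIdentifier=hash' > "$dir/v3ext.txt"
    openssl req -x509 -config "$dir/demo.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj '/CN=Demo Root CA' -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null &&
    openssl req -new -config "$dir/demo.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$host" -keyout "$dir/client.key" -out "$dir/client.csr" 2>/dev/null &&
    openssl x509 -req -days 1 -in "$dir/client.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -extfile "$dir/v3ext.txt" -set_serial 01 -out "$dir/client.crt" 2>/dev/null
}

demo=$(mktemp -d)
make_demo_cert "$demo" dc01.corp.example.test
check_ldaps_cert "$demo/client.crt" "$demo/ca.crt" dc01.corp.example.test
# A certificate checked against the AD domain name instead of the server FQDN is rejected:
check_ldaps_cert "$demo/client.crt" "$demo/ca.crt" corp.example.test || true
rm -rf "$demo"
```

Against the real files from this guide the call is check_ldaps_cert client.crt ca.crt followed by the domain controller's FQDN.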

Accept and import certificate

  • From the active directory server with client.crt present, run the following:

     C:\> certreq -accept client.crt
  • Open Manage computer certificates, the new certificate should now be present under Personal\Certificates. Ensure that:

    • Certificate has a private key association.
    • The "Intended Purposes" is defined as "Server Authentication".
    • Certificate name is the FQDN of the active directory server.

Reload active directory SSL certificate

Alternatively you can just reboot the server, but this method will instruct the active directory server to simply reload a suitable SSL certificate and if found, enable LDAPS:

  • Create ldap-renewservercert.txt containing the following:

     dn:
     changetype: modify
     add: renewServerCertificate
     renewServerCertificate: 1
     -
    
  • Run the following command:

     C:\> ldifde -i -f ldap-renewservercert.txt

Test LDAPS using ldp.exe utility

  • From another domain controller, firstly install our generated root certificate ca.crt to the certificate path Trusted Root Certification Authorities\Certificates.

  • Open utility:

     C:\> ldp.exe
  • From Connection, select Connect.

  • Enter name of target domain controller.

  • Enter 636 as port number (this is the LDAPS port).

  • Click OK to confirm the connection works.

  • You're all done!

Reference

@np422

commented Jan 28, 2017

Great guide, thank you for making this public!

@magnetikonline

Owner Author

commented Jan 29, 2017

Glad you liked it @np422 👍

@nrauso

commented Feb 21, 2017

Great shot! Very helpful, thx!

@Hg-203

commented Jun 15, 2017

Thanks, that was very helpful. The only issue I ran into was the root cert needs to be added to the "Local Machine" not "Current User".

@diegograssato

commented Oct 7, 2017

@magnetikonline

Owner Author

commented Oct 9, 2017

@diegograssato already referenced in the README 👍

@brucenelson6655

commented Nov 23, 2017

Worked like a charm !

@dabenavidesd

commented Dec 12, 2017

Hello all; I have been trying to follow all the steps, but due to insufficient permissions (I guess) I got:
C:\Users\AAA\Downloads\certif4>ldifde -i -f ldap-renewservercert.txt
Connecting to "XXX.yyy.zzz"
Logging in as current user using SSPI
Importing directory from file "ldap-renewservercert.txt"
Loading entries.
Add error on entry starting on line 1: Inappropriate Authentication
The server side error is: 0x8009030e No credentials are available in the security package
The extended server error is:
8009030E: SecErr: DSID-0C02042A, problem 4001 (INAPPROPRIATE_AUTH), data 0

0 entries modified successfully.
An error has occurred in the program
No log files were written. In order to generate a log file, please
specify the log file path via the -j option.

Please help getting it right

@dabenavidesd

commented Dec 13, 2017

Hello: it turns out that I made a first attempt (wrongly, because I used just the domain name instead of the FQDN), and that wrongly issued certificate was in the Service Account Store, so I deleted it and exported the correct one from the Computer Account Store, and got it to work:

C:\Users\AAA\Downloads\certif5>ldifde -i -f ldap-renewservercert.txt
Connecting to "XXX.yyy.zzz"
Logging in as current user using SSPI
Importing directory from file "ldap-renewservercert.txt"
Loading entries..
1 entry modified successfully.

Followed these instructions to export and import into the Service Account from:
https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx#Exporting_the_LDAPS_Certificate_and_Importing_for_use_with_AD_DS

The command has completed successfully

Thanks very much for your very short and clear tutorial

@ranajoy97

commented Mar 12, 2018

Worked like a charm. Thanks @dabenavidesd for the advice.

@datatim

commented Jul 11, 2018

Create a new request.inf definition with the following contents - replacing ACTIVE_DIRECTORY_FQDN with the qualified domain name of your active directory server

Could you please clarify this sentence? I just made the same mistake that @dabenavidesd made, by using the Active Directory's FQDN, not the FQDN of the server that I was installing the certificate.

Connecting to "master.domain.bigcorporation.com"
Logging in as current user using SSPI
Importing directory from file "ldap-renewservercert.txt"
Loading entries.
Add error on entry starting on line 1: Inappropriate Authentication
The server side error is: 0x8009030e No credentials are available in the security package
The extended server error is:
8009030E: SecErr: DSID-0C02041A, problem 4001 (INAPPROPRIATE_AUTH), data 0

Creating a new certificate with the correct name (master.domain.bigcorporation.com, not domain.bigcorporation.com) resolved this issue.

@shenmue232

commented Jul 19, 2018

I'm having the same problem, the file is UTF-8, all it contains is the following.

dn:
changetype: modify
add: renewServerCertificate
renewServerCertificate: 1

Loading entries.
Add error on line 1: Inappropriate Authentication
0 entries modified successfully.
An error has occurred in the program
No log files were written. In order to generate a log file, please
specify the log file path via the -j option.

Trying this on Windows Server 2003, any ideas?

@shenmue232

commented Jul 19, 2018

Fixed it, I forgot to do the following.

Accept the issued certificate. To do this, type the following command at the command prompt, and then press ENTER:
certreq -accept certnew.cer

@CLover01

commented Sep 13, 2018

Great guide! In Windows, there may be an error message with the command:
$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
unable to load config info from /usr/local/ssl/openssl.cnf

We can solve the error by specifying the parameter -config C:\xxxx\openssl.cnf like below:
$ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt -config C:\xxx\openssl.cnf

@neontuna

commented Oct 23, 2018

Just wanted to thank you for this, saved a lot of searching around all over the place and not having to reboot the DC is a plus 👍

@methodbox

commented Jan 15, 2019

FYI, openssl isn't installed in Windows Server by default. Nothing about that is included here. Might want to mention steps on installing it. As of right now, it gives a DLL error when installing from binaries provided from the OpenSSL page which requires additional steps to install this DLL, as well.

@magnetikonline

Owner Author

commented Jan 15, 2019

Hey @methodbox in the opening paragraph.

Steps have been tested successfully with Windows Server 2012R2, but should work with Windows Server 2008 without modification. Will require both a system with OpenSSL (ideally Linux/OSX) and (obviously) a Windows Active Directory server.

@nigeldao007

commented Jan 30, 2019

Kudos!

@TheMattSchiller

commented May 30, 2019

You the real MVP
