
How to configure LDAPS, LDAP over SSL, using CA Certificate Service on Domain Controller in Windows Server 2016


This post provides instructions on how to set up LDAPS (LDAP over SSL/TLS) on a Domain Controller using a single-tier CA hierarchy: one Enterprise Root CA that also issues the domain controller certificate. A single tier is fine for a lab or small environment; production PKIs usually keep an offline root and issue from a subordinate CA.

Reasons for Enabling LDAPS

By default, LDAP communications between client applications and domain controllers are not encrypted. Anyone who can capture the traffic with a network monitoring device or software can read what travels between LDAP clients and servers. This is especially problematic when an LDAP simple bind is used, because the credentials (username and password) are passed over the network in clear text and can be recovered directly from a capture, which quickly leads to the compromise of credentials.

Reasons for enabling Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) / Transport Layer Security (TLS), also known as LDAPS, include:
  • Some applications authenticate with Active Directory Domain Services (AD DS) through simple BIND. As simple BIND exposes the users' credentials in clear text, use of Kerberos is preferred. If simple BIND is necessary, using SSL/TLS to encrypt the authentication session is strongly recommended.
  • Proxy binding or password changes over LDAP, which require LDAPS (e.g. binding to an AD LDS instance through a proxy object).
  • Some applications that integrate with LDAP servers (such as Active Directory Domain Controllers or AD LDS instances) require encrypted communications. To encrypt LDAP communications in a Windows network, you can enable LDAP over SSL (LDAPS).

Prerequisite

Active Directory Domain Services and AD LDS have been installed prior to this installation. AD LDS is only needed if you also want LDAPS on an AD LDS instance; a Domain Controller alone is enough for the steps below. See:

How to set up Active Directory Domain Service role in Windows server 2016
Setting up AD LDS on Windows Server 2016

HOW-TO


Step 1. Add Active Directory Certificate Services on the Domain Controller.

In Server Manager, choose Add Roles and Features, select the Active Directory Certificate Services role, and on the role services page choose Certification Authority. The other role services (Web Enrollment, Online Responder, etc.) are not needed for LDAPS.





Step 2. Configure Active Directory Certificate Services.

Run the post-deployment configuration from Server Manager: select Certification Authority, choose Enterprise CA (so the root certificate is published to the forest and domain members trust it automatically), choose Root CA for the single tier, create a new private key, pick a 2048-bit or longer RSA key with SHA256 (SHA1 is rejected by current clients), give the CA a name, and accept the default validity period.

Check the certificate on the Certification Authority. Once autoenrollment has run on the domain controller (wait for the next Group Policy refresh, or run gpupdate /force and certutil -pulse, or reboot), the Issued Certificates view of the Certification Authority console should list a certificate for the DC issued from the Domain Controller template. That certificate carries the Server Authentication EKU and the DC's DNS name, which is what the LDAP server needs to accept connections on port 636.



Step 3. Verify the LDAPS connection.

Open ldp.exe, choose Connection > Connect, enter the Domain Controller's FQDN (not its IP address, because the name must match the DNS name in the certificate), set the port to 636 and tick SSL. A successful connection prints the RootDSE attributes. An error such as "Cannot open connection" or LDAP error 0x51 (server unavailable) usually means the DC has not yet received a usable certificate or the client does not trust the issuing CA.
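The same three steps as a script, added here as an example and not part of the original post. It assumes an elevated PowerShell session on the Domain Controller that is already joined to the domain, and the CA common name, key size and validity are assumptions you should replace. The verification part uses .NET instead of ldp.exe so the result can be scripted.

```powershell
# Added example (not the original post's code). Run elevated on the Domain Controller.
# CA name, key length and validity below are assumptions; adjust to your environment.

# --- Step 1: add the AD CS role with the Certification Authority role service ---
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# --- Step 2: configure a single-tier Enterprise Root CA ---
# An Enterprise CA publishes its root into the forest, so domain members trust it after a
# Group Policy refresh, and it offers the Domain Controller template the DC needs for LDAPS.
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName 'CORP-ROOT-CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 4096 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# Pull the new root into the local trust stores and trigger certificate autoenrollment so the
# DC obtains a certificate from the Domain Controller template (Server Authentication EKU).
gpupdate /force | Out-Null
certutil -pulse | Out-Null

$fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# The LDAP server needs a certificate in LocalMachine\My with a private key, the Server
# Authentication EKU and the DC's FQDN as a DNS name. Fail loudly if none is there yet.
$dcCert = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' -and
    $_.DnsNameList.Unicode -contains $fqdn
}
if (-not $dcCert) {
    throw "No server-authentication certificate for $fqdn in LocalMachine\My; autoenrollment has not run yet."
}
$dcCert | Format-List Subject, Issuer, NotAfter, Thumbprint

# Ask the LDAP server to reload its certificate without a reboot (the rootDSE
# renewServerCertificate operation). A reboot of the DC achieves the same.
@"
dn:
changetype: modify
add: renewServerCertificate
renewServerCertificate: 1
-
"@ | Set-Content -Path "$env:TEMP\renew.ldf" -Encoding ASCII
ldifde -i -f "$env:TEMP\renew.ldf" | Out-Null

# --- Step 3: verify LDAPS ---
# 3a. Raw TLS handshake to 636: shows which certificate the DC actually presents and the TLS
#     version. AuthenticateAsClient throws if the chain does not validate or the name mismatches.
$tcp = New-Object System.Net.Sockets.TcpClient($fqdn, 636)
$tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
$tls.AuthenticateAsClient($fqdn)
$served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($tls.RemoteCertificate)
"Presented: {0} issued by {1}, expires {2}, protocol {3}" -f `
    $served.Subject, $served.Issuer, $served.NotAfter, $tls.SslProtocol
$tls.Dispose(); $tcp.Dispose()

# 3b. A real LDAP bind over SSL and a RootDSE read, the same thing ldp.exe shows on connect.
#     Negotiate (Kerberos) is used even though the channel is encrypted; reserve simple bind for
#     clients that cannot do better, and only ever over this port.
Add-Type -AssemblyName System.DirectoryServices.Protocols
$ident = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($fqdn, 636)
$ldap  = New-Object System.DirectoryServices.Protocols.LdapConnection($ident)
$ldap.SessionOptions.SecureSocketLayer = $true
$ldap.SessionOptions.ProtocolVersion   = 3
$ldap.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
$ldap.Bind()   # LdapException 0x51 "server unavailable" here almost always means a certificate/trust problem
$req = New-Object System.DirectoryServices.Protocols.SearchRequest('', '(objectClass=*)', 'Base', 'defaultNamingContext')
$rootDse = $ldap.SendRequest($req)
"LDAPS bind OK, defaultNamingContext = {0}" -f $rootDse.Entries[0].Attributes['defaultNamingContext'][0]
$ldap.Dispose()
```

Run the Step 3 part again from a domain-joined client to confirm that the client trusts the CA; if the handshake in 3a fails there but succeeds on the DC, the root certificate has not yet reached the client's Trusted Root store.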






Done.


Reference

https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
