The standard protocol for reading data from and writing data to Active Directory (AD) domain controllers (DCs) is LDAP. AD LDAP traffic is unsecured by
default, which makes it possible to use network-monitoring software to view the LDAP traffic between clients and DCs. This security problem also
applies to the LDAP subprotocols, such as LDAP bind, that applications, services, or users use to transport credentials and authenticate against a
Windows DC.
Organizational security policies typically require that all client/server communication is encrypted. In addition, applications that integrate with AD
might require encrypted LDAP communication.
To make LDAP traffic secure, you can use the Secure Sockets Layer/Transport Layer Security (SSL/TLS) protocols; this combination is referred to as LDAP
over SSL -- or LDAPS. To ensure that no one else can read the traffic, SSL/TLS establishes an encrypted tunnel between an LDAP client and a Windows DC.
In this article, I explain how to set up LDAPS on the DCs in your Windows Server 2008 AD infrastructure.
LDAPS Server Certificate Requirements
LDAPS requires a properly formatted X.509 certificate on all your Windows DCs. This certificate lets a DC's LDAP service listen for and automatically
accept SSL connections for both LDAP and Global Catalog (GC) traffic. The server certificate authenticates the DC to the client during the SSL/TLS
handshake that sets up the LDAPS session, and it anchors the encrypted tunnel between the client and the server once that handshake completes. As an
option, you can also use LDAPS for client authentication -- but doing so requires that you install a client authentication certificate on each of your clients.
In the next section, I explain in detail how you can obtain an LDAPS server certificate for your DCs -- but first, let's look at what rules this
certificate should adhere to.
The LDAPS certificate and its associated private key must be stored in the DC's Personal certificate store (also referred to as the MY certificate store). To view the content of your DC's certificate store, follow these steps:
1. On the DC, click Start, type mmc, and click OK.
2. Click the File menu option, then click Add/Remove Snap-in.
3. Click Certificates, Add.
4. In the Microsoft Management Console (MMC) Certificates snap-in dialog box, select Computer account and click Next.
5. In Select Computer, select Local computer and click Finish.
6. In Add or Remove Snap-ins, click OK.
7. In the console tree, expand Certificates (Local Computer), then the Personal container, and finally the Certificates container.
8. In the right-hand pane of the Certificates snap-in you'll see a list of all the certificates that are stored in your DC's Personal certificate store, as Figure 1 shows.

Figure 1: Certificates in a DC's Personal certificate store
The LDAPS certificate must meet the following X.509 certificate extension requirements:
- The Extended Key Usage certificate extension must include the Server Authentication Object Identifier (OID): 1.3.6.1.5.5.7.3.1.
- The AD Fully Qualified Domain Name (FQDN) of the DC (e.g., mydomaincontroller.company.net) must appear either in the Common Name (CN) of the certificate's Subject field or in a DNS entry of the Subject Alternative Name (SAN) certificate extension.
You can easily check the content of a certificate's X.509 extensions from the Windows Certificate Viewer, which you can also access from the
Certificates snap-in. Double-click a certificate in the right-hand pane of the Certificates snap-in, then click the Details tab, as Figure 2 shows.

Figure 2: Certificate extensions in the Details tab of the Certificate Viewer
As for any certificate, the LDAPS certificate must have been issued by a Certification Authority (CA) that the DC and the LDAPS clients trust. Trust is
established by configuring the clients and the server to trust the issuing CA's certificate (in a one-tier CA setup) or the certificate of the root CA
to which the issuing CA of the LDAPS certificate chains (in a multi-tier CA setup).
You can find a list of all trusted CA certificates in the Trusted Root Certification Authorities container of a machine's certificate store. This store
contains the certificates of CAs that you or your domain administrator consider trustworthy and that Windows can use as a trust anchor for validating
other certificates. The CA certificates of CAs installed on machines that are part of your AD infrastructure are automatically added to client
machines' certificate stores through the Group Policy Object (GPO) update mechanism. If the CA certificate of the CA that issued the LDAPS certificate
isn't present in the Trusted Root Certification Authorities container, you can manually import it using the Import option that's available from this
container's context menu.
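The requirements above (certificate and private key in the Personal store, Server Authentication EKU, DC FQDN in the Subject CN or a SAN DNS entry, chain to a CA in Trusted Root Certification Authorities) can be checked together from PowerShell instead of inspecting each certificate in the Certificate Viewer. This is an added example, not code from the original article; it assumes it runs on the DC itself in Windows PowerShell 2.0 or later and that Win32_ComputerSystem reports the DC's DNS host name and AD domain.

```powershell
# Added example, not from the original article: report which certificates in the
# DC's Personal (MY) store meet the LDAPS requirements described above.
# Assumptions: runs on the DC itself, in Windows PowerShell 2.0 or later.

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU OID
$cs = Get-WmiObject Win32_ComputerSystem
$dcFqdn = ("{0}.{1}" -f $cs.DNSHostName, $cs.Domain).ToLower()

function Get-SanDnsNames($cert) {
    # The SAN extension (OID 2.5.29.17) has no typed .NET class here, so parse its
    # text form, which Windows renders as "DNS Name=host1, DNS Name=host2".
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($ext -eq $null) { return }
    $ext.Format($false) -split ',' |
        ForEach-Object { $_.Trim() } |
        Where-Object { $_ -like 'DNS Name=*' } |
        ForEach-Object { $_.Substring(9).ToLower() }   # strip the 'DNS Name=' prefix
}

function Test-LdapsCertificate($cert) {
    # Requirement 1: Extended Key Usage (OID 2.5.29.37) includes Server Authentication
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $false
    if ($eku -ne $null) {
        $hasServerAuth = @($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid }).Count -gt 0
    }

    # Requirement 2: the DC's AD FQDN is the Subject CN or a SAN DNS entry
    $cn = ''
    if ($cert.Subject -match 'CN=([^,]+)') { $cn = $matches[1].Trim().ToLower() }
    $nameOk = ($cn -eq $dcFqdn) -or (@(Get-SanDnsNames $cert) -contains $dcFqdn)

    # Requirement 3: the chain builds to a CA in Trusted Root Certification Authorities
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    $notExpired = $cert.NotAfter -gt (Get-Date)
    New-Object PSObject -Property @{
        Thumbprint    = $cert.Thumbprint
        HasPrivateKey = $cert.HasPrivateKey
        ServerAuthEku = $hasServerAuth
        NameMatchesDc = $nameOk
        ChainTrusted  = $chainOk
        NotExpired    = $notExpired
        LdapsEligible = ($cert.HasPrivateKey -and $hasServerAuth -and $nameOk -and $chainOk -and $notExpired)
    }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-LdapsCertificate $_ } |
    Format-Table Thumbprint, LdapsEligible, HasPrivateKey, ServerAuthEku, NameMatchesDc, ChainTrusted, NotExpired -AutoSize
```

With the default chain policy, Build() also performs revocation checking, so a ChainTrusted value of False on a DC that cannot reach the CA's CRL is worth distinguishing from a genuinely untrusted issuer; the reason is available in the X509Chain object's ChainStatus property.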