Using SSL to Encrypt LDAP Queries – Windows 2008 R2


I'm trying to secure our domain so when LDAP queries are made from another computer they are encrypted with SSL.

I followed this guide even though I am using Windows 2008 R2.

I added the Active Directory Certificate Services role with mostly default settings, and made sure it's an Enterprise Root CA (as the guide suggests).

I log in to a Windows 7 computer (all firewalls disabled), and using the Java-based app JXplorer (is there anything better?) do some LDAP queries (or try to, at least). The problem is I can't seem to connect to the server using anything but GSSAPI (don't even know what that is); I tried other options but it doesn't connect.

The guide doesn't mention anything else other than installing CA on the server, I'm wondering if there are any other configurations that need to be performed in order to force SSL for LDAP queries.

Many thanks.


Best Answer

You never actually say you're running Active Directory on 2008 R2, but I'll assume that's the case.

First off, you do not need to install Certificate Services on your domain controller or make it a Certification Authority. Your DC just needs a single "valid" SSL certificate assigned to it that your LDAP client "trusts".

There are a variety of ways to get a certificate for your DC. Installing a Certification Authority (like AD Certificate Services) and using it to generate your "domain controller" certificate is one way, but not the only way. And it is generally considered unwise to make your domain controller the certification authority. Put it on a dedicated machine, instead.

You can also get a certificate from a third party CA just like you would for a web server. It's a little more complicated because a domain controller certificate has different attributes it needs in order to be "valid". Here's a link from Microsoft on the subject: How to enable LDAP over SSL with a third-party certification authority

Requirements for an LDAPS certificate

To enable LDAPS, you must install a certificate that meets the following requirements:

  • The LDAPS certificate is located in the Local Computer's Personal certificate store (programmatically known as the computer's MY certificate store).
  • A private key that matches the certificate is present in the Local Computer's store and is correctly associated with the certificate. The private key must not have strong private key protection enabled.
  • The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (also known as OID).
  • The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places:
    • The Common Name (CN) in the Subject field.
    • DNS entry in the Subject Alternative Name extension.
  • The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
  • You must use the Schannel cryptographic service provider (CSP) to generate the key.

Once you have your certificate installed and working on the DC, you should be able to point your LDAP client to port 636 or 3269 (for GC connection) and be good to go.
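The following PowerShell script is an added example (not part of the answer above or of any Microsoft guidance) that checks the certificates in the domain controller's Local Computer Personal store against the requirements listed in the answer, then attempts an LDAPS bind on port 636 (or 3269 for the Global Catalog). It assumes it is run in an elevated session on the DC, that the `$DcFqdn` parameter resolves to the DC's Active Directory FQDN, and that the current user can bind with Negotiate; the function names are the example's own.

```powershell
# Added example, not code from the original answer.
# Assumes: run elevated on the domain controller; $DcFqdn is the DC's AD FQDN.
param(
    [string]$DcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
    [int]$Port = 636    # 3269 for a Global Catalog LDAPS connection
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, as required

function Test-LdapsCertificate {
    # Returns a list of problems; an empty list means the cert meets the listed requirements.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$Fqdn
    )
    $problems = @()

    # Requirement: a matching private key present and associated with the certificate.
    if (-not $Cert.HasPrivateKey) { $problems += 'no associated private key' }

    # Requirement: Enhanced Key Usage includes Server Authentication.
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) {
        $problems += 'EKU does not include Server Authentication'
    }

    # Requirement: the DC FQDN is the Subject CN or a DNS entry in the SAN extension.
    $cn  = $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    if (-not (($cn -eq $Fqdn) -or ($sanText -match [regex]::Escape("DNS Name=$Fqdn")))) {
        $problems += "FQDN $Fqdn is neither the Subject CN nor a SAN DNS name"
    }

    # Requirement: issued by a CA the DC trusts (chain must build to a trusted root).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($Cert)) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $problems += "chain does not build to a trusted root ($status)"
    }

    # Informational: the provider name is only exposed for legacy CSP keys.
    if ($Cert.PrivateKey -and $Cert.PrivateKey.CspKeyContainerInfo) {
        Write-Verbose "$($Cert.Thumbprint) key provider: $($Cert.PrivateKey.CspKeyContainerInfo.ProviderName)"
    }
    return ,$problems
}

function Test-LdapsBind {
    # Opens an SSL-wrapped LDAP session and binds; Bind() throws if TLS or auth fails.
    param([string]$Fqdn, [int]$Port)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Fqdn, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try {
        $conn.Bind()
        Write-Host "LDAPS bind to ${Fqdn}:$Port succeeded"
        return $true
    } catch {
        Write-Warning "LDAPS bind to ${Fqdn}:$Port failed: $($_.Exception.Message)"
        return $false
    } finally {
        $conn.Dispose()
    }
}

# Evaluate every certificate in the Local Computer Personal (MY) store.
$usable = foreach ($c in Get-ChildItem Cert:\LocalMachine\My) {
    $p = Test-LdapsCertificate -Cert $c -Fqdn $DcFqdn
    if ($p.Count -eq 0) { $c } else { Write-Host "$($c.Thumbprint): $($p -join '; ')" }
}
if (-not $usable) {
    Write-Warning "No certificate in LocalMachine\My satisfies the LDAPS requirements for $DcFqdn"
} else {
    $usable | Format-Table Thumbprint, Subject, NotAfter -AutoSize
}

Test-LdapsBind -Fqdn $DcFqdn -Port $Port
```

Run it as `.\Test-Ldaps.ps1 -Verbose` on the DC; a client-side check is the same `Test-LdapsBind` call from the Windows 7 machine with `-Fqdn DC01.DOMAIN.COM`, which also confirms that the client trusts the issuing chain, since Schannel validates the server certificate during the bind.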