Setup AD to respond to LDAP queries over LDAPS protocol
Latest revision as of 08:26, 6 April 2022
Create self-signed certificate authority for AD certificate
To create a self-signed certificate authority (CA) that will issue the AD certificate, use the following steps:
- Go to Start Menu -> Administrative Tools -> Server Manager
- In Server Manager, select the Roles node and choose the "Add Roles" link in the right-hand pane
- On "Before You Begin" click next
- Select "Active Directory Certificate Services" and click next
- On "Introduction to Active Directory Certificate Services" click next
- Leave "Certificate authority" selected and click next
- In Setup Type leave "Enterprise" selected and click next
- In CA Type leave "Root CA" selected and click next
- Leave "Create a new private key" selected and click next
- Leave the defaults as they are on "Configure Cryptography for CA" and click next
- Choose an appropriate CN and DN for the server
- Choose an appropriate validity period and click next
- In "Configure Certificate Database" leave the values as they are and click next
- On the "Confirmation" window click "Install"
- Close the "Successful installation" message window
Create a new certificate template, create AD certificate, import certificate in AD
To create a new certificate template for AD, then request the AD certificate from the CA, and finally import the issued certificate into AD, use the following steps:
- Run "certsrv.msc" from the Start Menu run option
- Expand the "CA" tree node and click on the "Certificate Templates" node
- Right click on "Certificate Templates" and choose Manage
- Right click on "Kerberos Authentication" and choose "Duplicate Template"
  - Choose "Windows Server 2008 Enterprise" from the pop-up and click OK
  - In General, change the template display name to "AD certificate"
  - Set the validity period to something large (e.g. 5 years)
  - In the "Subject Name" tab ensure that DNS name, User principal name (UPN) and Service principal name (SPN) are selected
  - In "Request Handling" select "Allow private key to be exported". This is very important.
  - Click "Apply" and then click OK
- Close the Certificate Templates console to return to the "certsrv.msc" window
- Again right click on the "Certificate Templates" node. This time choose "New" -> "Certificate Template to Issue"
  - Select "AD certificate" and click OK
- Close the "certsrv.msc" window
- Start the "mmc" console from the Start Menu using the run command option
- In MMC go to "File" -> "Add/Remove Snap-in"
  - Click on "Certificates" in the left panel and click the "Add" button between the two panes
    - Select the "Computer account" radio button among the various choices and click next
    - In the next window leave "Local computer" selected and click finish
  - Click OK to close the "Add/Remove Snap-in" popup
- Go to "Certificates (Local Computer)" -> Personal -> Certificates
- Right click on the right pane and from All Tasks choose "Request New Certificate"
- Leave "Active Directory Enrollment Policy" selected and click next
- Select "AD certificate" and click "Enroll"
- Click finish on the success message
- Select the created certificate whose Intended Purpose starts with "KDC Authentication" and whose "Certificate Type" is AD certificate
- Right click -> "All Tasks" -> "Export"
  - Click "Next" on the first screen of the Certificate Export Wizard
  - Toggle the radio button and choose the "Yes, export the private key" option
  - Under "PKCS #12" select "Export all extended properties" and click next
  - Choose an appropriate password and click next. Remember this well. This password will be needed for importing the certificate in the next few steps.
  - Export the certificate to the desktop with the name ad.pfx
  - Click finish to complete the Certificate Export Wizard
- Click OK on the "export was successful" message
- From the "mmc" console again go to "File" -> "Add/Remove Snap-in"
  - Select "Certificates" and click "Add" between the panes
  - This time, instead of "Computer account", choose "Service account" and click next
  - Choose the "Local computer" radio button on the screen and click next
  - Select "Active Directory Certificate Services" and click finish
  - Click OK to close the snap-in manager
- Go to "Active
- Go to "Certificates - Service (Active Directory Certificate Services)" -> CertSvc\Personal
- Right click on the right pane and from All Tasks choose "Import"
- Click next on the "Certificate Import Wizard"
- Go to the desktop to select the certificate. Change the file type to all files "*.*" and select the ad.pfx file
- Click next on the file selection window
- Type the password that was used while exporting the certificate and click next. Leave "Include all extended properties" selected.
- In "Place all certificates in the following store" leave CertSvc\Personal selected and click next
- Click finish to complete the import wizard
- Click OK on the successful import message
- AD should automatically start listening on LDAPS using the new certificate
Most of this was learned from http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx
Test connection to AD over LDAPS from Linux
To test the connection to AD over LDAPS from Linux:
- Edit /etc/openldap/ldap.conf and add the line "TLS_REQCERT never" to the file
- Try something similar to:
ldapsearch -x -H ldaps://<AD-IP>/ -b '<Base-DN>' -D 'administrator@<Domain-name>' -W
and type the administrator password to connect. An example command with the values filled in is:
ldapsearch -x -H ldaps://192.168.2.15/ -b 'dc=example1,dc=com' -D 'administrator@example1.com' -W
In place of "-W" one can also use "-w'<password>'", with no gap between -w and the password. A complex password can also be enclosed in single quotes, as shown.