Enabling LDAP over SSL with Windows Server 2008 R2 SP1

The following takes you through setting up LDAP over SSL from the server side of a Windows 2008 R2 SP1 Domain Controller.

Note: This happens to be the minimum required to force a NetApp CDOT 8.2.1 SVM to have LDAP over SSL properly configured before it can join the Active Directory Domain.

My Lab Setup

My lab setup is simply a single Windows Server 2008 R2 SP1 Domain Controller - called MSDMC01 - in the domain LAB.PRIV, starting from a pretty much out-of-the-box Domain Controller installation.

Step 1 of 3: Enablement in the Default Domain Controllers Policy

This step sets ‘Domain controller: LDAP server signing requirements’ to Require signing. With that in force the DC rejects any LDAP bind that is neither signed (a SASL bind that has negotiated integrity) nor carried over SSL/TLS, which is what stops a client such as the SVM from quietly falling back to a cleartext simple bind on port 389. The setting does not by itself enable LDAP over SSL; that depends on the certificate the DC obtains once the CA from Step 2 exists.

Start > Administrative Tools > Group Policy Management
Find the ‘Default Domain Controllers Policy’, right-click and click Edit...

Image 1: Group Policy Management
In the ‘Group Policy Management Editor: Default Domain Controllers Policy’
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
Find the policy ‘Domain controller: LDAP server signing requirements’, right-click and click Properties

Image 2: Group Policy Management Editor
Domain controller: LDAP server signing requirements
Ensure that the ‘Define this policy setting’ box is ticked
Change the drop-down menu to ‘Require signing’
Click OK
Click Yes to the ‘Confirm Settings Change’ box

Image 3: Domain controller - LDAP server signing requirements Properties
Close the ‘Group Policy Management Editor’ window.
Close the ‘Group Policy Management’ window.

Then, from the Domain Controller, open a Command Prompt and run gpupdate to refresh policy on the Domain Controller:

gpupdate /force

Note: You can tell the GPO setting has taken effect when the registry value HKLM\SYSTEM\CurrentControlSet\services\NTDS\Parameters\LDAPServerIntegrity (DWORD) has changed from the default 1 (no signing required) to 2 (require signing). If you change the registry value by hand without updating the Default Domain Controllers GPO, Group Policy sets it back to 1 at every gpupdate.

Image 4: Registry Editor
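The following PowerShell script is an added verification for Step 1; it is not part of the original post. It reads the effective LDAPServerIntegrity value on the DC and then probes the bind behaviour the policy is supposed to give: an unsigned simple bind on TCP 389 should be refused with LDAP result 8 (strongerAuthRequired), while a signed SASL (Kerberos/NTLM) bind on the same port is still accepted. The DC name MSDMC01.lab.priv is taken from the lab; the account LAB\ldaptest is an assumed throwaway test account.

```powershell
# Added verification for Step 1 (not from the original post). Works with
# PowerShell 2.0 on a domain-joined client or on the DC itself.
# Assumptions: DC = MSDMC01.lab.priv, LAB\ldaptest = a throwaway test account.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server   = 'MSDMC01.lab.priv'
$User     = 'LAB\ldaptest'                           # assumed test account
$Password = Read-Host "Password for $User"           # prompt rather than hardcode

# 1. Effective value on the DC (run this part on the DC, after gpupdate):
#    LDAPServerIntegrity 1 = None (default), 2 = Require signing.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$p = Get-ItemProperty -Path $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue
if ($p -and $p.LDAPServerIntegrity -eq 2) {
    'LDAPServerIntegrity = 2: the DC requires signing'
} else {
    "LDAPServerIntegrity = $($p.LDAPServerIntegrity): signing NOT required; check the GPO and rerun gpupdate"
}

# 2. Probe bind behaviour. $AuthType is 'Basic' (LDAP simple bind: the password
#    travels in the clear unless SSL/TLS is used) or 'Negotiate' (SASL
#    Kerberos/NTLM, which can negotiate signing and sealing).
function Test-LdapBind {
    param([string]$Server, [int]$Port, [string]$AuthType, [bool]$Sign, [bool]$Ssl,
          [System.Net.NetworkCredential]$Credential)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $Ssl          # $true only makes sense with port 636
    if ($Sign) { $conn.SessionOptions.Signing = $true; $conn.SessionOptions.Sealing = $true }
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]$AuthType
    $conn.Credential = $Credential
    $label = '{0}:{1} {2} sign={3} ssl={4}' -f $Server, $Port, $AuthType, $Sign, $Ssl
    try {
        $conn.Bind()
        "$label -> bind accepted"
    } catch {
        # With the policy in force the DC answers an unsigned bind with
        # LdapException ErrorCode 8 (strongerAuthRequired).
        $e = $_.Exception
        "$label -> bind REFUSED: {0} (ErrorCode {1})" -f $e.Message, $e.ErrorCode
    } finally {
        $conn.Dispose()
    }
}

$cred = New-Object System.Net.NetworkCredential($User, $Password)
# Unsigned simple bind over plain LDAP: expected to be refused (ErrorCode 8).
Test-LdapBind -Server $Server -Port 389 -AuthType Basic     -Sign $false -Ssl $false -Credential $cred
# Signed SASL bind on the same port: expected to be accepted. The policy checks
# for signing or SSL/TLS, not the port number.
Test-LdapBind -Server $Server -Port 389 -AuthType Negotiate -Sign $true  -Ssl $false -Credential $cred
```

If both probes report "bind accepted", the policy has not taken effect yet. Note that the first probe really does put the password on the wire in the clear before the DC refuses it: requiring signing limits what the DC accepts, it does not stop a misconfigured client from sending a cleartext bind, which is why a throwaway account is used here. Once Steps 2 and 3 are done, the same function with -Port 636 -AuthType Basic -Ssl $true shows a simple bind being accepted over SSL, provided the client trusts the root CA certificate.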
Step 2 of 3: Setting up an Enterprise Root CA

Server Manager > Roles > Add Roles

Add Roles Wizard: Select Server Roles
Tick the ‘Active Directory Certificate Services’ box and click Next >

Image 5: Add Roles Wizard
Add Roles Wizard: Introduction to Active Directory Certificate Services
Click Next >

Add Roles Wizard: Select Role Services
Tick the ‘Certification Authority’ box only
Click Next >

Image 6: AD CS - Select Role Services
Note: Later on - but not required for what we want to achieve here - I will install ‘Certification Authority Web Enrollment’ so I can request certificates from the domain certification authority.

Add Roles Wizard: Specify Setup Type
Choose ‘Enterprise’ to set up an Enterprise CA
Click Next >

Image 7: AD CS - Specify Setup Type
Add Roles Wizard: Specify CA Type
Choose ‘Root CA’
Click Next >

Image 8: AD CS - Specify CA Type
Add Roles Wizard: Set Up Private Key
Choose ‘Create a new private key’ (since this is a new CA)
Click Next >

Image 9: AD CS - Set Up Private Key
Add Roles Wizard: Configure Cryptography for CA
Leave as the default settings, which are sufficient for this lab:
Cryptographic service provider (CSP) = RSA#Microsoft Software Key Storage Provider
Key character length = 2048
Hash algorithm for signing certificates issued by this CA = SHA1
‘Allow administrator interaction when the private key is accessed by the CA’ = unticked
Click Next >

Note: SHA1 is the wizard default, but it is deprecated for certificate signatures. Unless you have to match an old client, choose SHA256 from the same drop-down; the CA’s own certificate is signed with the algorithm chosen here, and everything it issues carries it until the certificates are renewed.

Image 10: AD CS - Configure Cryptography for CA
Add Roles Wizard: Configure CA Name
Leave as the default populated settings which are sufficient for our requirements:
Common name for this CA = lab-MSDMC01-CA
Distinguished name suffix = DC=lab,DC=priv
Preview of distinguished name = CN=lab-MSDMC01-CA,DC=lab,DC=priv
Click Next >

Image 11: AD CS - Configure CA Name
Add Roles Wizard: Set Validity Period
Leave as the default settings which are sufficient for our requirements:
Validity period for certificate generated for this CA = 5 years
Click Next >

Image 12: AD CS - Set Validity Period

Add Roles Wizard: Configure Certificate Database
Leave as the default settings which are sufficient for our requirements:
Certificate database location = C:\Windows\system32\CertLog
Certificate database log location = C:\Windows\system32\CertLog
Click Next >

Image 13: AD CS - Configure Certificate Database
Add Roles Wizard: Confirm Installation Selections
Click Install

Image 14: AD CS - Confirm Installation Selections
Add Roles Wizard: Installation Results
Click Close

Step 3 of 3: Obtaining the Root CA Certificate

Installing an Enterprise CA in the domain also causes the Domain Controller to enroll automatically for a Domain Controller certificate. Once that certificate is in the DC’s computer certificate store, the DC accepts LDAP over SSL on TCP 636 (and 3269 for the Global Catalog); restarting the DC is the simplest way to be sure it has picked the certificate up. Clients will only accept that certificate if they trust the CA that issued it, so the root CA certificate has to be handed to them.

On our Enterprise Root CA Domain Controller, run the following from the Command Prompt (>) to export the self-signed root CA certificate, and copy everything from the BEGIN CERTIFICATE line to the END CERTIFICATE line (inclusive) into a plain text document. This is what clients wanting to establish LDAP over SSL connections need to install as a trusted root before they can validate the DC’s certificate.

certutil -ca.cert CA_root_cert

Note: the file CA_root_cert that this writes is the certificate in binary DER form; the Base64 block printed on screen is the same certificate in the PEM form most non-Windows clients import. Clients should connect to the DC by its fully qualified name (MSDMC01.lab.priv), which is the name in the DC’s certificate, rather than by IP address, or certificate validation will fail.

And that’s it!

Example of the output, first from certutil run with no arguments (which performs -dump and shows the CA configuration), then from certutil -ca.cert:

Entry 0: (Local)
  Name:                         `lab-MSDMC01-CA'
  Organizational Unit:          `'
  Organization:                 `'
  Locality:                     `'
  State:                        `'
  Country/region:               `'
  Config:                       `MSDMC01.lab.priv\lab-MSDMC01-CA'
  Exchange Certificate:         `'
  Signature Certificate:        `MSDMC01.lab.priv_lab-MSDMC01-CA.crt'
  Description:                  `'
  Server:                       `MSDMC01.lab.priv'
  Authority:                    `lab-MSDMC01-CA'
  Sanitized Name:               `lab-MSDMC01-CA'
  Short Name:                   `lab-MSDMC01-CA'
  Sanitized Short Name:         `lab-MSDMC01-CA'
  Flags:                        `13'
  Web Enrollment Servers:       `'
CertUtil: -dump command completed successfully.

C:\Users\Administrator>certutil -ca.cert CA_root_cert
CA cert[0]: 3 -- Valid
CA cert[0]:

CertUtil: -ca.cert command completed successfully.
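The following PowerShell script is an added example for Step 3; it is not from the original post. It exports the root CA certificate in both DER and Base64 (PEM) form, then connects to TCP 636 on the DC, fetches the certificate the DC presents, and checks what an LDAPS client has to check: that the name in the certificate matches the host it connected to, that the certificate carries the Server Authentication usage, and that its chain ends at our exported root rather than at whatever happens to be in the local trust store. The host name MSDMC01.lab.priv is from the lab; the file names and the decision to skip revocation checking (a lab CA whose CRL the clients cannot necessarily reach) are assumptions.

```powershell
# Added example for Step 3 (not from the original post). Run on the CA (the DC)
# after Step 2, with PowerShell 2.0 or later.
# Assumptions: DC/CA = MSDMC01.lab.priv; file names below; revocation not checked.
$Server  = 'MSDMC01.lab.priv'
$DerPath = Join-Path (Get-Location) 'CA_root_cert'       # as written by certutil -ca.cert
$PemPath = Join-Path (Get-Location) 'CA_root_cert.pem'   # Base64 form for the clients

# certutil -ca.cert writes the CA certificate as binary DER; -encode rewraps it
# as Base64 between BEGIN/END CERTIFICATE lines. -f overwrites existing files.
certutil -f -ca.cert $DerPath | Out-Null
certutil -f -encode  $DerPath $PemPath | Out-Null

$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($DerPath)
'Root CA : {0}  thumbprint {1}  expires {2}' -f $root.Subject, $root.Thumbprint, $root.NotAfter

# Fetch the certificate the DC presents on TCP 636. The callback accepts anything
# because validation is done explicitly, against our exported root, below.
function Get-LdapsServerCertificate {
    param([string]$Server, [int]$Port = 636)
    $accept = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
    try {
        $ssl.AuthenticateAsClient($Server)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Close()
        $tcp.Close()
    }
}

# The checks an LDAPS client performs before trusting the DC.
function Test-LdapsCertificate {
    param($Cert, $Root, [string]$ExpectedHost)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'                          # assumption: lab CRL unreachable
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority' # we pin the root ourselves
    $chain.ChainPolicy.ExtraStore.Add($Root) | Out-Null
    $built = $chain.Build($Cert)
    $anchored = $false
    if ($chain.ChainElements.Count -gt 0) {
        $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $anchored = ($top.Thumbprint -eq $Root.Thumbprint)   # chain ends at OUR root
    }
    $dns = $Cert.GetNameInfo('DnsName', $false)             # SAN DNS name, else subject CN
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = $false
    if ($eku) { $serverAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' }) }
    New-Object PSObject -Property @{
        Subject        = $Cert.Subject
        DnsName        = $dns
        HostMatches    = ($dns -eq $ExpectedHost)
        ChainBuilds    = $built
        AnchoredOnRoot = $anchored
        ServerAuthEku  = $serverAuth
        Expires        = $Cert.NotAfter
    }
}

$dcCert = Get-LdapsServerCertificate -Server $Server
Test-LdapsCertificate -Cert $dcCert -Root $root -ExpectedHost $Server | Format-List
```

HostMatches, ChainBuilds, AnchoredOnRoot and ServerAuthEku should all be True. If the TcpClient connection to 636 is refused, the DC has not yet picked up its Domain Controller certificate; if HostMatches is False you connected by a name (or IP address) that is not in the certificate, which is the same failure a client such as the SVM would see. The CA_root_cert.pem file is the one to hand to those clients.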