I covered this briefly in the following post: Troubleshooting CDOT CIFS Server Create Failed “Strong(er) authentication required”.
The following takes you through setting up LDAP over SSL from the server side of a Windows 2008 R2 SP1 Domain Controller.
Note: It just happens to be the minimum required to force a NetApp CDOT 8.2.1 SVM to have LDAP over SSL properly configured before it can join the Active Directory Domain.
My Lab Setup
My lab setup is simply a single Windows Server 2008 R2 SP1 Domain Controller - called MSDMC01 - in the domain LAB.PRIV, and we start with a pretty much out-of-the-box Domain Controller setup.
Step 1 of 3: Enablement in the Default Domain Controllers Policy
Start > Administrative Tools > Group Policy Management
Find the ‘Default Domain Controllers Policy’, right-click and click Edit...
Image 1: Group Policy Management
In the ‘Group Policy Management Editor: Default Domain Controllers Policy’:
Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > Security Options
Find the policy ‘Domain controller: LDAP server signing requirements’, right-click and click Properties
Image 2: Group Policy Management Editor
Domain controller: LDAP server signing requirements
Ensure that the ‘Define this policy setting’ box is ticked
Change the drop-down menu to ‘Require signing’
Click OK
Click Yes to the ‘Confirm Settings Change’ box
Image 3: Domain controller - LDAP server signing requirements Properties
Close the ‘Group Policy Management Editor’ window.
Close the ‘Group Policy Management’ window.
Then, from the Domain Controller, open a DOS Command Prompt and type the following command to update the policy on the Domain Controller.
gpupdate
Note: The GPO setting isn’t applied until the registry value ‘ldapserverintegrity’ (DWORD) under HKLM\SYSTEM\CurrentControlSet\services\NTDS\Parameters has changed from the default 1 to the new setting of 2. If you change the registry value manually without updating the Default Domain Controllers GPO, it will revert to 1 after every gpupdate.
Image 4: Registry Editor
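The following is an added example (not from the original post) that checks the same thing the note above describes, from an elevated PowerShell prompt on the Domain Controller: whether the Default Domain Controllers Policy actually defines the setting, and whether the registry value holds at 2 across a forced Group Policy refresh. The GPO name, registry key and value name are the ones in the post; the use of Get-GPOReport to look for the value name in the policy’s XML report is an assumption of this example.

```powershell
# Added example, not from the original post: confirm on the DC that the GPO
# setting has landed in the registry key the note refers to, refresh Group
# Policy, and confirm it is still there afterwards (a policy-backed value
# survives gpupdate; a hand-edited one reverts). Run in an elevated prompt on
# MSDMC01. GPO name, key path and value name are the ones in the post.
$gpoName = 'Default Domain Controllers Policy'
$keyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$valName = 'LDAPServerIntegrity'     # 1 = None (default), 2 = Require signing

function Get-LdapSigningRequirement {
    $item  = Get-ItemProperty -Path $keyPath -Name $valName -ErrorAction SilentlyContinue
    $value = if ($item) { $item.$valName } else { $null }
    switch ($value) {
        1       { '1 - None: unsigned LDAP binds on port 389 are accepted' }
        2       { '2 - Require signing: unsigned simple binds are refused unless TLS/SSL is in use' }
        default { "not set or unexpected value ($value)" }
    }
}

# 1. Is the setting defined in the GPO at all? Get-GPOReport (GroupPolicy
#    module, available where the GPMC is installed) renders the policy as XML;
#    this example assumes the security option appears there under its
#    registry value name.
Import-Module GroupPolicy
$report = Get-GPOReport -Name $gpoName -ReportType Xml
if ($report -match $valName) {
    Write-Host "GPO '$gpoName' defines $valName"
} else {
    Write-Warning "GPO '$gpoName' does not define $valName - a manual registry edit will revert on the next refresh"
}

# 2. Registry value before and after a forced refresh.
Write-Host "Before gpupdate: $(Get-LdapSigningRequirement)"
gpupdate /force | Out-Null
Write-Host "After gpupdate:  $(Get-LdapSigningRequirement)"
```

If the second line still reports 2 after the refresh, the requirement is being enforced by policy rather than by a registry edit that the next gpupdate would undo.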
Step 2 of 3: Setting up an Enterprise Root CA
Server Manager > Roles > Add Roles
Add Roles Wizard: Select Server Roles
Tick the ‘Active Directory Certificate Services’ box and click Next >
Image 5: Add Roles Wizard
Add Roles Wizard: Introduction to Active Directory Certificate Services
Click Next >
Add Roles Wizard: Select Role Services
Tick the ‘Certification Authority’ box only
Click Next >
Image 6: AD CS - Select Role Services
Note: Later on - but not required for what we want to achieve here - I will install ‘Certification Authority Web Enrollment’ so I can request certificates from the domain certification authority.
Add Roles Wizard: Specify Setup Type
Choose ‘Enterprise’ to set up an Enterprise CA
Click Next >
Image 7: AD CS - Specify Setup Type
Add Roles Wizard: Specify CA Type
Choose ‘Root CA’
Click Next >
Image 8: AD CS - Specify CA Type
Add Roles Wizard: Set Up Private Key
Choose ‘Create a new private key’ (since this is a new CA)
Click Next >
Image 9: AD CS - Set Up Private Key
Add Roles Wizard: Configure Cryptography for CA
Leave as the default settings, which are sufficient for our requirements:
Cryptographic service provider (CSP) = RSA#Microsoft Software Key Storage Provider
Key character length = 2048
Hash algorithm for signing certificates issued by this CA = SHA1
‘Allow administrator interaction when the private key is accessed by the CA’ = unticked
Click Next >
Image 10: AD CS - Configure Cryptography for CA
Add Roles Wizard: Configure CA Name
Leave as the default populated settings, which are sufficient for our requirements:
Common name for this CA = lab-MSDMC01-CA
Distinguished name suffix = DC=lab,DC=priv
Preview of distinguished name = CN=lab-MSDMC01-CA,DC=lab,DC=priv
Click Next >
Image 11: AD CS - Configure CA Name
Add Roles Wizard: Set Validity Period
Leave as the default settings, which are sufficient for our requirements:
Validity period for certificate generated for this CA = 5 years
Click Next >
Image 12: AD CS - Set Validity Period
Add Roles Wizard: Configure Certificate Database
Leave as the default settings, which are sufficient for our requirements:
Certificate database location = C:\Windows\system32\CertLog
Certificate database log location = C:\Windows\system32\CertLog
Click Next >
Image 13: AD CS - Configure Certificate Database
Add Roles Wizard: Confirm Installation Selections
Click Install
Image 14: AD CS - Confirm Installation Selections
Add Roles Wizard: Installation Results
Click Close
Step 3 of 3: Obtaining the Root CA Certificate
On our Enterprise Root CA Domain Controller, run the following commands from the DOS prompt (>) to obtain the self-signed root CA certificate, and copy all the output between and including the BEGIN CERTIFICATE and END CERTIFICATE lines into a simple text document. This will need to be provided to the clients wanting to establish LDAP over SSL connections, so they can install the root CA certificate first.
certutil
certutil -ca.cert CA_root_cert
And that’s it!
Example of the output using certutil and certutil -ca.cert:
C:\Users\Administrator>certutil
Entry 0:
(Local)
Name: `lab-MSDMC01-CA'
Organizational Unit: `'
Organization: `'
Locality: `'
State: `'
Country/region: `'
Config: `MSDMC01.lab.priv\lab-MSDMC01-CA'
Exchange Certificate: `'
Signature Certificate: `MSDMC01.lab.priv_lab-MSDMC01-CA.crt'
Description: `'
Server: `MSDMC01.lab.priv'
Authority: `lab-MSDMC01-CA'
Sanitized Name: `lab-MSDMC01-CA'
Short Name: `lab-MSDMC01-CA'
Sanitized Short Name: `lab-MSDMC01-CA'
Flags: `13'
Web Enrollment Servers: `'
CertUtil: -dump command completed successfully.
C:\Users\Administrator>certutil -ca.cert CA_root_cert
CA cert[0]: 3 -- Valid
CA cert[0]:
-----BEGIN CERTIFICATE-----
(Base64-encoded certificate body omitted)
-----END CERTIFICATE-----
CertUtil: -ca.cert command completed successfully.
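As an added example (not from the original post), the script below does the client-side half of Step 3 from a Windows host: it writes the root CA certificate out in DER (what certutil -ca.cert produces) and in PEM (the BEGIN/END CERTIFICATE form most non-Windows LDAP clients import), then opens a TLS session to the Domain Controller on the LDAPS port and accepts the handshake only if the server certificate chains to exactly that root, which is what a client that has installed the root will require. The DC name and the CA_root_cert file name are taken from the post; port 636, the .pem file name and the use of certutil -encode and .NET SslStream are assumptions of this example.

```powershell
# Added example, not from the original post. Exports the Enterprise Root CA
# certificate in DER and PEM form, then verifies that the DC's LDAPS (port 636)
# certificate chains to that root. Run on the DC or a domain-joined Windows host.
$dc      = 'MSDMC01.lab.priv'          # Domain Controller from the post
$derFile = 'CA_root_cert'              # DER output of certutil -ca.cert (as in the post)
$pemFile = 'CA_root_cert.pem'          # PEM copy for LDAP clients (assumed name)

certutil -ca.cert $derFile | Out-Null
certutil -encode $derFile $pemFile | Out-Null    # wraps the DER in BEGIN/END CERTIFICATE lines
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($derFile)
Write-Host "Root CA: $($root.Subject)  thumbprint $($root.Thumbprint)"

function Test-LdapsChain {
    param(
        [string]$Server,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Root
    )
    # Validation callback: the name must match, and the chain must terminate at
    # $Root specifically, not merely at some root the local machine trusts.
    $validate = {
        param($sender, $cert, $chain, $errors)
        if ($errors -band [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch) {
            Write-Warning "Server certificate name does not match $Server"
            return $false
        }
        $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
        $c = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $c.ChainPolicy.ExtraStore.Add($Root) | Out-Null
        $c.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $c.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
        if (-not $c.Build($serverCert)) { return $false }
        $top = $c.ChainElements[$c.ChainElements.Count - 1].Certificate
        return ($top.Thumbprint -eq $Root.Thumbprint)
    }.GetNewClosure()

    $tcp = New-Object System.Net.Sockets.TcpClient($Server, 636)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
    try {
        $ssl.AuthenticateAsClient($Server)      # throws if $validate returned $false
        $peer = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        Write-Host "LDAPS OK: $Server presented '$($peer.Subject)' issued by '$($peer.Issuer)'"
        return $true
    } catch {
        Write-Warning "LDAPS handshake with $Server failed: $($_.Exception.Message)"
        return $false
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

Test-LdapsChain -Server $dc -Root $root
```

A false result here, before the CA has issued the DC its own certificate, is expected: the Domain Controller only starts answering on 636 once it has a server certificate from the new Enterprise CA, so this check is also a quick way to tell whether that auto-enrollment has happened yet.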