Windows Server: How to Enable Secure Lightweight Directory Access Protocol (LDAPS) on an Active Directory Domain Controller

Summary: This article provides the steps to enable Secure LDAP on an Active Directory domain controller.


Instructions

Lightweight Directory Access Protocol (LDAP) is one of the core protocols of Active Directory Domain Services. Secure LDAP (LDAPS or LDAP over SSL or TLS) provides a means of securing LDAP communication through encryption.
 
NOTE: The domain controller must be rebooted at the end of this procedure. Depending on the environment, a scheduled maintenance window may be required.

An appropriate certificate must be generated and installed on a DC in order for the DC to use LDAPS. The following can be used as a template for the certificate request:

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=<DC_fqdn>" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Larger key sizes (2048, 4096, 8192, or 16384)
; can also be used. They are more secure but larger
; sizes have a greater performance impact.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
;-----------------------------------------------

To generate an LDAPS certificate, copy the text above into Notepad. Change <DC_fqdn> in the Subject line to the fully qualified domain name of the DC where the certificate is installed (for example, dc1.ad.domain.com).

Depending on the certification authority (CA), some or all the following information may also be required:

  • Email address (E)
  • Organizational unit (OU)
  • Organization (O)
  • City or locality (L)
  • State or province (S)
  • Country or region (C)
All this information can be added to the Subject line, as in this example:

Subject="E=user@domain.com, CN=dc1.ad.domain.com, OU=Information Technology, O=Company, L=Anywhere, S=Kansas, C=US"

Save the text file as request.inf, and run certreq -new request.inf request.req from a command prompt. This generates a certificate request named request.req using the information supplied in the text file.

Once the request has been generated, it must be submitted to the CA. The submission procedure cannot be documented here, as it depends on the CA.

The CA generates the certificate, which must be downloaded to the DC. The download procedure also varies, but the certificate must be encoded as base64.

Save the certificate on the DC as ldaps.cer, and run certreq -accept ldaps.cer to complete the pending request and install the certificate. By default, the certificate is installed in the DC's Personal store; the Certificates MMC snap-in can be used to confirm this.

The DC must now be rebooted. When the DC boots back into Windows, it automatically picks up the installed certificate and accepts LDAPS connections; no further configuration is required.

Additional Information

Running the netstat command on any DC shows that the lsass.exe process listens on TCP ports 389 and 636, whether or not the above procedure has been followed. However, LDAPS cannot be used until an appropriate certificate is installed.

The ADSI Edit tool can be used to confirm that LDAPS is in use:

  1. Launch ADSI Edit (adsiedit.msc).
  2. In the left pane, right-click ADSI Edit and select Connect to... .
  3. Select a naming context from the dropdown menu.
  4. Check Use SSL-based encryption.
  5. Click Advanced… .
  6. Enter 636 for the port number and click OK.
  7. Port 636 should appear in the Path field near the top of the window. Click OK to connect.
  8. If the connection is successful, LDAPS is in use.
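The checks below are an added example, not part of the Dell article: they verify from an elevated PowerShell session on the DC that a certificate matching the request above (Server Authentication EKU, DC FQDN in the subject or SAN, private key present) sits in the Personal store, and then perform a TLS handshake against port 636 to confirm which certificate the LDAP service actually presents, which is the same thing the ADSI Edit steps confirm. The only assumption is that $DcFqdn resolves to the DC's FQDN used in the request's Subject line.

```powershell
# Added example (not from the original article). Run on the DC in an elevated PowerShell.
# Assumption: the DC's FQDN is the one used in the request.inf Subject line.
$DcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Candidate certificates in LocalMachine\My: Server Authentication EKU
#    (the OID from request.inf), name matches the DC, private key present, in validity.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -lt (Get-Date) -and $_.NotAfter -gt (Get-Date) -and
    $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and
    ($_.Subject -match "CN=$([regex]::Escape($DcFqdn))" -or
     $_.DnsNameList.Unicode -contains $DcFqdn)
}
if (-not $candidates) {
    Write-Warning "No usable LDAPS certificate for $DcFqdn found in LocalMachine\My."
} else {
    # KeyBits is shown because many CAs no longer accept 1024-bit RSA; 2048 is the usual minimum.
    $candidates | Select-Object Subject, Thumbprint, NotAfter,
        @{ n = 'KeyBits'; e = { $_.PublicKey.Key.KeySize } } | Format-Table -AutoSize
}

# 2. TLS handshake on TCP 636; the callback accepts any certificate so that we can
#    inspect what is served, then the chain is validated separately in step 3.
$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$ssl = $null
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false,
        { param($sender, $cert, $chain, $errors) $true })
    $ssl.AuthenticateAsClient($DcFqdn)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "LDAPS handshake OK ($($ssl.SslProtocol)); served: $($served.Subject) thumbprint $($served.Thumbprint)"

    # 3. Validate the served certificate the way a normal LDAPS client would.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    if (-not $chain.Build($served)) {
        Write-Warning ("Chain validation failed: " + ($chain.ChainStatus.StatusInformation -join '; '))
    }
} catch {
    Write-Warning "TLS handshake on port 636 failed: $($_.Exception.Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

A handshake that succeeds but reports a thumbprint different from the certificate you just installed means Schannel picked another certificate from the store; a chain failure in step 3 means clients that validate the issuer will still refuse the connection.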

Affected Products

Microsoft Windows Server 2016, Microsoft Windows Server 2019, Microsoft Windows Server 2022

Article Properties
Article Number: 000212661
Article Type: How To
Last Modified: 11 Dec 2024
Version:  4