How do I set up LDAP SSL and Certificates in AD LDS (formerly ADAM)?
Created: 2012-04-20 08:09:59Modified: 2022-06-09 15:28:14
Tags: AD LDS ADAM LDAP SSL UnitySync
To enable SSL-based encrypted connections to AD LDS, you have a choice of using one issued by a trusted Certificate Authority (CA) or a self-signed certificate.
Certificate Requirements:
- Must be issued by a trusted Certificate Authority (CA).
Self-signed certificates can be used but must also be installed as a ‘pseudo-CA’ in the computer’s “Trusted Root Certification Authories” The certificate file itself must be in PKCS #12 format (.PFX or .P!2)
The certificate must have:
Exhanced Key Usage: Server Authentication (1.3.6.1.5.5.7.3.1)
The subject line of the certificate must be the FQDN of the machine the certificate is installed on. This can be found with the following command:
net config workstation | findstr /C:Full
Certificate Installation
- Copy the certificate file to the AD LDS server.
- Execute Start > Run > MMC (The Microsoft Management Console)
- In the Console window, Click File - ADD/Remove Snap-In
- Select “Certificates” from Available snap-ins, click ADD.
- In the Certificate Snap-in window, select “Service Account”, click Next.
- In the Select Computer window, leave the default of “Local Computer”, click Next.
- In the Certificate Snap-In window, select the AD LDS instance (Service) to associate this key to, then click Finish.
- In the Add/Remove Snap-in window, click OK.
- In the Console root drill down to Certificates > Personal
- Right Click and select All Tasks > Import
- Click Next.
- Select your .PFX or .P12 certificate and click Open.
- Click Next to import the file.
- If there is an associated password, enter it.
- Click Next to process the key.
- Place all certificated in the AD LDS Instance Personal Store.
- Click Next and Click Finish to complete the Wizard.
Certificate Permissions
Before you attempt to use the certificate with AD LDS, you must ensure that the service account under which AD LDS is running has Read access to the certificate that you installed.
- In File Explorer navigate to:
C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys
- Find the lastest created file in the directory. This will be the key you just installed.
- Right Click and select the file’s properties.
- Click the Securities tab.
- Click Edit
- Click Add
- Enter the object name to select: NETWORK SERVICE (verify with Check Names)
- Click OK.
- Verify READ access is enabled for NETWORK SERVICE
- Close all dialogs
- Restart the AD LDS Instance
SSL Connection test
- Launch ldp.exe
- Click Connection > Connect
- Set
- Server: Localhost
- Port: enter the ldap ssl port of your AD LDS instance
- Check the SSL box.
- Click OK to run the test.