Configuring Secure LDAP connection on Server 2016

This article covers the best practice to follow when implementing Active Directory and integrating its authentication with other software, particularly where SSO (Single Sign-On) is in use. So, what does LDAP actually mean? The Lightweight Directory Access Protocol (LDAP) is used to read from and write to Active Directory. By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology. You can enable LDAP over SSL (LDAPS) by installing a properly formatted certificate from either a Microsoft certification authority (CA) or a non-Microsoft CA. So in this blog I will share my knowledge of how to configure a secure LDAP connection on Server 2016.

By default, communication between client and server applications is not encrypted for LDAP, which means that a device or piece of software monitoring the network can view the traffic traveling between LDAP clients and server computers. That does not necessarily expose Kerberos, SASL or even NTLM authentication and authorization, because those mechanisms have their own encryption methods. It is the data communication between clients and servers that is at risk of being compromised. So let’s work on securing that communication.

LDAP uses TCP/UDP port 389 for normal communication, whereas secure communication uses port 636. So, first let’s see how to check it.

On your machine, go to Run, type ‘ldp’ and click ‘OK’.


Once this is done, a new window will open. On the ‘Connection’ menu click ‘Connect’ and provide the server name and port 636.

If you see this kind of error, it means secure LDAP is not configured. So let’s start configuring it.

Configuring secure LDAP:

To configure secure LDAP, we first need to install a Certificate Authority on our Domain Controller. To install the Certificate Authority, please follow this blog. After the local CA is installed, open it. Right-click ‘Certificate Templates’ and select ‘Manage’. On ‘Action’, select ‘View Object Identifiers’.

Now scroll down and verify that Server Authentication with object identifier 1.3.6.1.5.5.7.3.1 is present; this is what allows us to configure secure LDAP.

After verifying the object identifier, open the ‘Microsoft Management Console’ (MMC).

In the ‘Microsoft Management Console (MMC)’, choose ‘Add or Remove Snap-ins’ and add the Certificates snap-in for the computer account.

Select the local computer for the Certificates snap-in and click ‘OK’.

After adding the local computer certificates, expand ‘Personal’ below ‘Certificates’.

You will see a folder named ‘Certificates’. Right-click it, navigate to ‘Request New Certificate’ and select it.

A new Certificate Enrollment window will open; click ‘Next’.

On ‘Select Certificate Enrollment Policy’, click ‘Next’.

At ‘Certificate Enrollment’, select ‘Domain Controller’ and click ‘Enroll’.

It will take a while for the ‘Domain Controller’ certificate to be installed on your Domain Controller. After completion, click ‘Finish’.

Now you can see the certificate issued to your domain controller on the certificates page.

Testing:

Once you have verified that the certificate has been installed on your machine, try to connect to it with ldp on port 636 as we did earlier.

If the configuration is good, you will receive this kind of message on your LDP console. If it didn’t work, you might need to restart your machine once.
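As an added example (not code from the original post), the PowerShell below automates the two checks this guide performs by hand: that the Domain Controller holds a certificate with the Server Authentication EKU from the step above, and that a TLS handshake on port 636 succeeds the way the ldp test does. It assumes it runs on the DC as an administrator; the $Server parameter is an assumption that defaults to the local FQDN.

```powershell
# Added check (not from the original post). Run on the Domain Controller as an
# administrator. $Server is an assumed parameter; it defaults to this host's FQDN.
param(
    [string]$Server = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
)

# Server Authentication EKU that the post tells you to look for in the CA's object identifiers
$serverAuthOid = '1.3.6.1.5.5.7.3.1'

# Step 1: the DC must hold, in its computer Personal store, a non-expired certificate
# with a private key, the Server Authentication EKU, and the DC FQDN in subject or SAN.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotAfter -gt (Get-Date) -and
    ($_.EnhancedKeyUsageList | Where-Object { $_.ObjectId -eq $serverAuthOid }) -and
    ($_.DnsNameList.Unicode -contains $Server -or $_.Subject -like "*CN=$Server*")
}
if (-not $candidates) {
    Write-Warning "No usable LDAPS certificate for $Server in Cert:\LocalMachine\My"
} else {
    Write-Host "Usable LDAPS certificate(s) in the computer store:"
    $candidates | Format-List Thumbprint, Subject, Issuer, NotAfter
}

# Step 2: open a TLS session to port 636, as ldp.exe does. AuthenticateAsClient validates
# the presented chain against the machine's trusted roots, so an untrusted CA fails here.
$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($Server, 636)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    $ssl.AuthenticateAsClient($Server)
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    [pscustomobject]@{
        Server      = "${Server}:636"
        TlsProtocol = $ssl.SslProtocol
        Cipher      = $ssl.CipherAlgorithm
        Subject     = $remote.Subject
        Issuer      = $remote.Issuer
        Expires     = $remote.NotAfter
        Thumbprint  = $remote.Thumbprint
    }
} catch {
    Write-Warning "LDAPS handshake to ${Server}:636 failed: $($_.Exception.Message)"
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

If step 1 finds a certificate but step 2 fails with a chain error, the client machine does not trust the issuing CA; if step 2 fails with a connection refused, the DC has not yet picked up the new certificate and the restart mentioned above applies.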

Hope this blog was helpful for integrating AD authentication with your application over a secure channel. Keep posting any comments.
