Home > Active Directory > How to enable LDAP over SSL using Subject Alternate Names

How to enable LDAP over SSL using Subject Alternate Names

With multiple Domain Controllers in AD, it makes little sense to hard-code any DC within programming code, applications and user profiles.  The main reason being a single point of failure, such as during maintenance windows or if a physical machine unexpectedly dies off.  The best way to mediate this is to create a DNS Round Robin for a friendly name, such as LDAP.Domain.com, and list several Domain Controllers as possible end points.  The trick however, you must configure the Domain Controllers with a certificate from either your internal PKI or a 3rd party CA, such as VeriSign.  Installing this cert is a requirement to talk SSL\TLS LDAP using subject alternate names.

Here are two KB articles that outline the process:

There are 4 key steps to follow:

    1. Create the INF file, which determines which attributes to use
    2. Use the INF to create a request file
    3. Submit the request file to be signed by the Certificate Authority
    4. Accept and install the new certificate in the local computer store


  • Create the INF file.  Save the blue text to a file and name it certnew.inf
==========================================================================================

 

[Version]
Signature=”$Windows NT$
 
[NewRequest]
Subject = “CN=dc1.contoso.com” ; must be the FQDN of domain controller  (EDIT THIS AND ADD THE FQDN OF YOUR DC)
EncipherOnly = FALSE
Exportable = FALSE  ; TRUE = Private key is exportable
KeyLength = 1024    ; Common key sizes: 512, 1024, 2048, 4096, 8192, 16384
KeySpec = 1             ; Key Exchange
KeyUsage = 0xA0     ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = “Microsoft RSA SChannel Cryptographic Provider”
ProviderType = 12
RequestType = CMC
 
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
 
[RequestAttributes]
CertificateTemplate = WebServer ;Omit  line if CA is a stand-alone CA
SAN=”dns=dc1.contoso.com&dns=ldap.contoso.com&dns=.contoso.com(EDIT THIS)
;Note: The first SAN Entry must be the FQDN of the Domain Controller.  If it is not, Secure LDAP will not function.

==========================================================================================


  • From the same directory you saved the certnew.inf file issue this command (On the DC). :
Certreq -new certnew.inf certnew.req
  • Issue this command:
Certreq -submit certnew.req certnew.cer
Note: Certreq.exe will prompt you for which CA to use if you have multiple CA’s in your environment.
  • Issue this command:
Certreq -accept certnew.cer
 
Note: This command copies the private key with the certificate and automatically places it in the private computer store.  If you try to use the Certificate Authority Web enrollment form, and do not select store in the local computer store, it will place the cert in the current user cert store on the DC.  This breaks the SSL\SAN capability.
 

You can and should delete any other certs in the DC computer store, as they will cause problems due to caching of certs within SCHANNEL as there is no way to know which cert the LDAP client binds to.

Best of Luck,

Ed McKinzie

Advertisements
Categories: Active Directory
  1. mario
    October 25, 2011 at 9:49 AM

    Do I have to create a request for each DC and have separate cert?

  2. morti
    October 13, 2014 at 8:45 AM

    Hello, one question: Does a cert build from web server template replace a cert build from domain controller template? if I should delete every other cert in my local DC’s store, how can I use Web Server template? As this cert cant do Client Authentication.

    • December 30, 2014 at 2:11 PM

      You can only use a DC certificate for a domain controller. If you are wanting to do some type off client\server auth, you must use a Mutual Authentication server certificate that has client\server enabled on the Enhanced key usage.

  1. No trackbacks yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: