Enabling LDAPS with Microsoft PKI

LDAPS is one of the most important features for protecting credentials in an environment backed by your PKI. By default, LDAP traffic between client and server applications is not encrypted, so anyone with a network monitoring device or packet capture software on the path can read the communication between LDAP clients and servers. This is especially problematic when an LDAP simple bind is used, because the credentials (username and password) are sent over the network in clear text and can quickly be compromised.

Prerequisites

A functional Microsoft PKI should be available and configured. When you open PKIView.msc, no errors should appear.

Errorless pkiview

If you need help deploying your own PKI, refer to this article on building your own Two Tier PKI.

Installing AD LDS

This step should be carried out on the LDAP server or on the domain controllers that will host the LDAPS service.

  • Open Server Manager
  • From manage, open Add Roles and Features
  • On Before you Begin, click Next
Before you begin
  • On Installation type, ensure Role-based or feature-based installation is selected, and click Next
Installation type
  • On Server Selection, click Next.
Server Selection
  • On Server Roles, select Active Directory Lightweight Directory Services, click Add Features, and then click Next
Server Roles
  • On Features, click Next
Features window
  • On AD LDS, click Next
AD LDS window
  • On Confirmation, click Install
install on confirmation
  • After installation, AD LDS needs to be configured

Configuring AD LDS

  • Run the AD LDS Setup Wizard and click Next on the first page
Run AD LDS setup wizard
  • Ensure A unique instance is selected, and click Next
unique instance should be selected
  • Provide the Instance name and Description, and click Next
Provide Instance name and Description
  • Leave the default ports and click Next
Leave default ports

If AD LDS is installed on a domain controller, the default LDAP port will be 50000 and the default SSL port 50001, because ports 389 and 636 are already in use by Active Directory Domain Services on that host.

  • On Application Directory Partition, click Next
Application Directory Partition
  • On File locations, click Next
File locations
  • On Service Account Selection, you may leave the Network Service account selected, or choose a preferred account that will run the AD LDS instance (and therefore the LDAPS service)
Service Account Selection
  • On AD LDS administrators, leave the current user as administrator, or choose another account from the domain
AD LDS administrators
  • Choose all LDF files to be imported, and click Next
Choose all LDF Files
  • On Ready to Install, click Next
Ready to Install
  • After installation, click Finish
Installation Finish
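The role installation and instance creation above can also be scripted. The following is an added example and not code from the original article; it installs the AD LDS role with Install-WindowsFeature and creates the instance from an adaminstall.exe answer file using the same choices as the wizard. The instance name, application partition DN and data path are placeholders, and the answer-file keys are those of the adaminstall.exe /answer format, which you should check against your Windows version's documentation before use.

```powershell
# Added example, not from the original article: unattended equivalent of the
# Server Manager and AD LDS Setup Wizard steps above. Run elevated on the host
# that will serve LDAPS. Instance name, partition DN and paths are placeholders.
Install-WindowsFeature -Name ADLDS -IncludeManagementTools

$instance  = 'LDAPS-Instance'                        # assumed instance name
$partition = 'CN=LdapsApp,DC=example,DC=test'        # placeholder application partition
$dataPath  = "C:\Program Files\Microsoft ADAM\$instance\data"

# Same choices as the wizard: unique instance, the 50000/50001 defaults that apply on
# a domain controller, Network Service as the service account (assumed to be the
# default when ServiceAccount/ServicePassword are omitted), the current user as AD LDS
# administrator, and LDF files from %windir%\ADAM. Extend ImportLDIFFiles to match the
# "all LDF files" choice made in the wizard; two are listed here as an illustration.
$answer = @"
[ADAMInstall]
InstallType=Unique
InstanceName=$instance
LocalLDAPPortToListenOn=50000
LocalSSLPortToListenOn=50001
NewApplicationPartitionToCreate=$partition
DataFilesPath=$dataPath
LogFilesPath=$dataPath
AddPermissionsToServiceAccount=Yes
Administrator=$env:USERDOMAIN\$env:USERNAME
ImportLDIFFiles="MS-InetOrgPerson.LDF" "MS-User.LDF"
"@
$answerFile = Join-Path $env:TEMP 'adlds-answer.txt'
Set-Content -Path $answerFile -Value $answer -Encoding ASCII

& "$env:windir\ADAM\adaminstall.exe" /answer:$answerFile
if ($LASTEXITCODE -ne 0) { throw "adaminstall.exe failed with exit code $LASTEXITCODE" }
Remove-Item $answerFile   # would contain a password if a domain service account were used

# Verify: the instance runs as service ADAM_<instance> and the SSL port is listening
Get-Service -Name "ADAM_$instance"
Get-NetTCPConnection -LocalPort 50001 -State Listen |
    Select-Object LocalAddress, LocalPort, OwningProcess
```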

Publishing a certificate that supports Server Authentication

  • Log in to the Issuing CA as Enterprise Admin
  • Ensure you are in Server Manager
  • From the Tools menu, open Certification Authority
open Certificate Authority

Expand the console tree, and right-click Certificate Templates

right click on Certificate Templates
  • Select Kerberos Authentication (it already provides Server Authentication), right-click it and select Duplicate Template. We can now customize the copy.
Select Duplicate Template
  • On the General tab, change the Template display name and Template name. Check Publish certificate in Active Directory; this ensures the certificate appears when we enroll domain controllers using this template
Change Template Display Name
  • On the Request Handling tab, check Allow private key to be exported
check Allow private key to be exported
  • On the Security tab, grant Enroll permission to the appropriate users
provide Enroll permissions
  • Click Apply

Issue the certificate template on the Issuing CA

  • Log in to the Issuing CA as Enterprise Admin
  • Ensure you are in Server Manager
  • From the Tools menu, open Certification Authority
open Certificate Authority

Expand the console tree, and click Certificate Templates

On the menu bar, click Action > New > Certificate Template to Issue

click Certificate Template to Issue
  • Choose the LDAPS certificate template
Choose the LDAPS certificate
  • Click OK; the template should now appear under Certificate Templates

Requesting a certificate for Server Authentication

  • Log in to the LDAP server or domain controller
  • Press Win+R and run mmc
  • Click File, then Add/Remove Snap-in
click Add/Remove Snap-in
  • Choose Certificates and click Add
Choose Certificates and click Add
  • Choose Computer account
Choose Computer account
  • If you are on the LDAP server where AD LDS is installed, click Local computer; otherwise choose Another computer and select the server on which the certificate needs to be installed
choose location
  • Expand the console tree, expand Personal, and click Certificates
  • Right-click Certificates, click All Tasks, and select Request New Certificate
select Request New Certificate
  • Follow the wizard, choose the LDAPS template that we issued earlier, and install it
  • Once installed, click Finish
choose LDAPS template that we issued
  • Open the certificate and, on the Details tab, check Enhanced Key Usage to ensure Server Authentication is present
ensure Server Authentication is present
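The enrollment and the Enhanced Key Usage check above can be done from PowerShell as well. This is an added example, not code from the original article: it requests the template with Get-Certificate (PKIClient module) into the machine store and then verifies the properties a server certificate needs before LDAPS will use it. It assumes the Template name chosen on the General tab was "LDAPS" and that the server can reach the issuing CA through its enrollment policy.

```powershell
# Added example, not from the original article: scripted counterpart to the
# MMC enrollment and the "Details > Enhanced Key Usage" check above.
# Assumptions: the template's Template name is "LDAPS" and the machine can reach the
# issuing CA through its enrollment policy. Run elevated on the LDAP server or DC.
$templateName = 'LDAPS'   # assumed Template name from the General tab

$result = Get-Certificate -Template $templateName -CertStoreLocation 'Cert:\LocalMachine\My'
if ($result.Status -ne 'Issued') {
    throw "Enrollment did not complete (status: $($result.Status)); check template permissions and that the CA issues it"
}
$cert = $result.Certificate

# A certificate is only usable for LDAPS if it carries Server Authentication, has a
# usable private key, and names the server's FQDN in the subject or the SAN extension.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$fqdn    = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }

$checks = [ordered]@{
    Thumbprint      = $cert.Thumbprint
    Subject         = $cert.Subject
    NotAfter        = $cert.NotAfter
    ServerAuthEKU   = [bool]($cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
    HasPrivateKey   = $cert.HasPrivateKey
    NameMatchesFqdn = ($sanText -match [regex]::Escape($fqdn)) -or ($cert.Subject -match [regex]::Escape($fqdn))
}
[pscustomobject]$checks | Format-List

if (-not ($checks.ServerAuthEKU -and $checks.HasPrivateKey -and $checks.NameMatchesFqdn)) {
    Write-Warning 'This certificate will not be picked up for LDAPS; revisit the template settings.'
}
```

If the certificate is meant for an AD LDS instance running as Network Service rather than for a domain controller, that account also needs Read permission on the certificate's private key (Manage Private Keys in the Certificates console) before the instance will use it.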

Validating LDAPS connection

  • Log in to the LDAP server as Enterprise Admin
  • Press Win+R and run ldp.exe
  • On the top menu, click Connection, and then click Connect
click Connect
  • In Server, enter the server's fully qualified domain name (it must match the name on the certificate), check SSL, ensure the correct port is set (636 for a domain controller, or 50001 for the AD LDS instance created above), and click OK
ensure SSL is checked
  • No errors should appear. If the connection was unsuccessful, output like the following may appear
connection was unsuccessful
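The ldp.exe test above can be repeated from a script, which is useful for checking several servers or for scheduled validation. This is an added example and not code from the original article: it opens a TLS session to the LDAPS port, records the client's certificate-validation verdict instead of failing silently, and reports the certificate the server presented. The server name is a placeholder; the port is 636 for a domain controller or 50001 for an AD LDS instance hosted on one.

```powershell
# Added example, not from the original article: scripted counterpart to the
# ldp.exe test above. Opens a TLS session to the LDAPS port, keeps the client's
# certificate-validation verdict, and reports the certificate the server sent.
# Assumptions: $Server is a placeholder FQDN; use port 636 for a domain controller
# or 50001 for an AD LDS instance hosted on a DC. Save as a .ps1 and run it.
param(
    [string]$Server = 'ldap.example.test',   # placeholder; must match the name on the certificate
    [int]$Port = 636
)

$state = @{ Errors = $null }
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $state.Errors = $errors   # record chain/name problems instead of aborting, so we can report them
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
    $ssl.AuthenticateAsClient($Server)   # the target host name is compared against SAN/CN
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

    $serverAuthOid = '1.3.6.1.5.5.7.3.1'
    [pscustomobject]@{
        Server           = "${Server}:$Port"
        TlsProtocol      = $ssl.SslProtocol
        Subject          = $cert.Subject
        Issuer           = $cert.Issuer
        NotAfter         = $cert.NotAfter
        ServerAuthEKU    = [bool]($cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
        ValidationErrors = $state.Errors   # None means this client trusts the chain and the name matched
    } | Format-List
}
catch {
    # The same situations ldp.exe reports as a failed connection: closed port, no usable
    # certificate on the server, or a handshake rejected by either side
    Write-Warning "LDAPS connection to ${Server}:$Port failed: $($_.Exception.Message)"
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```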

Conclusion

This enables LDAPS, which protects the credentials used in your PKI environment and lets other applications bind to the directory over an encrypted connection.

If you need help with your PKI environment, feel free to email us at [email protected].
