Enabling LDAP over SSL with AD LDS
- Create a new server authentication/Web server certificate. LINK
- Import the certificate into the Certificates store for the local service of the instance. LINK
- Grant Read permission on the server authentication certificate to the account the LDS service runs as (typically the "Network Service" account).
- Open the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder and verify that "Network Service", "Administrators" & "System" have read access to all of the certs.
- Verify SSL is required on the LDS instance:
  - Open ADSI Edit and connect to the configuration partition of the LDS instance.
  - Navigate to CN=Directory Service,CN=Windows NT,CN=Services.
  - Right-click CN=Directory Service and select Properties.
  - Select the msDS-Other-Settings attribute and click Edit.
  - Verify that the value RequireSecureProxyBind is set to 1 (the entry reads RequireSecureProxyBind=1).
- Use LDP.exe to test SSL:
  - Open ldp.exe.
  - Click Connection -> Connect.
  - Enter the FQDN of the server.
  - Change the port to the instance's SSL port (the LDAPS default is 636).
  - Check the SSL box.
  - Click OK to connect.
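The same verification can be scripted so it is repeatable after certificate renewals. The following PowerShell is an added example, not part of the original post: it checks the MachineKeys ACLs from the step above, then binds to the instance over LDAPS while validating the certificate the server presents (chain and host name) and reads msDS-Other-Settings to confirm RequireSecureProxyBind=1. The server name, port, credential and the identity names are assumptions you should adjust for your instance.

```powershell
# Added example (not from the original post): verify AD LDS LDAPS prerequisites and test the bind.
param(
    [string]$Fqdn = "lds01.example.local",   # placeholder FQDN of the AD LDS instance (assumption)
    [int]$Port = 636,                         # LDAPS port configured on the instance
    [pscredential]$Credential = $null         # optional; an anonymous bind is used when omitted
)

Add-Type -AssemblyName System.DirectoryServices.Protocols

# Check that the key containers under MachineKeys grant Read to the accounts named in the post.
function Test-MachineKeyAccess {
    param([string[]]$Identities = @("NT AUTHORITY\NETWORK SERVICE", "BUILTIN\Administrators", "NT AUTHORITY\SYSTEM"))
    $folder   = Join-Path $env:ProgramData "Microsoft\Crypto\RSA\MachineKeys"
    $readBits = [System.Security.AccessControl.FileSystemRights]::Read
    $problems = @()
    Get-ChildItem -Path $folder -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $file = $_
        $acl  = Get-Acl -Path $file.FullName -ErrorAction SilentlyContinue
        if (-not $acl) { return }   # unreadable ACL: skip rather than report a false negative
        foreach ($id in $Identities) {
            $hasRead = $acl.Access | Where-Object {
                $_.IdentityReference.Value -eq $id -and
                $_.AccessControlType -eq 'Allow' -and
                (($_.FileSystemRights -band $readBits) -eq $readBits)
            }
            if (-not $hasRead) { $problems += "$($file.Name): $id lacks Read" }
        }
    }
    return $problems   # empty array means every key file grants Read to all listed identities
}

# Bind over LDAPS, validate the server certificate and read msDS-Other-Settings.
function Test-LdapsConnection {
    param([string]$Server, [int]$LdapsPort, [pscredential]$Cred)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $LdapsPort)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true
    if ($Cred) { $conn.AuthType = 'Negotiate'; $conn.Credential = $Cred.GetNetworkCredential() }
    else       { $conn.AuthType = 'Anonymous' }

    # Do not accept the certificate blindly: it must chain to a trusted root and name the host we dialled.
    $state = @{ Cert = $null }
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $c2 = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($certificate)
        $state.Cert = $c2
        $san   = $c2.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
        $names = if ($san) { $san.Format($false) } else { $c2.GetNameInfo('DnsName', $false) }
        $nameOk  = $names -match [regex]::Escape($Server)
        $chainOk = $c2.Verify()
        return ($nameOk -and $chainOk)
    }

    try {
        $conn.Bind()
        # RootDSE tells us the configuration naming context of this instance.
        $rootReq  = New-Object System.DirectoryServices.Protocols.SearchRequest($null, "(objectClass=*)", 'Base', @('configurationNamingContext'))
        $configNc = $conn.SendRequest($rootReq).Entries[0].Attributes['configurationNamingContext'].GetValues([string])[0]
        $dsDn     = "CN=Directory Service,CN=Windows NT,CN=Services,$configNc"
        $dsReq    = New-Object System.DirectoryServices.Protocols.SearchRequest($dsDn, "(objectClass=*)", 'Base', @('msDS-Other-Settings'))
        $attr     = $conn.SendRequest($dsReq).Entries[0].Attributes['msDS-Other-Settings']
        $settings = if ($attr) { $attr.GetValues([string]) } else { @() }   # empty if the bind lacks read rights
        return [pscustomobject]@{
            Connected              = $true
            ServerCertSubject      = $state.Cert.Subject
            ServerCertThumbprint   = $state.Cert.Thumbprint
            RequireSecureProxyBind = ($settings -contains 'RequireSecureProxyBind=1')
            RequireSecureSimpleBind = ($settings -contains 'RequireSecureSimpleBind=1')
        }
    } catch {
        return [pscustomobject]@{ Connected = $false; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

$keyProblems = Test-MachineKeyAccess
if ($keyProblems) { $keyProblems | ForEach-Object { Write-Warning $_ } } else { Write-Output "MachineKeys ACLs OK" }
Test-LdapsConnection -Server $Fqdn -LdapsPort $Port -Cred $Credential
```

Run it on the LDS host as an administrator, since the MachineKeys ACL check needs rights to read the key files. A failed bind with a certificate error points back at the chain or the name on the certificate; a successful bind that reports RequireSecureProxyBind as false means the msDS-Other-Settings edit did not take. Note that RequireSecureProxyBind only forces SSL for proxy (bind redirection) binds; the companion setting RequireSecureSimpleBind, which the script also reports, governs simple binds, so check both if the goal is to keep credentials off plain LDAP.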