Pages

July 31, 2013

Enabling LDAP over SSL with AD LDS

Enabling LDAP over SSL with AD LDS

  1. Create a new server authentication/Web server certificate. LINK
  2. Import the certificate into the Certificates store for the local service of the instance. LINK
  3. Grant Read permission on the server authentication certificate to the same account that the LDS service is running as typically "Network Service" account
  4. Open the C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys folder and verify that "Network Service", "Administrators" & "System" have read access to all of the certs.
  5. Verify SSL is required on the LDS instance:
    • Open ADSI Edit and connect to the configuration partition of the LDS instance
    • Navigate to CN=Directory Service,CN=Windows NT, CN=Services
    • Right click on CN=Directory Service and select properties
    • Click the msDS-Other-Settings attribute and select edit
    • Verify this value is set to 1 RequireSecureProxyBind
  6.   Restart the LDS Instance.
  7.   Use LDP.exe to test SSL
    • Open ldp.exe
    • Click connection -> Connect
    • Enter the FQDN of the server
    • Change the port. (Default is 636)
    • Check the box for SSL
    • Click ok to connect.


No comments:

Post a Comment