Wednesday, 15 January 2020

Setting up TLS access to Active Directory over LDAP

I needed to enable access to my AD using LDAP, but didn't want to use unencrypted connections. Active Directory supports TLS connections (LDAPS), but the usual guidance for this is to install the Enterprise Root CA (some details on Technet here), which is WAY more than I needed.

Looking more into this, I learned that I don't need a full CA; I just need a certificate installed on the domain controllers, and that is enough. Luckily, since I had already set up my own CA previously, I could use it to issue my own certificate and install it on the DCs.

I found a ServerFault reply detailing the requirements for the certificate, which were actually very simple:

  • The LDAPS certificate is located in the Local Computer's Personal certificate store (programmatically known as the computer's MY certificate store).
  • A private key that matches the certificate is present in the Local Computer's store and is correctly associated with the certificate.
  • The private key must not have strong private key protection enabled.
  • The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (also known as OID).
  • The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places: the Common Name (CN) in the Subject field, or a DNS entry in the Subject Alternative Name extension.
  • The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
  • You must use the Schannel cryptographic service provider (CSP) to generate the key.

With this, I could create a single certificate that had all my domain controllers in the Subject Alternative Name field, then install it on each server. Once the certificate files were copied to the server, the process was actually simple - I had to install the root cert first:

    Import-Certificate .\root.crt -CertStoreLocation Cert:\LocalMachine\Root\

Then install the new AD certificate:

    Import-PfxCertificate .\ad-dc.pfx -CertStoreLocation Cert:\LocalMachine\My\ -Password (Get-Credential -UserName 'Enter password below').Password

Once done, you can connect to LDAP over TLS straight away!
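To confirm that the imported certificate actually meets the requirements listed above and that the DC serves it on 636, here is an added verification script (example code, not part of the original post). It assumes the DC's FQDN is dc01.example.com and is run on a machine that trusts the root CA imported above.

```powershell
# Added example, not part of the original post: check the imported LDAPS certificate against
# the listed requirements, then perform a real TLS handshake against the DC on port 636.
# Assumption: the DC is dc01.example.com (replace it); the root CA is trusted on this machine.
param(
    [string]$DcFqdn = 'dc01.example.com'   # assumed name, not from the post
)

$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU required by the list above

# Find certificates in the computer's Personal (MY) store whose CN or SAN DNS entries name this DC.
# DnsNameList is PowerShell's view of the SAN DNS entries plus the Subject CN.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    @($_.DnsNameList.Unicode) -contains $DcFqdn
}
if (-not $candidates) { Write-Warning "No certificate in Cert:\LocalMachine\My names $DcFqdn" }

foreach ($cert in $candidates) {
    $checks = [ordered]@{
        'Private key present'       = $cert.HasPrivateKey
        'Server Authentication EKU' = ($cert.EnhancedKeyUsageList.ObjectId -contains $serverAuthOid)
        'Not expired'               = ($cert.NotAfter -gt (Get-Date))
        'Chains to a trusted root'  = $cert.Verify()   # builds the chain against the local Root store
    }
    "`nCertificate: $($cert.Subject) [$($cert.Thumbprint)]"
    $checks.GetEnumerator() | ForEach-Object { '  {0,-26} {1}' -f $_.Key, $_.Value }
}

# Finally connect to LDAPS and let Schannel validate what the DC actually presents
$client = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($DcFqdn)   # throws if the chain or the host name does not validate
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "`nLDAPS handshake OK ($($ssl.SslProtocol)); server presented: $($presented.Subject)"
} finally {
    $ssl.Dispose()
    $client.Dispose()
}
```

If the store checks pass but the handshake fails, the DC has not yet picked up the new certificate or is presenting a different one; the Subject printed by the handshake tells you which.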