Tuesday, 5 May 2020

Step by Step Guide to Setup LDAPS on Windows Server

https://docs.microsoft.com/en-gb/archive/blogs/microsoftrservertigerteam/step-by-step-guide-to-setup-ldaps-on-windows-server


Step by Step Guide to Setup LDAPS on Windows Server

Step-by-step guide for setting up LDAPS (LDAP over SSL)
The guide is split into 3 sections :
  1. Create a Windows Server VM in Azure
  2. Setup LDAP using AD LDS (Active Directory Lightweight Directory Services)
  3. Setup LDAPS (LDAP over SSL)
NOTE : The following steps are similar for Windows Server 2008, 2012, 2012 R2 , 2016. In this article, we will use Windows Server 2012 R2.

Create a Windows Server VM in Azure

Create a VM named “ldapstest” Windows Server 2012 R2 Datacenter Standard DS12 using the instructions here: Create a Windows virtual machine with the Azure portal
Connect to the VM ldapstest using Remote Desktop Connection.

Setup LDAP using AD LDS

Now let us add AD LDS in our VM ldapstest
Click on Start --> Server Manager --> Add Roles and Features. Click Next.
v1
Choose Role-based or feature-based installation. Click Next.
v2
Select ldapstest server from the server pool. Click Next.
v3
Mark Active Directory Lightweight Directory Services from the list of roles and click Next.
v4
From the list of features, choose nothing – just click Next.
v5
Click Next.
v6
Click Install to start installation.
v7
Once installation is complete, click Close.
v8
Now we have successfully set up AD LDS Role. Let us create a new AD LDS Instance “CONTOSO” using the wizard. Click the “Run the Active Directory Lightweight Directory Services Setup Wizard” in the above screen. And then Click Close.
v9
Choose Unique Instance since we are setting it up for the first time.
v10
Type “CONTOSO” in Instance Name and click Next.


v12
By Default, LDAP Port is 389 and LDAPS port is 636, let us choose the default values - click Next.
v13
Create a new Application Directory Partition named “CN=MRS,DC=CONTOSO,DC=COM”. Click Next.
v14
Using the default values for storage location of ADLDS files- Click Next.
v15
Choosing Network Service Account for running the AD LDS Service.
v16
You will receive a prompt warning about data replication. Since we are using a single LDAP Server, we can click Yes.
v17
Choosing the currently logged on user as an administrator for the AD LDS Instance. Click Next.
v18
Mark all the required LDIF files to import (Here we are marking all files). Click Next.
v19
Verify that all the selections are right and then Click Next to confirm Installation.
v20
Once the instance is setup successfully, click Finish.
v21
Now let us try to connect to the AD LDS Instance CONTOSO using ADSI Edit.
Click on Start --> Search “ADSI Edit” and open it.
Right Click on ADSI Edit Folder (on the left pane) and choose Connect To.. . Fill the following values and Click OK.

v23
If the connection is successful, we will be able to browse the Directory CN=MRS,DC=CONTOSO,DC=COM :
v24

Setup LDAPS (LDAP over SSL)

The Certificate to be used for LDAPS must satisfy the following 3 requirements:
• Certificate must be valid for the purpose of Server Authentication. This means that it must also contains the Server Authentication object identifier (OID): 1.3.6.1.5.5.7.3.1
• The Subject name or the first name in the Subject Alternative Name (SAN) must match the Fully Qualified Domain Name (FQDN) of the host machine, such as Subject:CN=contosoldaps. For more information, see How to add a Subject Alternative Name to a secure LDAP certificate .
• The host machine account must have access to the private key.
Now, let’s use Active Directory Certificate Services to create a certificate to be used for LDAPS. If you already have a certificate satisfying the above requirements, you can skip this step.
Click on Start --> Server Manager --> Add Roles and Features. Click Next.
v25
Choose Role-based or feature-based installation. Click Next.
v26
Select ldapstest server from the server pool. Click Next.
v27
Choose Active Directory Certificate Services from the list of roles and click Next.
v28
Choose nothing from the list of features and click Next.
v29
Click Next.
v30
Mark “Certificate Authority” from the list of roles and click Next.
v31
Click Install to confirm installation.
v32
Once installation is complete, Click Close.
v33
Now let’s create a certificate using AD CS Configuration Wizard. To open the wizard, click on “Configure Active Directory Certificate Services on the destination server” in the above screen. And then click Close. We can use the currently logged on user azureuser to configure role services since it belongs to the local Administrators group. Click Next.
v34
Choose Certification Authority from the list of roles. Click Next.
v35
Since this is a local box setup without a domain, we are going to choose a Standalone CA. Click Next.
v36
Choosing Root CA as the type of CA, click Next.
v37
Since we do not possess a private key – let’s create a new one. Click Next.
v38
Choosing SHA1 as the Hash algorithm. Click Next.
UPDATE : Recommended to select the most recent hashing algorithm since SHA-1 deprecation countdown v39
The name of the CA must match the Hostname (requirement number 2). Enter “LDAPSTEST” and Click Next.
v40
Specifying validity period of the certificate. Choosing Default 5 years. Click Next.
v41
Choosing default database locations, click Next.
v42
Click Configure to confirm.
v43
Once the configuration is successful/complete. Click Close.
v44
Now let us view the generated certificate.
Click on Start à Search “Manage Computer Certificates” and open it.
Click on Personal Certificates and verify that the certificate “LDAPSTEST” is present:
v45
Now to fulfill the third requirement, let us ensure host machine account has access to the private key. Using the Certutil utility, find the Unique Container Name. Open Command Prompt in Administrator mode and run the following command: certutil -verifystore MY
v46
The private key will be present in the following location C:\ProgramData\Microsoft\Crypto\Keys\<UniqueContainerName>
Right Click C:\ProgramData\Microsoft\Crypto\Keys\874cb49a696726e9f435c1888b69f317_d3e61130-4cd8-4288-a344-7784647ff8c4 and click properties --> Security and add read permissions for NETWORK SERVICE.
v47
We need to import this certificate into JRE key store since our certificate “CN=LDAPSTEST” is not signed by any by any trusted Certification Authority(CA) which is configured in you JRE keystore e.g Verisign, Thwate, goDaddy or entrust etc. In order to import this certificate using the keytool utility, let us first export this cert as a .CER from the machine certificate store:
Click Start --> Search “Manage Computer Certificates” and open it. Open personal, right click LDAPSTEST cert and click “Export”.
v48
This opens the Certificate Export Wizard. Click Next.
v49
Do not export the private key. Click Next.
v50
Choose Base-64 encoded X .509 file format. Click Next.
v51
Exporting the .CER to Desktop. Click Next.
v52
Click Finish to complete the certificate export.
v53
Certificate is now successfully exported to “C:\Users\azureuser\Desktop\ldapstest.cer”.
Now we shall import it to JRE Keystore using the keytool command present in this location:
C:\Program Files\Java\jre1.8.0_92\bin\keytool.exe.
Open Command Prompt in administrator mode. Navigate to “C:\Program Files\Java\jre1.8.0_92\bin\” and run the following command:
 keytool -importcert -alias "ldapstest" -keystore "C:\Program Files\Java\jre1.8.0_92\lib\security\cacerts" -storepass changeit -file "C:\Users\azureuser\Desktop\ldapstest.cer"

v54
Type “yes” in the Trust this certificate prompt.
Once certificate is successfully added to the JRE keystore, we can connect to the LDAP server over SSL.
Now let us try to connect to LDAP Server (with and without SSL) using the ldp.exe tool.
Connection strings for
LDAP:\\ldapstest:389
LDAPS:\\ldapstest:636
Click on Start --> Search ldp.exe --> Connection and fill in the following parameters and click OK to connect:
v55
If Connection is successful, you will see the following message in the ldp.exe tool:
v56

To Connect to LDAPS (LDAP over SSL), use port 636 and mark SSL. Click OK to connect.
v57
If connection is successful, you will see the following message in the ldp.exe tool:
v58

REFERENCES

No comments:

Post a Comment

Note: only a member of this blog may post a comment.

Blog Archive