LDAPS on Server 2008 R2 without a CA

Recently we needed to enable LDAPS on our domain controller for internal applications. We did not want to buy an SSL certificate from a third-party CA, and we also wanted to avoid deploying our own CA.

Here are the steps that worked for us:

  1. First we need an SSL certificate that carries the server's FQDN and is suitable for server authentication (Enhanced Key Usage OID 1.3.6.1.5.5.7.3.1), with its private key present on the Domain Controller. A Windows server usually already has a self-signed certificate with its internal name (roles such as Remote Desktop Services create one), so on the Domain Controller I opened the Certificates MMC snap-in for the Local Computer and searched for it. The name on the certificate must be the FQDN that clients will connect to; an IP address or a short host name will not validate.
  2. I copied this certificate to Local Computer\Personal, which is where AD DS looks for the certificate it uses for server authentication.
  3. I copied it to Local Computer\Trusted Root Certification Authorities to make it trusted on the server itself. A self-signed certificate has no issuer to vouch for it, so it has to be a trusted root in its own right.
  4. I exported it without the private key (a .cer file) and imported it into Local Computer\Trusted Root on the web server hosting the application that authenticates through LDAPS, so that server trusts the certificate as well. Keep in mind that anything placed in Trusted Root becomes a trust anchor for that machine: never export the private key, distribute only the .cer file, and replace the entry on every client when the certificate is renewed or replaced.
  5. To test it I ran ldp.exe and connected to the Domain Controller using its internal FQDN, port 636 and the SSL option selected.
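Steps 1 to 4 done from PowerShell instead of the MMC, as an added example that is not part of the original post. It uses the .NET X509Store classes because the PKI cmdlets (Import-Certificate, Export-Certificate) do not exist on Server 2008 R2. The export path, the list of stores searched (the "Remote Desktop" store is assumed to be where the self-signed certificate most servers already have lives) and the FQDN lookup are assumptions of the example. Run it elevated on the Domain Controller; the commented lines at the end are what you run on the web server after copying the .cer file there.

```powershell
# Added example (not code from the original post): Steps 1-4 via the .NET X509Store classes.
# Run elevated on the Domain Controller. $ExportPath and $SearchStores are assumptions.
$ServerAuthOid = '1.3.6.1.5.5.7.3.1'                     # EKU: Server Authentication
$ipProps       = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$Fqdn          = '{0}.{1}' -f $ipProps.HostName, $ipProps.DomainName   # this DC's FQDN
$ExportPath    = 'C:\Temp\ldaps-dc.cer'                  # assumed: where the public .cer goes
$SearchStores  = 'My', 'Remote Desktop'                  # assumed: Personal plus the store that
                                                         # holds the self-signed RDS certificate

function Test-ServerAuthCert {
    # Step 1 requirements: private key on this machine, not expired, name is the FQDN,
    # and the EKU extension (if there is one) allows Server Authentication.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Name)
    if (-not $Cert.HasPrivateKey) { return $false }
    if ($Cert.NotAfter -lt (Get-Date)) { return $false }
    $nameOk = ($Cert.GetNameInfo('DnsName', $false) -ieq $Name)   # subject CN / first SAN DNS name
    if (-not $nameOk) {                                           # any DNS entry in the SAN
        $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san -and ($san.Format($false) -imatch ('DNS Name=' + [regex]::Escape($Name)))) { $nameOk = $true }
    }
    if (-not $nameOk) { return $false }
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku) { return $true }                               # no EKU extension = any purpose
    foreach ($oid in $eku.EnhancedKeyUsages) { if ($oid.Value -eq $ServerAuthOid) { return $true } }
    return $false
}

function Find-LdapsCandidate {
    # Step 1: search the Local Computer stores for the first certificate that qualifies
    param([string]$Name, [string[]]$Stores)
    foreach ($storeName in $Stores) {
        $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($storeName, 'LocalMachine')
        try {
            $store.Open('ReadOnly')
            foreach ($c in $store.Certificates) {
                if (Test-ServerAuthCert -Cert $c -Name $Name) { return $c }
            }
        } catch { Write-Warning "Store '$storeName' could not be opened: $($_.Exception.Message)" }
        finally { $store.Close() }
    }
}

function Add-CertToStore {
    # Copies a certificate (its private key reference included, if present) into a Local Computer store
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$StoreName)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store($StoreName, 'LocalMachine')
    try {
        $store.Open('ReadWrite')
        if (-not $store.Certificates.Contains($Cert)) { $store.Add($Cert) }
    } finally { $store.Close() }
}

$cert = Find-LdapsCandidate -Name $Fqdn -Stores $SearchStores
if (-not $cert) { throw "No certificate with a private key, the name $Fqdn and the Server Authentication EKU was found" }
'Using {0} (thumbprint {1}, expires {2})' -f $cert.Subject, $cert.Thumbprint, $cert.NotAfter

Add-CertToStore -Cert $cert -StoreName 'My'        # Step 2: Local Computer\Personal
if ($cert.Subject -eq $cert.Issuer) {              # Step 3: only a self-signed certificate belongs in
    Add-CertToStore -Cert $cert -StoreName 'Root'  #         Trusted Root; a CA-issued one needs its chain trusted
}

# Step 4: export the public certificate only (DER .cer); the private key stays on the DC.
[System.IO.File]::WriteAllBytes($ExportPath, $cert.Export('Cert'))

# On the web server, after copying the .cer file there: trust the DC's self-signed certificate.
# $clientCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ExportPath)
# Add-CertToStore -Cert $clientCert -StoreName 'Root'
```

The self-signed check before the Trusted Root copy is deliberate: if the certificate you find turns out to be issued by some CA after all, trusting the leaf as a root is the wrong fix and the issuing chain should be trusted instead.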

Note: There is no need to restart anything. AD DS re-reads its certificate stores periodically and picks up a new certificate on its own; on Server 2008 and later you can also force the reload with an ldifde modify of the renewServerCertificate attribute on rootDSE (see KB 321051 below). To make sure the update actually happened, look for Event 1221 (LDAP over SSL is now available) in the Directory Service event log.

Note: Windows Server 2008 adds the option of storing the certificate used for LDAPS in the Active Directory Domain Services service store (NTDS\Personal when the Certificates snap-in is opened for that service account) instead of the Local Computer store; a certificate found there takes precedence over one in Local Computer\Personal. The same sub-folders apply: Personal and Trusted Root.


Troubleshooting:

    1. Eliminate any networking issues, including a firewall blocking TCP port 636. Use telnet (telnet <DC FQDN> 636) to check that the port accepts connections at all.
    2. If you get Event 1220 (LDAP over SSL unavailable because no usable server certificate was found) every time the application tries to connect, it is most likely a certificate issue:
      – check that the certificate exists (see Step #1)
      – check that its private key is installed as well
      – check that it has not expired
      – check that it carries the server's FQDN (see Step #1)
      – check that it is suitable for server authentication (see Step #1)
      – check that it is in the right store folders (see Steps #2 and #3)
    3. If you get the following when trying to connect with ldp.exe:

      Error <0x0> = ldap_set_option(hLdap, LDAP_OPT_PROTOCOL_VERSION, LDAP_VERSION3);
      Error <0x51> = ldap_connect(hLdap, NULL);

      the first line (0x0) is a success; the failure is the ldap_connect call. 0x51 is LDAP_SERVER_DOWN (81 decimal), which for an SSL connection means the TLS handshake did not complete. Most likely the certificate is not trusted either on the Domain Controller or on the server you are connecting from (see Steps #3 and #4), or the name you connected with does not match the FQDN on the certificate.
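The troubleshooting checks above, together with the forced certificate reload mentioned in the note on restarts, as an added PowerShell example that is not part of the original post. Test-LdapsEndpoint runs on the client: it replaces the telnet test with a TCP connect, then performs the same TLS handshake ldp.exe does at ldap_connect and reports the certificate the DC presented and Schannel's verdict on it, which tells you whether the 0x51 comes from an untrusted certificate, from a name mismatch, or from the DC having no certificate at all. Get-LdapsEvents and Request-LdapsCertReload run on the Domain Controller. The DC name and the LDIF file location are assumptions; the renewServerCertificate rootDSE operation is the one documented in KB 321051 (linked below).

```powershell
# Added example (not code from the original post). $Dc is an assumed FQDN; it must be the
# name on the certificate, not an IP address or short name.
$Dc = 'dc1.corp.example'

function Test-LdapsEndpoint {
    # Client side: TCP reachability (Troubleshooting #1), then the TLS handshake (#2/#3)
    param([string]$Server, [int]$Port = 636)
    $r = New-Object PSObject -Property @{ Server = $Server; TcpOpen = $false; Handshake = $false;
                                          Subject = $null; NotAfter = $null; PolicyErrors = $null }
    $tcp = New-Object System.Net.Sockets.TcpClient
    try { $tcp.Connect($Server, $Port); $r.TcpOpen = $true }
    catch { Write-Warning "TCP ${Server}:$Port unreachable (firewall? no LDAPS listener?): $($_.Exception.Message)"; return $r }

    # Record what the DC sent and Schannel's verdict instead of only getting a generic failure.
    # Returning $true here is for diagnosis only; a real client must enforce the verdict.
    $script:LdapsSeen = $null
    $onCert = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $cert, $chain, $errors)
        $script:LdapsSeen = @{ Cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert); Errors = $errors }
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $onCert)
    try { $ssl.AuthenticateAsClient($Server); $r.Handshake = $true }
    catch { Write-Warning "TLS handshake failed (no usable certificate on the DC -> Event 1220 there): $($_.Exception.Message)" }
    finally { $ssl.Dispose(); $tcp.Close() }

    if ($script:LdapsSeen) {
        $r.Subject  = $script:LdapsSeen.Cert.Subject
        $r.NotAfter = $script:LdapsSeen.Cert.NotAfter
        # None = fine; RemoteCertificateChainErrors = not trusted on this client (Steps 3/4);
        # RemoteCertificateNameMismatch = the certificate name is not the FQDN you connected to (Step 1)
        $r.PolicyErrors = $script:LdapsSeen.Errors.ToString()
    }
    return $r
}

function Get-LdapsEvents {
    # DC side: 1221 = LDAP over SSL is now available, 1220 = no usable server certificate
    param([int]$Newest = 500)
    Get-EventLog -LogName 'Directory Service' -Newest $Newest |
        Where-Object { @(1220, 1221) -contains $_.EventID } |
        Select-Object TimeGenerated, EventID, Message
}

function Request-LdapsCertReload {
    # DC side: ask AD DS to re-read its certificate stores now rather than at the next periodic check
    $ldif = "dn:`r`nchangetype: modify`r`nadd: renewServerCertificate`r`nrenewServerCertificate: 1`r`n-`r`n"
    $path = Join-Path $env:TEMP 'renewservercert.ldf'   # assumed location of the LDIF file
    [System.IO.File]::WriteAllText($path, $ldif, [System.Text.Encoding]::ASCII)
    & ldifde -i -f $path
}

Test-LdapsEndpoint -Server $Dc | Format-List Server, TcpOpen, Handshake, Subject, NotAfter, PolicyErrors
```

Read the output from the top: TcpOpen false is the firewall case; TcpOpen true with Handshake false and no Subject means the DC sent no certificate (check Event 1220 on the DC); a Subject with RemoteCertificateChainErrors means the .cer has not been imported into Trusted Root on this client; RemoteCertificateNameMismatch means you connected with a name the certificate does not carry.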


Useful articles that helped me a lot:

  1. http://technet.microsoft.com/en-us/library/dd941846%28WS.10%29.aspx
  2. http://support.microsoft.com/kb/321051