Enable SSL on Active Directory

Majid Latif

Introduction

To get the full experience from LogonBox, your Active Directory must be configured for SSL (LDAP over TLS, usually called LDAPS). This allows the secure node agent to perform secure operations against your Active Directory, such as password changes, and it is a requirement for LogonBox to work at all: Active Directory refuses password-set operations that arrive over an unencrypted LDAP connection. LogonBox values your privacy, which is why secure communication with user directories such as your AD is vital.

This article details how to configure Windows Server 2008, with links to Windows Server 2003 and Windows Server 2012; for other directories, please refer to your directory's own instructions.

Other Windows Directories

Configure LDAP SSL on Windows 2008 

Step 1: Install the Certificate Services Roles

To begin, the Windows server should already have Active Directory Domain Services installed. If it does not, install this before continuing.

Once Domain Services has been installed and configured (if that was required), open the Add Roles wizard, select the Active Directory Certificate Services role, and begin installing this role on the domain controller.

Note: The following wizard settings are intended for a single domain controller environment and are the ones used in our own test systems. Your own configuration requirements may vary.

When the wizard prompts you to select the role services for Certificate Services, select the Certification Authority option and click Next.

You'll next be prompted to select the type of Certification Authority you wish to create. To issue certificates to Active Directory from the built-in Domain Controller templates you must select Enterprise CA; a standalone CA cannot use certificate templates.

Next you need to set whether the CA is a root or a subordinate; in this environment select the Root CA option.

Next you need to specify whether the CA will use a new or an existing private key. We select Create a New Private Key; if you already have a key you wish to use, select the Use Existing option and import it on the domain controller.

The remaining pages of the wizard configure the certification authority. In most cases you can leave these at the default values unless you specifically wish to change the CA name, the cryptographic settings, the validity period, or the database location. One setting worth checking is the hash algorithm: if the wizard offers SHA1 as the default, choose SHA256 where your clients support it. Continue until the wizard completes.

Finally you'll be presented with a summary of the Certificate Services settings. Confirming here installs the Certificate Services role.

Step 2: Configuring Certificates for the Domain

After Certificate Services has completed installation, open the Start menu and run the MMC application.

In MMC open the File menu and select the Add/Remove Snap-in option. A new window will open listing all available snap-ins. In the left-hand list select the Certificates snap-in and click Add >.

The Certificates snap-in window will open. On the first page select the Computer Account option and continue to the next page.

On the second page select the Local Computer option and click Finish.

The Certificates snap-in will now be added to the console; click OK to complete setup and return to the console.

The console will now list a Certificates section with a number of folders; expand Personal > Certificates. With the inner Certificates folder selected you should see one certificate listed in the central pane for the CA that was created. There may also be a certificate for the server itself.

With the Certificates folder still selected, right-click the folder and select All Tasks > Request New Certificate. The Certificate Enrollment wizard will begin.

When prompted to choose the type of certificate enrollment policy, select the Active Directory Enrollment Policy option.

Next you'll need to request the certificates: select both the Domain Controller and Domain Controller Authentication templates, click Enroll, and then Finish to complete the wizard.

Two additional certificates will now be listed under Personal > Certificates. The LDAP server on the domain controller selects a suitable certificate from this store automatically: it must carry the Server Authentication purpose, its subject or subject alternative name must contain the domain controller's fully qualified name, and the private key must be present, all of which the Domain Controller templates provide.
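The same two steps can be scripted instead of clicked through. The following is an added example, not part of the LogonBox article; it assumes Windows Server 2012 or later (the ADCSDeployment cmdlets do not exist on Server 2008, where the wizard above is the only option), an account with Enterprise Admin rights, and that the CA name and key parameters below are placeholders you will replace.

```powershell
# Added example (not from the LogonBox article): command-line equivalent of Steps 1 and 2.
# Assumptions: Windows Server 2012 or later, run elevated on the domain controller,
# CA name and key parameters are placeholders.

# Step 1: install the Certification Authority role service and configure an enterprise root CA.
Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools
Install-AdcsCertificationAuthority -CAType EnterpriseRootCA `
    -CACommonName 'Example Enterprise Root CA' `
    -CryptoProviderName 'RSA#Microsoft Software Key Storage Provider' `
    -KeyLength 2048 -HashAlgorithmName SHA256 `
    -ValidityPeriod Years -ValidityPeriodUnits 10 -Force

# Step 2: enrol the domain controller for the same two templates the MMC wizard offers.
# The template's internal name (used here) differs from the display name shown in the wizard.
certreq -enroll -machine -q DomainController
certreq -enroll -machine -q DomainControllerAuthentication

# Check that a Server Authentication certificate (EKU 1.3.6.1.5.5.7.3.1) issued by the new CA
# is now in the machine store, and that its subject alternative name carries the DC's FQDN;
# this is the certificate the LDAP server will pick up for port 636.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' } |
    Format-List Subject, Issuer, NotAfter,
        @{ Name = 'SAN'; Expression = { ($_.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }).Format($false) } }
```

If the last command lists no certificate, enrollment failed: check that the CA is online and that the domain controller's computer account has Enroll permission on the two templates before retrying.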

 

Step 3: Testing the SSL Connection

To test the SSL connection to Active Directory, open the Start menu and run the LDP application (ldp.exe).

Open the Connection menu and select Connect; in the Connect window set the connection details as follows and then select OK:

  • Hostname: localhost
  • Port: 636
  • SSL option enabled

If the SSL connection is working correctly you should see output similar to the following.

Using localhost is sufficient for a test on the domain controller itself. From any other host, connect to the domain controller's fully qualified name, since that is the name the certificate carries, and make sure that host trusts the enterprise root CA; domain members receive it automatically through Active Directory, while non-domain systems (including a LogonBox appliance) need the CA certificate imported into their trust store.

Active Directory will now accept LDAP connections over SSL. This is what allows third-party applications such as LogonBox to reset passwords and unlock accounts, because Active Directory rejects writes to the unicodePwd attribute over an unencrypted connection. Enabling SSL grants no rights by itself: the service account the application binds with still needs the Reset Password and unlock permissions delegated on the relevant organizational units.
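The two checks above (that port 636 answers with a usable certificate, and that password operations succeed only once it does) can be run from PowerShell on a domain member. This is an added example, not code from the LogonBox article or product; it assumes a domain controller named dc01.example.com, a test account with the distinguished name shown, and that the caller has Reset Password rights on it. All of those names and the password value are placeholders.

```powershell
# Added example, not part of the LogonBox article. Verifies the LDAPS endpoint of a domain
# controller, then shows that a unicodePwd write succeeds over LDAPS but is refused over plain LDAP.
# Assumptions: dc01.example.com, the test user's DN and the password below are placeholders.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapsEndpoint {
    param([string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    # Accept any certificate for the handshake itself; trust and name checks are reported below.
    $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $callback
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert   = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $chain  = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
        $san    = if ($sanExt) { $sanExt.Format($false) } else { '' }
        [pscustomobject]@{
            Server    = $Server
            Protocol  = $ssl.SslProtocol
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer
            NotAfter  = $cert.NotAfter
            SAN       = $san
            ChainOk   = $chain.Build($cert)                      # false if this host does not trust the issuing CA
            NameMatch = $san -match [regex]::Escape($Server)     # false for 'localhost' by design
        }
    } finally {
        $ssl.Dispose(); $tcp.Dispose()
    }
}

function Set-AdPassword {
    param([string]$Server, [string]$UserDn, [string]$NewPassword, [switch]$PlainLdap)
    $port = if ($PlainLdap) { 389 } else { 636 }
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = -not $PlainLdap.IsPresent
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate   # current Windows credentials
    try {
        $conn.Bind()   # throws on TLS handshake or authentication failure
        # AD requires unicodePwd to be the new password wrapped in double quotes, encoded UTF-16LE.
        $pwdBytes = [System.Text.Encoding]::Unicode.GetBytes('"' + $NewPassword + '"')
        $mod = New-Object System.DirectoryServices.Protocols.DirectoryAttributeModification
        $mod.Name      = 'unicodePwd'
        $mod.Operation = [System.DirectoryServices.Protocols.DirectoryAttributeOperation]::Replace  # Replace = administrative reset
        [void]$mod.Add($pwdBytes)
        $mods = [System.DirectoryServices.Protocols.DirectoryAttributeModification[]]@($mod)
        $req  = New-Object System.DirectoryServices.Protocols.ModifyRequest -ArgumentList $UserDn, $mods
        return $conn.SendRequest($req).ResultCode
    } catch [System.DirectoryServices.Protocols.DirectoryOperationException] {
        # Over a connection that is neither TLS nor SASL-sealed, AD refuses the write with UnwillingToPerform.
        return $_.Exception.Response.ResultCode
    } finally {
        $conn.Dispose()
    }
}

$dc     = 'dc01.example.com'                                 # assumption: use the FQDN, not localhost
$userDn = 'CN=Test User,OU=Staff,DC=example,DC=com'          # assumption: placeholder test account
Test-LdapsEndpoint -Server $dc | Format-List
Set-AdPassword -Server $dc -UserDn $userDn -NewPassword 'Str0ng-Example!2024' -PlainLdap
Set-AdPassword -Server $dc -UserDn $userDn -NewPassword 'Str0ng-Example!2024'
```

Run against a working domain controller, the first Set-AdPassword call comes back with UnwillingToPerform and the second with Success, using the same account both times; only the transport differs. That contrast is the reason LogonBox needs port 636: its password-reset and unlock operations are exactly this kind of write. The plain-LDAP call deliberately leaves SASL sealing at its default (off), since a sealed Kerberos session also satisfies the directory's encryption requirement and would blur the comparison.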