Campus Active Directory - Install Server Certificate for Domain Controllers

By default, Active Directory LDAP traffic is transmitted unsecured. Clear-text and unsigned LDAP traffic is susceptible to sniffing and replay attacks. LDAP traffic can be secured using Secure Sockets Layer (SSL) / Transport Layer Security (TLS). LDAP over SSL (LDAPS) is enabled by installing a properly formatted server certificate on the domain controller.

The InCommon server certificates requested from Certificate Services are trusted by most operating systems natively without requiring the installation of additional root certificates.

SSL Certificate FAQs - Information about the Server Certificate request process

Support Information - "The UW Madison SSL server certificate services does not directly support end-user local systems, for their generation of CSRs, installing certs, etc. on said systems. We provide the means to obtain/deliver the certificates with Incommon."

IMPORTANT NOTE:

Before beginning, verify that Active Directory Certificate Services is not installed on any of the domain controllers. If a third-party certificate is required for LDAPS connections, the Microsoft Enterprise Certificate Authority must not be installed on the LDAP server, because installing it makes the Enterprise CA certificate the default certificate for SSL validation. How to decommission a Windows Enterprise CA: http://support.microsoft.com/kb/889250

Submit certificate request to the Certificate Services

Example "request.inf"

;----------------- request.inf -----------------

[Version]
Signature="$Windows NT$"

[NewRequest]
; Change to your country code, organization name and common name (the DC's FQDN)
Subject = "C=US, O=University of Wisconsin-Madison, CN=yourservername.wisc.edu"

KeySpec = 1               ; AT_KEYEXCHANGE
KeyLength = 2048
Exportable = TRUE         ; allows the private key to be exported from this machine
MachineKeySet = TRUE      ; store the key in the computer (not user) key set
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12         ; PROV_RSA_SCHANNEL
RequestType = PKCS10
KeyUsage = 0xa0           ; digitalSignature (0x80) + keyEncipherment (0x20)

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1     ; Server Authentication
;-----------------------------------------------

IMPORTANT NOTE: Be careful to close out this page each time before using the above link again to request additional certificates; otherwise it refreshes and creates a duplicate request!

Available formats:
      as PKCS#7: https://cert-manager.com/customer/InCommon/ssl?action=download&sslId=156346&format
      (Cryptographic Message Syntax Standard (PKCS #7), .p7b: supports storage of the certificate and all certificates in the certification path. Does not include the private key.)

Install the Certificate

More detailed steps can be found here: https://www.digicert.com/kb/ssl-certificate-installation-microsoft-active-directory-ldap-2012

Additional Steps for Domain Controllers that require the certificate in multiple locations (2012 and later)

If there are multiple valid certificates available in the local computer store, Schannel, the Microsoft SSL provider, selects the first valid certificate that it finds in the store. The LDAP bind may fail if Schannel selects the wrong certificate.

Loading the requested server certificate into the NTDS\Personal certificate store ensures that the correct server certificate is used for LDAPS.

IMPORTANT NOTE:

  • Automatic certificate enrollment (auto-enrollment) cannot be utilized to populate NTDS\Personal certificate store
  • Command line tools are not able to manage certificates in the NTDS\Personal certificate store
  • Certificates should be imported into the NTDS\Personal store and not moved through drag-and-drop in the Certificates snap-in
  • The import process must be conducted on each domain controller

LDAP over SSL (LDAPS) Certificate (MS TechNet)

Enable LDAP over SSL with a third-party certification authority

When exporting the certificate:

Publish the Comodo root certificate (AddTrustedExternalCaRoot.crt) to the NTAuthCA certificate store
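After installing the certificate, the quickest way to confirm that Schannel is presenting the intended certificate on port 636 (rather than another one from the computer store) is to open a TLS session to the domain controller and inspect what comes back. The following PowerShell function is an added example, not part of this page or of the linked Microsoft and DigiCert articles; the host name and thumbprint it takes are placeholders you supply.

```powershell
# Added example: report which certificate a domain controller presents on LDAPS (636)
# and whether it is the one that was installed, chains to a trusted root, names the host,
# and carries the Server Authentication EKU requested in request.inf.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][string]$DomainController,
        [string]$ExpectedThumbprint   # thumbprint of the certificate you installed (optional)
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($DomainController, 636)
    # Accept any certificate during the handshake; trust is evaluated explicitly below
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($DomainController)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose(); $tcp.Close()
    }

    # Build the chain as a client on this machine would, against the local root stores
    $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','

    # Does the certificate name this host? Check the Subject CN and the SAN DNS names
    $san     = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanText = if ($san) { $san.Format($false) } else { '' }
    $nameOk  = ($cert.Subject -match "CN=$([regex]::Escape($DomainController))") -or
               ($sanText -match [regex]::Escape($DomainController))

    # Server Authentication EKU, OID 1.3.6.1.5.5.7.3.1 (the OID used in request.inf)
    $eku   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $ekuOk = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

    [pscustomobject]@{
        DomainController    = $DomainController
        PresentedThumbprint = $cert.Thumbprint
        Subject             = $cert.Subject
        Issuer              = $cert.Issuer
        NotAfter            = $cert.NotAfter
        IsExpectedCert      = if ($ExpectedThumbprint) { $cert.Thumbprint -eq $ExpectedThumbprint } else { $null }
        NameMatchesHost     = [bool]$nameOk
        HasServerAuthEku    = [bool]$ekuOk
        ChainTrusted        = $chainOk
        ChainStatus         = $status
    }
}

# Usage (placeholder values): compare the presented certificate with the one you installed
Test-LdapsCertificate -DomainController 'yourservername.wisc.edu' -ExpectedThumbprint '<thumbprint-of-installed-cert>'
```

If IsExpectedCert is false while the installed certificate is still in the computer store, Schannel has chosen a different certificate, which is the case the NTDS\Personal store import above is meant to resolve.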

Enable LDAP Interface Events Debugging

The domain controller logs Event ID 2887 every 24 hours with a summary of the clients that used clear or unsigned binds. Enabling debugging for LDAP Interface Events logs an Event ID 2889 each time a client uses a clear or unsigned bind to the domain controller.

Event ID 2889 LDAP signing
Event ID 2888 LDAP signing

To enable diagnostic logging for LDAP Interface Events:

To disable the diagnostic logging for LDAP Interface Events: