Enabling LDAPS (SSL/TLS) for AD LDS on Windows Server

  1. Create a separate working directory on the AD LDS server (for example, under your user profile) to hold the request, the signed certificate and the exported key store.
  2. In that directory, create a file named adlds_request.inf (the file name can be anything with an .inf extension).
  3. Copy the request template below into that file and change the values marked in pink to match your environment; at minimum, the Subject must be the DNS name that clients will use to connect to the AD LDS instance.
    Note:

    In this file, text following a ";" is a comment.

  4. From that directory, in a Command Prompt opened with Run as Administrator, run the following command to create the certificate request. The private key is generated on this server at the same time; only the request file is sent to the CA.

    certreq -new <.inf file name> <certificate request file name>

    An example of the command is shown below.

    media/image70.png

  5. The request file is created in the same directory.

    media/image71.png

  6. Submit the request file to your Certificate Authority, which returns the signed certificate.
  7. Copy the signed certificate into the same directory (preferably with a .cer or .crt extension).

    For example, in the sample below, pmsnmdomain.com is the root certificate, that is, the certificate of the issuer that signed the AD LDS instance's certificate, and adldsserver.pmsnmdomain.com is the signed certificate of the AD LDS instance itself.

    media/image72.png

  8. Once you have received the signed certificate from the Certificate Authority, run the following command from the same directory to install it and bind it to the private key generated in step 4:

    certreq -accept <received signed certificate file name>

    An example of the command is shown below.

    media/image73.png
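Steps 1 to 8 as a single PowerShell script, added here as an example; it is not code from the original page. The request template inside it is a standard certreq template rather than the page's own; the working directory, the host name adldsserver.pmsnmdomain.com (taken from the page's screenshots) and the file name adlds_server.cer for the CA's reply are assumptions to replace with your own values.

```powershell
# Added example, not part of the original page: steps 1 to 8 as a PowerShell script
# run from an elevated (Run as Administrator) session on the AD LDS server.
# ASSUMPTIONS: the working directory, host name and reply file name are placeholders;
# the request template is a standard certreq template, not the page's own.

$workDir = 'C:\Users\Administrator\adlds-cert'   # assumed working directory (step 1)
$fqdn    = 'adldsserver.pmsnmdomain.com'         # DNS name clients use to reach AD LDS

New-Item -ItemType Directory -Path $workDir -Force | Out-Null

# Single-quoted here-string so PowerShell does not expand "$Windows NT$".
# In the .inf format, text following ";" is a comment.
$inf = @'
[Version]
Signature="$Windows NT$"

[NewRequest]
; Subject must be the name clients connect to
Subject = "CN=__FQDN__"
KeyLength = 2048
; KeySpec 1 = AT_KEYEXCHANGE, required for TLS key exchange
KeySpec = 1
; 0xA0 = Digital Signature + Key Encipherment
KeyUsage = 0xA0
; Exportable is needed for the .pfx export in later steps
Exportable = TRUE
; MachineKeySet stores the key under the machine key store (MachineKeys)
MachineKeySet = TRUE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
HashAlgorithm = sha256

[EnhancedKeyUsageExtension]
; Server Authentication
OID = 1.3.6.1.5.5.7.3.1

[Extensions]
; Subject Alternative Name with the same DNS name
2.5.29.17 = "{text}"
_continue_ = "dns=__FQDN__&"
'@ -replace '__FQDN__', $fqdn

$infFile = Join-Path $workDir 'adlds_request.inf'
$reqFile = Join-Path $workDir 'adlds_request.req'
$cerFile = Join-Path $workDir 'adlds_server.cer'   # assumed name of the CA's reply

Set-Content -Path $infFile -Value $inf -Encoding Ascii

# Step 4: generate the key pair on this machine and write the PKCS#10 request.
certreq -new $infFile $reqFile
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed (exit code $LASTEXITCODE)" }

# Sanity check: subject, SAN and key length of the request as the CA will see them.
certutil -dump $reqFile | Select-String 'CN=|DNS Name|Public Key Length'

# Steps 6 and 7: submit $reqFile to the CA and save its reply as $cerFile.
# Step 8: once the reply is present, bind it to the private key created above.
if (Test-Path $cerFile) {
    certreq -accept $cerFile
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed (exit code $LASTEXITCODE)" }

    # The certificate must now be in the computer's Personal store with its key
    # (HasPrivateKey = True); this is the store the MMC steps export it from.
    Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -eq "CN=$fqdn" } |
        Format-Table Subject, Issuer, NotAfter, HasPrivateKey, Thumbprint -AutoSize
}
else {
    Write-Host "Send $reqFile to the CA, save the signed certificate as $cerFile, then rerun."
}
```

Run the script once to produce the request, hand adlds_request.req to the CA, save the reply under the assumed name and run it again; the second run performs the accept and lists the certificate, which should show HasPrivateKey as True before you continue with the MMC steps.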

  9. Open a Command Prompt using Run as Administrator.
  10. In the Command Prompt, run mmc; a new MMC window opens.
  11. In the MMC window, open the File menu and select Add/Remove Snap-in.

    media/image74.png

  12. In the Add or Remove Snap-ins window, select Certificates in the left pane and click Add.
  13. Select Computer account and click Next. Select Local computer, click Finish and then click OK.

    media/image75.png

  14. Expand Certificates > Personal > Certificates in the left pane. The installed certificates are listed in the right pane.

    media/image76.png

  15. Open the signed certificate you received from the Certificate Authority (certreq -accept placed it in this store).
  16. In the certificate dialog, go to the Details tab and click Copy to File.
  17. Click Next and select Yes, export the private key.

    media/image77.png

  18. Click Next.

    media/image78.png

  19. Enter a password twice to protect the exported key store and click Next. This password is all that protects the AD LDS private key while it sits in the .pfx file, so choose a strong one and delete the .pfx once the import in the following steps is complete.
  20. Save the .pfx file in the same directory where the certificate request was created, for easy identification.
  21. Click Next and then Finish.
  22. In the same MMC window, open the File menu and select Add/Remove Snap-in.
  23. Select Certificates and click Add.

    media/image79.png

  24. Select Service account and click Next.

    media/image80.png

  25. Select Local Computer, click Next.

    media/image81.png

  26. Select the service of your AD LDS instance (the service name is the AD LDS instance name).

    media/image82.png

  27. Click Finish and then click OK. The following Add or Remove Snap-ins window appears.

    media/image83.png

  28. In the MMC window, expand Certificates – Service (AD LDS instance name) on Local Computer. Right-click the <AD LDS instance name>\Personal store and select All Tasks > Import to import the AD LDS signed certificate together with its private key.
  29. Click Next, then Browse. In the file browser, change the file type filter to Personal Information Exchange (*.pfx, *.p12) and select the key store (.pfx) exported in steps 16 to 21.
  30. Click Next and enter the key store password that you set when exporting the .pfx file.
  31. Click Next > Next > Finish.

    media/image84.png

    Once imported, the certificate is listed as shown below.

    media/image85.png

  32. In the same way, import the root certificate of the issuer of the AD LDS certificate (for example, pmsnmdomain.com) into <AD LDS instance name>\Trusted Root Certification Authorities.
  33. Import the same root certificate into <AD LDS instance name>\Trusted Publishers.
  34. Import the certificate of the peer that will connect over LDAPS (for example, the Provisioning Manager application certificate) into <AD LDS instance name>\Trusted People. An example is shown below.

    media/image86.png

  35. Grant the account that the AD LDS instance runs as (Network Service by default) read access to the private key files of the imported certificates. Without this, the instance cannot load its certificate and LDAPS will not work.
  36. In File Explorer, go to C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys. This is a hidden folder; the files in it are private key containers, not certificates.
  37. Right-click each key file that shows a lock icon (the lock indicates restricted permissions on the file).

    media/image87.png

  38. Select Properties and go to the Security tab. Click Edit and then Add.

    media/image88.png

  39. In the Select Users, Computers, Service Accounts, or Groups window, enter Network Service and click OK.
  40. Grant Read and Read & execute permission (Full control is not needed), then click OK twice.

    media/image89.png

  41. Repeat for the key file of each certificate imported for the AD LDS instance. Only those key files need the permission; leave the other key containers in this folder as they are. Once the permissions are granted, the lock icons disappear.

    media/image90.png
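Steps 35 to 41 done with Get-Acl and Set-Acl instead of the Security tab, added here as an example; it is not code from the original page. It assumes an elevated Windows PowerShell 5.1 session, that the certificate's key was created with the Microsoft RSA SChannel Cryptographic Provider (a CAPI key, so its container file lives in MachineKeys as the page describes), and that the thumbprint is a placeholder you replace with the thumbprint of the AD LDS certificate in the computer's Personal store. If the copy you imported into the service store uses a different key container (the page's lock icons show which files are affected), run Grant-KeyReadAccess against that file as well.

```powershell
# Added example, not part of the original page: grant only Read on the private key
# file of the AD LDS certificate to the service account, then verify the ACL.
# ASSUMPTIONS: elevated Windows PowerShell 5.1; CAPI key stored under MachineKeys;
# the thumbprint below is a placeholder.

$MachineKeys    = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'   # account the AD LDS instance runs as

# Locate the key container file behind a certificate in the computer's Personal
# store. Returns $null for CNG keys, which are not stored in MachineKeys.
function Get-MachineKeyFile {
    param([Parameter(Mandatory)] [string] $Thumbprint)
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw "Certificate $Thumbprint has no private key" }
    try { $csp = $cert.PrivateKey } catch { $csp = $null }   # RSACryptoServiceProvider for CAPI keys
    if (-not $csp) { return $null }
    $keyFile = Join-Path $MachineKeys $csp.CspKeyContainerInfo.UniqueKeyContainerName
    if (-not (Test-Path $keyFile)) { throw "Key file not found: $keyFile" }
    return $keyFile
}

# Does the ACL of a key file already allow the service account to read it?
function Test-KeyReadAccess {
    param([Parameter(Mandatory)] [string] $Path)
    $readData = [System.Security.AccessControl.FileSystemRights]::ReadData
    $rules = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -eq $ServiceAccount -and
        $_.AccessControlType -eq 'Allow' -and
        $_.FileSystemRights.HasFlag($readData)
    }
    return [bool] $rules
}

# Add an Allow Read entry for the service account. Read (not Full control) is all
# Schannel needs to load the key; the service must not be able to alter or delete it.
function Grant-KeyReadAccess {
    param([Parameter(Mandatory)] [string] $Path)
    if (Test-KeyReadAccess -Path $Path) { Write-Host "Already granted: $Path"; return }
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
                $ServiceAccount, 'Read', 'Allow')
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    if (-not (Test-KeyReadAccess -Path $Path)) { throw "ACL update did not take effect on $Path" }
    Write-Host "Granted Read to $ServiceAccount on $Path"
}

# Usage: thumbprint of the AD LDS certificate (placeholder, replace with your own).
$thumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'
$keyFile = Get-MachineKeyFile -Thumbprint $thumbprint
if ($keyFile) { Grant-KeyReadAccess -Path $keyFile }

# The page's lock icons mark key files the service cannot read. List the files in
# MachineKeys that still have no Read entry for the service account; grant only the
# ones that belong to the AD LDS certificates, not every key on the machine.
Get-ChildItem -Path $MachineKeys -File |
    Where-Object { -not (Test-KeyReadAccess -Path $_.FullName) } |
    Select-Object Name, LastWriteTime
```

The final listing is deliberately read-only: other key containers in MachineKeys belong to other services (IIS, Remote Desktop, and so on), and granting Network Service access to all of them would hand the AD LDS process every private key on the host.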

  42. Restart the AD LDS instance service so that it picks up the new certificate and key permissions. Then test LDAPS from the server where PM (Provisioning Manager) is installed with the following command:

    openssl s_client -connect <AD LDS IP address>:<LDAPS port>

    For example:

    openssl s_client -connect 192.168.26.129:53994

    In the output, check that the server certificate chain is shown (the AD LDS instance certificate issued by your CA) and look at the Verify return code line. A code of 0 (ok) requires the testing host to trust the issuing CA; pass the CA certificate with -CAfile if it is not in the default trust store. If the handshake fails outright, the most common cause is that the instance's service account cannot read the private key (steps 35 to 41).
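The same check as the openssl command, written in PowerShell with .NET SslStream and added here as an example; it is not code from the original page. It completes a TLS handshake with the LDAPS port, then reports the certificate the instance presented, whether this host trusts its chain, and whether it carries the expected DNS name. The address and port are the page's example values; the expected name adldsserver.pmsnmdomain.com is an assumption.

```powershell
# Added example, not part of the original page: TLS handshake against the AD LDS
# LDAPS port followed by explicit chain and name checks on the server certificate.
# ASSUMPTIONS: the address and port are the page's example values; the expected
# DNS name is a placeholder.

function Test-AdLdsLdaps {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [Parameter(Mandatory)] [int]    $Port,
        [Parameter(Mandatory)] [string] $ExpectedName   # DNS name the certificate must carry
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($Server, $Port)

    # Accept any certificate during the handshake so it completes even when this
    # host does not trust the CA; trust and name are then checked explicitly.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] {
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $true
    }
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    try {
        # Throws if the server cannot complete the handshake, for example because
        # the service account cannot read the private key (steps 35 to 41).
        $ssl.AuthenticateAsClient($ExpectedName)

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
                    -ArgumentList $ssl.RemoteCertificate

        # Does this host trust the chain? (Equivalent of openssl's "Verify return code".)
        # Revocation checking is disabled because a private CA usually has no reachable CRL.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        $trusted = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        if (-not $status) { $status = 'NoError' }

        # Does the certificate carry the name clients will use? (SAN DNS entry, else CN.)
        $dnsType = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
        $dnsName = $cert.GetNameInfo($dnsType, $false)

        [pscustomobject]@{
            Protocol     = $ssl.SslProtocol
            Cipher       = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            Subject      = $cert.Subject
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            Thumbprint   = $cert.Thumbprint
            DnsName      = $dnsName
            NameMatches  = ($dnsName -eq $ExpectedName)
            ChainTrusted = $trusted
            ChainStatus  = $status
        }
    }
    finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}

# Page's example: AD LDS at 192.168.26.129, LDAPS on port 53994.
Test-AdLdsLdaps -Server '192.168.26.129' -Port 53994 -ExpectedName 'adldsserver.pmsnmdomain.com'
```

A successful handshake with NameMatches False means clients connecting by host name will still reject the certificate, so the Subject or SAN in the request needs fixing; ChainTrusted False with a status of UntrustedRoot means the testing host simply lacks the CA certificate in its Trusted Root store and says nothing about the AD LDS side.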