Follow meEnabling SSL in Active Directory allows clients to communicate securely with AD servers. This is also required to allow a user’s Active Directory password to be changed programmatically using LDAP.
This article will show you how to install the Certificate Services in Windows 2003 to enable LDAP SSL in Active Directory.
Before beginning, make sure the Internet Information Server (IIS) is installed in your server.
Installing the Certificate Services
1. Click Start, select Control Panel and click Add or Remove Programs.
2. In the Add or Remove Programs window, click Add/Remove Windows Components, check the Certificate Services and click Next.
3. Click Next in the CA Type page.
4. Fill up the Common name for this CA and click Next.
5. Click Next in the Certificate Database Settings page.
6. The Certificate Services will now be installed.
7. Click Finish and restart your server.Configuring Automatic Certificate Request for Domain Controllers
1. Click Start, select Administrative Tools and click Domain Controller Security Policy.
2. In the Default Domain Controller Security Settings window, click the Public Key Policies folder.
3. Right click Automatic Certificate Request Settings, select New and click Automatic Certificate Request.
4. Click Next in the Automatic Certificate Request Setup Wizard.
5. Select Domain Controller in the Certificate Template page and click Next.
6. Click Finish and reboot your server.Check for Issued Certificate
1. Click Start, select Administrative Tools and click Certification Authority. This will launch the Certification Authority application.
2. In Certification Authority, click the + sign and check the Issued Certificates folder if your server has been issued a certificate.Make sure your server has been issued a certificate, otherwise SSL communication will not work.Related Pages
Visit the forum to ask for help or to give a comment.
***
Posted on 5/19/2008 and last updated on 4/23/2011
Filed under Active Directory , LDAP , SSL/TLS
March 18th, 2009 at 1:30 pm
Enable LDAP SSL with Active Directory in Windows 2003 – You’re missing a large portion of the guide.
It should be titled how to enable automatic certificate request!
March 19th, 2009 at 1:06 pm
Hi Sean,
What else is missing? I’ve been using the steps above to enable SSL in Active Directory and it is works.
I’ve used an SSL enabled Active Directory to synchronize with Fedora Directory Server and to change user password from Linux via LDAP and a Perl script.
May 2nd, 2009 at 7:30 am
You should explain that once a domain CA is installed, that information propagates throughout AD and domain controllers automatically begin to use SSL. Without knowing that, readers will just think that you’ve completed only a part of the config.
May 5th, 2009 at 11:25 pm
There seems to be the glossing over of a few key steps, such as how to choose CA Type and Common Name.
May 26th, 2009 at 11:36 pm
I cannot connect through SSL on WIN 2K3
May 28th, 2009 at 2:48 am
Hi Consultant,
I think Kyle explained it very well. I’m just starting out on advanced server configurations and was hoping to remotely connect to a Windows Server (2003+) AD to run queries. I suspect SSL was needed, although I was thwarted in my efforts when my attention was drawn on other projects. It would be nice if you could update this guide with a way to confirm that LDAP works on SSL
June 16th, 2009 at 2:49 pm
One way to test it would be to use the Ldap browser from Softerra with the correct connection settings, changing the port to 636.
July 10th, 2009 at 2:16 am
These steps DO work. I was able to very quickly get SSL running on our AD server and connect via 636 using Softerra LDAP clients and our applications. THANK YOU for posting this!
July 14th, 2009 at 6:48 pm
to confirm it’s working, LDP.exe from the command line?
works for me!