Enabling SSL in Active Directory allows clients to communicate securely with AD servers. This is also required to allow a user’s Active Directory password to be changed programmatically using LDAP. This article will show you how to install the Certificate Services in Windows 2003 to enable LDAP SSL in Active Directory.
Before beginning, make sure the Internet Information Server (IIS) is installed in your server.
Installing the Certificate Services
1. Click Start, select Control Panel and click Add or Remove Programs.
2. In the Add or Remove Programs window, click Add/Remove Windows Components, check the Certificate Services and click Next.
3. Click Next in the CA Type page.
4. Fill up the Common name for this CA and click Next.
5. Click Next in the Certificate Database Settings page.
6. The Certificate Services will now be installed.
7. Click Finish and restart your server.Configuring Automatic Certificate Request for Domain Controllers
1. Click Start, select Administrative Tools and click Domain Controller Security Policy.
2. In the Default Domain Controller Security Settings window, click the Public Key Policies folder.
3. Right click Automatic Certificate Request Settings, select New and click Automatic Certificate Request.
4. Click Next in the Automatic Certificate Request Setup Wizard.
5. Select Domain Controller in the Certificate Template page and click Next.
6. Click Finish and reboot your server.
7. Check if automatic certificate request worked by using the Certificate Authority app located in Start > Administrative Tools. Check the Issued Certificates folder if your server is there.Related Pages
***
Posted on 5/19/2008 and last updated on 1/15/2009
Filed under Active Directory , LDAP , SSL
March 18th, 2009 at 1:30 pm
Enable LDAP SSL with Active Directory in Windows 2003 – You’re missing a large portion of the guide.
It should be titled how to enable automatic certificate request!
March 19th, 2009 at 1:06 pm
Hi Sean,
What else is missing? I’ve been using the steps above to enable SSL in Active Directory and it is works.
I’ve used an SSL enabled Active Directory to synchronize with Fedora Directory Server and to change user password from Linux via LDAP and a Perl script.
May 2nd, 2009 at 7:30 am
You should explain that once a domain CA is installed, that information propagates throughout AD and domain controllers automatically begin to use SSL. Without knowing that, readers will just think that you’ve completed only a part of the config.
May 5th, 2009 at 11:25 pm
There seems to be the glossing over of a few key steps, such as how to choose CA Type and Common Name.
May 26th, 2009 at 11:36 pm
I cannot connect through SSL on WIN 2K3
May 28th, 2009 at 2:48 am
Hi Consultant,
I think Kyle explained it very well. I’m just starting out on advanced server configurations and was hoping to remotely connect to a Windows Server (2003+) AD to run queries. I suspect SSL was needed, although I was thwarted in my efforts when my attention was drawn on other projects. It would be nice if you could update this guide with a way to confirm that LDAP works on SSL
June 16th, 2009 at 2:49 pm
One way to test it would be to use the Ldap browser from Softerra with the correct connection settings, changing the port to 636.