By default, all communications with LDAP servers (including Active Directory) are unencrypted, so any data, including credentials, is sent in the clear. To protect your data and credentials you must configure your domain controller to accept SSL connections, and to do that you must install an encryption certificate on the domain controller you wish to communicate with.
From the domain controller (Windows 2000/2003):
Install Microsoft Certificate Services (skip this step if you already have Certificate Services installed in your domain).
- From the Control Panel, select Add/Remove Programs. Next select Add/Remove Windows Components and check the box marked Certificate Services. Click OK to accept that you should not change the computer name once Certificate Services has been installed.
- Select Enterprise root CA. Click Next.
- Enter a name for this certificate authority. A good example would be your company/organization name: Acme CA.
- After the certificate authority certificates have been generated, select a location for the log files. Click Next to continue the configuration and install the necessary dependent software.
Configure the domain controller to request an encryption certificate.
- Select Start/Administrative Tools/Domain Controller Security Policy.
- Right-click Automatic Certificate Request Settings and select New/Automatic Certificate Request.
- Click Next to begin the wizard.
- Select Domain Controller and click Next.
- Finally, click Finish to confirm your settings.
- You will see a new entry on the right side of the panel.
- To confirm that the task completed correctly, you should see Event ID 19 (source AutoEnrollment) in the Application event log.
- LDAP over SSL on port 636 (domain controller) and port 3269 (Global Catalog) will now respond to requests.
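As an added check, not part of the original article, the following Windows PowerShell snippet confirms from a domain-joined client that the controller answers on 636 and 3269 with a certificate chain the client trusts, and, when run on the domain controller itself, looks for the Event ID 19 AutoEnrollment entry described above. The name dc01.example.local is a placeholder for your own domain controller.

```powershell
# Added verification example; run in Windows PowerShell on a domain-joined machine.
$DcFqdn = 'dc01.example.local'   # assumption: replace with your DC's FQDN

function Test-LdapsEndpoint {
    param([string]$HostName, [int]$Port)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # SslStream validates the chain and host name with the default callback.
        # The enterprise root CA must be in the client's Trusted Root store, or
        # AuthenticateAsClient throws; treat that error as a finding, do not suppress it.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate
        [pscustomobject]@{
            Host      = $HostName
            Port      = $Port
            Encrypted = $ssl.IsEncrypted
            Protocol  = $ssl.SslProtocol
            Subject   = $cert.Subject
            Issuer    = $cert.Issuer
            NotAfter  = $cert.NotAfter
            Error     = $null
        }
    } catch {
        [pscustomobject]@{
            Host = $HostName; Port = $Port; Encrypted = $false
            Protocol = $null; Subject = $null; Issuer = $null; NotAfter = $null
            Error = $_.Exception.Message
        }
    } finally {
        $client.Close()
    }
}

# The two listeners named in the article: 636 for the DC, 3269 for the Global Catalog.
636, 3269 | ForEach-Object { Test-LdapsEndpoint -HostName $DcFqdn -Port $_ } | Format-List

# On the domain controller itself, look for the auto-enrollment event the article
# mentions (Event ID 19, source AutoEnrollment, Application log on Windows 2000/2003).
if ($env:COMPUTERNAME -ieq ($DcFqdn -split '\.')[0]) {
    Get-EventLog -LogName Application -Source AutoEnrollment -Newest 50 |
        Where-Object { $_.EventID -eq 19 } |
        Select-Object TimeGenerated, EventID, Message
}
```

A result with Encrypted set to False and an Error mentioning the certificate chain usually means the client does not trust the CA created in the first step, not that LDAPS is down.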