How do I set up LDAP SSL and Certificates in AD LDS (formerly ADAM)?
2017-04-25 16:31:56
AD LDS ADAM LDAP SSL UnitySync
Microsoft's ADAM FAQ page includes instructions for configuring a Certification Authority (CA) and SSL on ADAM. Search that page for the text "SSL" to find the Q/A section on this topic.
Below we have elaborated on the instructions found in that FAQ to outline the process to install the certificate, set permissions for the service account, and test the SSL connection using LDP.
Question: How do I install certificates for use with ADAM and SSL?
Answer: To enable SSL-based encrypted connections to ADAM, you must have a certification authority (CA) in place to issue and manage certificates. You can set up a CA on a computer running Microsoft Windows 2000 Server or Windows Server 2003. For more information about installing and using a CA, see the Certificate Services topic in the Windows Server 2003 Help.
The general steps for setting up SSL for ADAM are as follows:
- Install a certificate from a trusted CA onto the computer running ADAM. The certificate must be marked for server authentication (Enhanced Key Usage 1.3.6.1.5.5.7.3.1). If you want to use the certificate for applications other than ADAM, store it in the local computer certificate store; otherwise you can store it in the ADAM service store. When you request the certificate, specify the fully qualified domain name (FQDN) of the computer on which ADAM is running as the subject name of the certificate, because clients compare that name against the name they connect to.
NOTE: If Internet Information Services (IIS) is running on the same computer as ADAM, you can verify that the certificate is properly installed by attempting an SSL connection to IIS first, before attempting an SSL connection to ADAM.
The certificate is an ordinary server (HTTPS-style) certificate issued to the ADAM server's FQDN. It does not have to be self-signed: a certificate issued by your CA is preferable, because clients that already trust the CA need no extra configuration, whereas a self-signed certificate works only if every client is explicitly configured to trust it.
- To install the certificate:
- Copy the certificate file to the ADAM server.
- Execute Start > Run > MMC (The Microsoft Management Console)
- In the Console window, Click File - ADD/Remove Snap-In
- In the Add/Remove Snap-in Window, click ADD.
- In the Add Standalone Snap-ins window, select “Certificates”, click ADD.
- In the Certificate Snap-in window, select “Service Account”, click Next.
- In the Select Computer window, leave the default of “Local Computer”, click Next.
- In the Certificate Snap-In window, select the ADAM instance (Service) to associate this key to, then click Finish.
- In the Add Standalone Snap-In window, click Close.
- In the Add/Remove Snap-in window, click OK.
- In the Console window, right-click the Personal folder, select All Tasks, then select Import.
- In the Import Wizard, click Next.
- In the Certificate Import Wizard window, Click Browse and select the SSL certificate you copied to this ADAM server, click Next.
- In the Certificate Import Wizard window, leave the default Personal Store, click Next.
- In the final window, click Finish.
- In the Import successful window, click OK.
- In the Console window, expand the Personal folder and click Certificates. You should see the newly imported certificate.
Before you attempt to use the certificate with ADAM, you must ensure that the account under which the ADAM service runs (NETWORK SERVICE by default, or the account you chose when you created the instance) has Read access to the private key of the certificate you installed. The private key is a file on disk, so this is a file-system permission, not a permission on the certificate store.
NOTE: To determine which key file belongs to the certificate, run certutil -store my from a command prompt. The Unique container name value shown for the certificate matches the file name as it appears in the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys directory (on Windows Server 2008 and later the directory is C:\ProgramData\Microsoft\Crypto\RSA\MachineKeys).
- To grant Read access on the key file:
- Go to My Computer, then to the MachineKeys directory given above.
- Right-click the key file identified by certutil and click Properties.
- Click the Security tab.
- Click Add.
- Enter the object name to select: the ADAM service account, for example NETWORK SERVICE (verify with Check Names).
- Click OK.
- Verify that Read access is enabled.
- Click OK to close the Properties window.
- Restart the ADAM service.
NOTE: The Microsoft FAQ applies these permissions to the whole MachineKeys folder instead (Properties > Security > Advanced > Replace permission entries on all child objects with entries shown here that apply to child objects). That also works, but it gives the service account read access to every machine private key on the server, including keys that belong to other services. Granting Read on the single key file is all ADAM needs and is the least-privilege choice.
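The same procedure as a script, so that the key file is located from the certificate rather than by eye and only that one file is touched. This is an added example and is not part of the original article, of Microsoft's ADAM tooling, or of UnitySync. It assumes Windows PowerShell 5.1 on Windows Server 2008 R2 or later (.NET 4.6+), that the certificate was imported into the local computer Personal store rather than the ADAM service store, and that the instance is named "instance1" (so its service is ADAM_instance1); the instance name is the only value you should need to change. Run it from an elevated prompt.

```powershell
# Added example, not from the original article. Assumptions: instance named "instance1",
# certificate in Cert:\LocalMachine\My, Windows PowerShell 5.1 / .NET 4.6+.
$InstanceName = 'instance1'
$ServiceName  = "ADAM_$InstanceName"
$Fqdn         = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName

# 1. Read the service account from the service itself instead of assuming NETWORK SERVICE.
$svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$ServiceName'"
if (-not $svc) { throw "Service $ServiceName not found" }
$ServiceAccount = $svc.StartName          # e.g. "NT AUTHORITY\NetworkService"

# 2. Pick the certificate issued to this host's FQDN that has a private key and the
#    Server Authentication EKU; anything else will not work for LDAPS.
function Test-ServerAuthEku($c) {
    foreach ($ext in $c.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            foreach ($oid in $ext.EnhancedKeyUsages) {
                if ($oid.Value -eq '1.3.6.1.5.5.7.3.1') { return $true }
            }
        }
    }
    return $false
}
$dnsName = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.GetNameInfo($dnsName, $false) -eq $Fqdn -and (Test-ServerAuthEku $_) } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No server-authentication certificate with a private key found for $Fqdn" }
Write-Host "Using certificate $($cert.Thumbprint), expires $($cert.NotAfter)"

# 3. Locate the key file. Legacy CSP (CAPI) keys live under Crypto\RSA\MachineKeys, the
#    directory the article names; CNG keys live under Crypto\Keys.
$keyRoot = Join-Path $env:ProgramData 'Microsoft\Crypto'
$csp = $null
try { $csp = $cert.PrivateKey } catch { }   # throws for CNG-stored keys on older .NET builds
if ($csp -and $csp.CspKeyContainerInfo) {
    $keyFile = Join-Path $keyRoot ("RSA\MachineKeys\" + $csp.CspKeyContainerInfo.UniqueKeyContainerName)
} else {
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
    if ($rsa -isnot [System.Security.Cryptography.RSACng]) { throw "Unsupported key storage provider" }
    $keyFile = Join-Path $keyRoot ("Keys\" + $rsa.Key.UniqueName)
}
if (-not (Test-Path -Path $keyFile)) { throw "Key file not found: $keyFile" }
Write-Host "Private key file: $keyFile"

# 4. Grant Read on that one file only, not on the whole MachineKeys directory, so the
#    service account cannot read other applications' private keys.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                   -ArgumentList $ServiceAccount, 'Read', 'Allow'
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# 5. Restart the instance so it picks up the certificate, then show the effective entry.
Restart-Service -Name $ServiceName
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference.Value -eq $ServiceAccount } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

If step 2 finds nothing, the usual causes are a certificate whose subject is the short host name instead of the FQDN, a certificate imported without its private key (a .cer instead of a .pfx), or a certificate that was placed in the ADAM service store, which the Cert: drive does not expose; in that last case fall back to the certutil note above.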
To test the certificate with ADAM, run Ldp.exe on the computer running ADAM and connect to the local ADAM instance using SSL. For information about LDP, see the ADAM Administrator's Guide. To open the ADAM Administrator's Guide, click Start, point to Programs, point to ADAM, and then click ADAM Help.
NOTE: When you use LDP to make an SSL connection to ADAM, you must specify the FQDN of the computer running ADAM. The client checks that the name it connected to matches the name in the server certificate, and the certificate was issued to the FQDN, so "localhost" or a short host name fails that check even though the listener is local.
- To test the certificate using LDP:
- Execute Start > Run > LDP
- Click Connection > Connect
- Server: the FQDN of the ADAM server (not localhost), exactly as it appears in the certificate.
- Port: the SSL port of the ADAM instance (636 for the first instance if that port was free when the instance was created; otherwise the port chosen during setup).
- Check the SSL box.
- Click OK. A successful connection prints the instance's RootDSE in the right pane. "Cannot open connection" means the SSL handshake failed; the usual causes are the service account lacking Read access to the private key, a certificate name that does not match the FQDN, or a certificate without the Server Authentication purpose.
To connect to ADAM from a client over SSL, the client must trust the certificate presented by the ADAM server. For a CA-issued certificate, import the CA's own certificate into the Trusted Root Certification Authorities store on the client; for a self-signed certificate, import the server certificate itself into that store.
Then use LDP from the client, as above, to make an SSL connection to the ADAM instance.
When you use LDP to make an SSL connection to ADAM, you must again specify the fully qualified domain name (FQDN) of the computer running ADAM, so that the name matches the certificate.
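The LDP test above, and the client-side trust check, as a script. This is an added example and is not part of the original article, of Ldp.exe, or of UnitySync; it uses the same Windows LDAP client (System.DirectoryServices.Protocols) that LDP does, so its pass/fail matches what LDP shows. It assumes the instance listens for SSL on port 636 and that the server's FQDN resolves from where you run it; run it on the ADAM server first, then from a client after importing the CA certificate.

```powershell
# Added example, not from the original article. Assumptions: SSL port 636, FQDN resolvable.
$Server  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName   # on a client, set the ADAM server's FQDN instead
$SslPort = 636

Add-Type -AssemblyName System.DirectoryServices.Protocols

# Connect by FQDN; the third constructor argument tells the LDAP client the name is fully qualified.
$id   = New-Object -TypeName System.DirectoryServices.Protocols.LdapDirectoryIdentifier `
                   -ArgumentList $Server, $SslPort, $true, $false
$conn = New-Object -TypeName System.DirectoryServices.Protocols.LdapConnection -ArgumentList $id
$conn.SessionOptions.ProtocolVersion   = 3
$conn.SessionOptions.SecureSocketLayer = $true      # the "SSL" check box in Ldp.exe
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Anonymous

# Inspect what the server presents and decide trust ourselves: the chain must build to a
# root trusted on this machine (revocation checking stays on, the X509Chain default) and
# the certificate name must match the name we connected to. Returning $false aborts the bind.
$conn.SessionOptions.VerifyServerCertificate = {
    param($connection, $certificate)
    $cert  = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $certificate
    $chain = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)
    # GetNameInfo returns the first DNS SAN entry, or the subject CN if there is no SAN.
    $dnsName = [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName
    $nameOk  = $cert.GetNameInfo($dnsName, $false) -eq $Server
    Write-Host ("Server certificate: {0}" -f $cert.Subject)
    Write-Host ("  issued by {0}, expires {1:u}" -f $cert.Issuer, $cert.NotAfter)
    Write-Host ("  chain trusted: {0}; name matches {1}: {2}" -f $chainOk, $Server, $nameOk)
    foreach ($s in $chain.ChainStatus) { Write-Host ("  chain status: {0} {1}" -f $s.Status, $s.StatusInformation) }
    return ($chainOk -and $nameOk)
}.GetNewClosure()

try {
    $conn.Bind()   # the TLS handshake happens here
    # Read the RootDSE, which ADAM serves to anonymous clients; this is what LDP prints on connect.
    $req = New-Object -TypeName System.DirectoryServices.Protocols.SearchRequest `
                      -ArgumentList '', '(objectClass=*)', 'Base', 'configurationNamingContext', 'supportedLDAPVersion'
    $resp = $conn.SendRequest($req)
    $rootDse = $resp.Entries[0]
    $cfg = $rootDse.Attributes['configurationNamingContext'].GetValues([string])[0]
    Write-Host "LDAPS OK over port $SslPort; configurationNamingContext = $cfg"
} catch [System.DirectoryServices.Protocols.LdapException] {
    # LDP reports the same failure as "Cannot open connection"; here it is LDAP error 81 (server down).
    Write-Host ("LDAPS FAILED: {0} (LDAP error {1})" -f $_.Exception.Message, $_.Exception.ErrorCode)
} finally {
    $conn.Dispose()
}
```

On the server the name check should already pass; on a client the chain check is the one that fails until the CA certificate (or, for a self-signed certificate, the server certificate itself) is in the client's Trusted Root Certification Authorities store, and the chain status lines tell you which is the case.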
On client computers running Windows XP Professional that need to establish SSL connections to an ADAM instance, you must install the hotfix that is described in article 817583, Active Directory Services Does Not Request Secure Authorization Over an SSL Connection, in the Microsoft Knowledge Base.