Comments on post: Configuring Secure LDAPs on Domain Controller
http://vcloud-lab.com/entries/windows-2016-server-r2/configuring-secure-ldaps-on-domain-controller
Site: Virtual Geek (vcloud-lab.com); comment feed last updated 2023-09-29

Comment by Jason (2021-03-19):
Thanks for this well written guide! As of today, on Server 2019, all I had to do was enable the CA role, then push out the root cert with GPO. The DCs automatically enabled LDAPS from there.

Comment by Daniel Bragg (2021-04-21):
This instructional post is as good as having a network tech standing beside me as I walk through this complicated journey. Thank you so much for this!

In Certificate Enrollment, my new LDAPS certificate is showing as Unavailable. "The specified role was not configured for the application." Can you assist me in determining what this means?

Just one minor improvement. For your paragraph:
"Certificate templates is configured, its time to use it. Now new SSL certificate need to be generated on Active Directory Domain Controller. Search and open mmc.exe..."
It would be helpful to make it clear that this step ("open mmc.exe") and all steps that follow are to be performed on the server you are wanting to certify, not the Root CA.

Comment by Janvi (2021-04-23):
Thanks Dan for writing to us and for the feedback. I replied to you by email.

Comment by Brett (2021-04-29):
I cannot say thank you enough. As someone whose kryptonite is certificates, this article has been a revelation. From the bottom of my heart, thank you sir!

Comment by Peter (2021-06-04):
Great write-up. Thank you. May I know if this step will force all 389 to 636? My objective is to keep 389 and enable 636, slowly transition the applications to 636, and only then disable 389. Does this step still allow 389?

Comment by Billay (2021-08-07):
I'm so thankful for this help. It was exactly the answer I needed!

Comment by Ari S (2021-08-20):
Hi ... I'm so thankful for this help. Superb :)

Comment by James (2021-09-12):
Thanks for the walkthrough. Worked well :)

Comment by TM (2022-01-06):
No, that doesn't happen unless you enable Enforce Require LDAP Signing via a GPO. Of course, MSFT is planning to enforce that via an OS update in due course, only delayed due to Covid. So it is good to get ahead now, if you haven't already.
https://support.microsoft.com/en-us/topic/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows-ef185fb8-00f7-167d-744c-f299a66fc00a

Comment by Adrian (2022-04-04):
Hello, I have problems when I try to request the templates (Kerberos Authentication or Domain Controller) on the AD. I always get the error "RPC server unavailable", error 0x800706BA, but the communication from the Sub CA cert and the AD is OK and can be done.

Comment by rk (2022-08-25):
Thank you so much for this guide. Unfortunately I am getting this (Server 2016):

LDAP over Secure Sockets Layer (SSL) will be unavailable at this time because the server was unable to obtain a certificate.
Additional Data
Error value:
8009030d The credentials supplied to the package were not recognized

What did I miss??

Comment by Majid (2023-02-09):
Hi,
I have a few questions.
Why did you export the cert?
Why do we need to move it into Service Account Certificate?
Why did you copy the Kerberos Authentication template?

Comment by TM (2023-02-17):
I don't know if I've made these observations before, but here goes:
1. You don't need "Publish this certificate in AD" in the template. This option should only be used for user certs, and only for user S/MIME and EFS certs.
2. Don't check "export private key"; you can get them to auto-enroll. On the Security tab, check Enroll and Autoenroll for the Domain Controllers group.
3. In Superseded Templates, specify the legacy Domain Controller, Domain Controller Authentication and Kerberos Authentication templates. You can do this later if you're feeling nervous, but it should be done once you've validated that it works.
4. You do not need the UPN and SPN in the Subject Name for LDAPS. All that's required is DNSName. The DCs will request a cert with their own FQDN, the domain FQDN and the domain NETBIOS name as SANs anyway.
5. Once the template is published, assuming you have group policy configured to automatically enroll certs in the Domain Controllers policy (or one that applies to the DC), do a GPRefresh and the DCs will enroll their own certs into the local machine store. If there's no other cert with the Server OID, it'll become the LDAPS cert by default. But I'd definitely recommend continuing to add it to the NTDS store as well. There's no harm in leaving the cert in the Local Machine store.
Microsoft has pretty specific instructions for configuring this template for Windows Hello (which includes LDAPS; LDAPS by itself only needs a valid Server cert), including the autoenroll group policy. Sadly, they don't give us a simpler method of binding it to NTDS. https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-validate-pki#configure-and-deploy-certificates-to-domain-controllers

Comment by david (2023-09-29):
I can go LDAPS between domain computers, but a non-domain computer (same network) cannot connect.