Preparing your Windows Server for AD LDAPS access
We recommend using LDAPS for your Active Directory connection to ensure your user data is encrypted in transit on your network between your Active Directory server and your DrawBridge.
However, while Windows Active Directory Server listens on port 636, it will reject all requests unless a security certificate has been configured for it.
(It is not necessary to install an extra LDAPS function on your Windows Server to use the AD-LDAPS connection.)
Check if a security certificate has been configured
1. Go to Start and open Run. Enter mmc and click Run.
2. Under the File menu, click Add/Remove Snap-ins...
3. In the wizard, under available snap-ins, select Certificates, and click Add, then OK.
4. For the Certificates Snap-in, select Computer account, and click Next.
5. For the Select Computer options, ensure Local Computer is selected, and click Finish.
6. In the tree view on the left, under Certificates, expand the Personal directory. If this directory, or its Certificates sub-directory, is empty, the AD server doesn't have a security certificate it can use for the LDAPS connection. Proceed with the Setup steps below.
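The same check can be scripted. This is an added example, not part of the DrawBridge instructions: it lists the certificates in the local computer's Personal store that AD DS could actually use for LDAPS (a private key, a current validity period, the Server Authentication EKU, and a DNS name matching the server), and then confirms that port 636 is listening. It assumes an elevated PowerShell 3.0 or later session on the domain controller itself; the DNS-name check relies on the DnsNameList property that the PowerShell certificate provider adds to certificate objects.

```powershell
# Added example (not from the DrawBridge page). Run in an elevated PowerShell
# session on the domain controller itself.
$dcFqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$serverAuthOid = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth
$now = Get-Date

function Test-ServerAuthEku {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    # A certificate without an EKU extension is valid for any purpose;
    # otherwise Server Authentication must be listed explicitly.
    $eku = $Cert.Extensions | Where-Object {
        $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
    }
    if (-not $eku) { return $true }
    return [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
}

# Same store the mmc steps above open: Certificates (Local Computer) > Personal
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    $_.NotBefore -le $now -and
    $_.NotAfter -gt $now -and
    (Test-ServerAuthEku -Cert $_) -and
    ($_.DnsNameList.Unicode -contains $dcFqdn)
}

if ($candidates) {
    "Certificates in LocalMachine\My usable for LDAPS on ${dcFqdn}:"
    $candidates | Format-Table Thumbprint, Subject, Issuer, NotAfter -AutoSize
} else {
    "No usable LDAPS certificate found in LocalMachine\My for ${dcFqdn}. " +
    "Follow the 'Set up a new CA and issue a security certificate' steps."
}

# The port is open whether or not a certificate exists; without one the
# server just drops the connection instead of completing a TLS handshake.
Test-NetConnection -ComputerName $dcFqdn -Port 636 |
    Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

A certificate that appears in the store but fails one of the filters (expired, no private key, wrong DNS name) is the usual reason an LDAPS connection is refused even though the Personal folder is not empty, so the filtered list is more informative than the raw folder contents.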
Set up a new CA and issue a security certificate
1. Go to Server Manager, and click Add Roles and Features.
2. Click Next.
3. Ensure Role-based or feature-based installation is selected, and click Next.
4. Ensure Select a server from the server pool is selected, as well as a server in the Server Pool list, and click Next.
5. Select the box for Active Directory Certificate Services, and click Next.
6. Don't select anything under Features, and click Next.
7. Read over the comments in AD CS, and click Next.
8. Select Certification Authority in Role Services, and click Next.
9. Optionally select Restart the destination server automatically if required (or manually restart later), then click Install.
10. After the installation is finished, click the link for Configure Active Directory Certificate Services on the destination server, and close the Add Roles and Features Wizard window.
11. In the AD CS Configuration window, click Next to proceed with the credentials of the user you're signed in as (must have Administrator permissions).
12. Select Certification Authority under Role Services, and click Next.
13. Ensure Enterprise CA is selected, and click Next.
14. Select Root CA, and click Next.
15. Select Create a new private key, and click Next.
16. Select a minimum of SHA256 for the hash algorithm, and click Next.
17. Review the names suggested for the CA, and click Next.
18. Use the default validity period of 5 years, and click Next.
19. Review the database location, change it if you wish, and click Next.
20. Review what will be performed, and click Configure.
21. It should report Configuration Successful, and you can close that window.
22. Next, go to the Start Menu, open Run, enter certmpl.msc and run it.
23. In the Certificate Templates Console, right-click Kerberos Authentication, and click Duplicate Template.
24. Properties of New Template will appear. Make the following changes:
   - General tab: set the Display Name to DrawBridge LDAPS
   - General tab: select Publish certificate in Active Directory
   - Request Handling tab: select Allow private key to be exported
   - Subject Name tab: ensure Build from this Active Directory information is selected, as well as the checkbox for DNS name
   - Click Apply and OK.
25. Close the Certificate Templates Console.
26. Go to Start, and open Certification Authority.
27. Right-click on Certificate Templates, then under New, click Certificate Templates to Issue.
28. In the Enable Certificate Templates wizard, select DrawBridge LDAPS and click OK.
29. Close the Certificate Authority window.
30. Go to Start, open Run, enter mmc, and click Run.
31. Under File, click Add/Remove Snap-in.
32. In the Add/Remove Snap-in window, select Certificates, then Add >, then click OK.
33. Select Computer account, and click Next.
34. Select Local Computer, and then click Finish.
35. In the tree view on the left, expand the Personal folder.
36. Under Personal, right-click on Certificates, select All Tasks, then click Request New Certificate...
37. The Certificate Enrollment wizard will open; click Next.
38. Under the Certificate Enrollment Policy, ensure Active Directory Enrollment Policy is selected, and then click Next.
39. Under Request Certificates, select DrawBridge LDAPS, and click Enroll.
40. The wizard should report STATUS: Succeeded; click Finish.
41. That's it! If you opted not to automatically restart the server in step 9, restart the server now.
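Once the server is back up, you can confirm from any Windows machine that the domain controller now completes a TLS handshake on port 636 and presents the newly enrolled certificate. This is an added example, not part of the DrawBridge instructions; it uses only .NET classes, and the value of $Server is a placeholder for your domain controller's FQDN, which should be the same name the DrawBridge is configured to connect to.

```powershell
# Added example (not from the DrawBridge page). $Server is a placeholder:
# use the FQDN of your domain controller, exactly as the DrawBridge will use it.
$Server = 'dc01.example.local'
$Port   = 636

# Record the OS verdict on the certificate chain, but accept the handshake
# anyway so the certificate can still be inspected when validation fails.
$script:policyErrors = $null
$validator = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validator)
    $ssl.AuthenticateAsClient($Server)   # fails here if the server has no usable certificate

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $san  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName

    [pscustomobject]@{
        Server            = $Server
        Protocol          = $ssl.SslProtocol
        Cipher            = "$($ssl.CipherAlgorithm)/$($ssl.CipherStrength)"
        Subject           = $cert.Subject
        Issuer            = $cert.Issuer          # should be the CA created above
        Thumbprint        = $cert.Thumbprint
        NotAfter          = $cert.NotAfter
        SubjectAltName    = $(if ($san) { $san.Format($false) } else { '(none)' })
        ChainPolicyErrors = $script:policyErrors   # 'None' means the chain validated
    } | Format-List
}
finally {
    $tcp.Close()
}
```

ChainPolicyErrors of None means this client trusts the chain end to end. RemoteCertificateChainErrors means the new root CA is not in that machine's trusted store (expected on a client that is not domain-joined, and on any other device that must be given the CA certificate separately); RemoteCertificateNameMismatch means the name in $Server is not among the certificate's DNS names, which is why the test should use the exact hostname the DrawBridge is configured with.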