Recipe 14.1 Enabling SSL/TLS
14.1.1 Problem
You want to enable SSL/TLS access to your domain controllers so clients can encrypt LDAP traffic to the servers.
14.1.2 Solution
14.1.2.1 Using a graphical user interface
Open the Control Panel on a domain controller. Open the Add or Remove Programs applet. Click on Add/Remove Windows Components. Check the box beside Certificate Services and click Yes to verify. Click Next. Select the type of authority you want the domain controller to be (select Enterprise root CA if you are unsure) and click Next. Type the common name for the CA, select a validity period, and click Next. Enter the location for the certificate database and logs and click Next. After the installation completes, click Finish.

Now open the Domain Controller Security Policy GPO. Navigate to Computer Configuration → Windows Settings → Security Settings → Public Key Policies. Right-click on Automatic Certificate Request Settings and select New → Automatic Certificate Request. Click Next. Under Certificate Templates, click on Domain Controller and click Next. Click Finish. Right-click on Automatic Certificate Request Settings again and select New → Automatic Certificate Request. Click Next. Under Certificate Templates, click on Computer and click Next. Click Finish.
14.1.3 Discussion
After domain controllers obtain certificates, they open up ports 636 and 3289. Port 636 is for LDAP over SSL/TLS and port 3289 is used for the global catalog over SSL/TLS. See Recipe 14.2 for more information on how to query a domain controller using SSL/TLS.
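The recipe configures auto-enrollment through the GUI and then states that the SSL/TLS ports open once the domain controller holds a certificate, but it gives no way to confirm either step. The following PowerShell script is an added example written for this page, not code from the Active Directory Cookbook: the first function, run on the domain controller, lists machine-store certificates that carry the Server Authentication EKU (what the auto-enrolled Domain Controller and Computer certificates provide); the second, run from any Windows host, opens a TLS session to the LDAPS port and reports the certificate the server presents, failing if the client does not trust it. The hostname is a placeholder, and the port list defaults to 636 only; add the global catalog SSL/TLS port named in the Discussion if you also want that listener checked.

```powershell
# Added example (not from the cookbook): confirm a DC has a server-auth certificate
# and that its LDAPS listener negotiates TLS with a certificate the client trusts.
# Assumptions: Windows PowerShell or PowerShell 7 on Windows; $DomainController is a
# placeholder to replace with a real DC name; Get-ServerAuthCertificate is meant to
# run on the DC itself, Test-LdapsEndpoint from any host that can reach it.
param(
    [string]$DomainController = 'dc1.example.internal',   # placeholder hostname
    [int[]]$Ports = @(636)                               # LDAPS; extend with the GC SSL/TLS port if desired
)

# Certificates in the local machine store that can authenticate this server over TLS.
# After auto-enrollment succeeds, the Domain Controller / Computer certificate appears here.
function Get-ServerAuthCertificate {
    Get-ChildItem -Path Cert:\LocalMachine\My |
        Where-Object {
            $_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1' -and  # Server Authentication EKU
            $_.HasPrivateKey -and
            $_.NotAfter -gt (Get-Date)                                            # skip expired certificates
        } |
        Select-Object Subject, Issuer, NotAfter, Thumbprint
}

# Open a TCP connection, run the TLS handshake as a client, and describe the server certificate.
# SslStream is created with the default validation callback, so an untrusted or mismatched
# certificate throws and is reported as a failure rather than silently accepted.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 636
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl    = $null
    try {
        $client.Connect($ComputerName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($ComputerName)   # SNI / hostname check uses the DC's name
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Host       = $ComputerName
            Port       = $Port
            Protocol   = $ssl.SslProtocol
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Result     = 'OK'
        }
    } catch {
        [pscustomobject]@{
            Host   = $ComputerName
            Port   = $Port
            Result = "FAILED: $($_.Exception.Message)"
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Dispose()
    }
}

Write-Host "Server-authentication certificates in Cert:\LocalMachine\My (run this on the DC):"
Get-ServerAuthCertificate | Format-Table -AutoSize

Write-Host "LDAPS handshake results for $DomainController :"
foreach ($p in $Ports) {
    Test-LdapsEndpoint -ComputerName $DomainController -Port $p
}
```

If Get-ServerAuthCertificate returns nothing on the DC, auto-enrollment has not yet run; `gpupdate /force` followed by a reboot or a `certutil -pulse` triggers it. A FAILED result from Test-LdapsEndpoint whose message mentions the remote certificate usually means the client does not trust the issuing CA, which is the same condition that will make LDAPS binds from domain-joined clients fail, so it is worth checking before assuming the listener is broken.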
14.1.4 See Also
MS KB 247078 (HOW TO: Enable Secure Socket Layer (SSL) Communication Over LDAP For Windows 2000 Domain Controllers), MS KB 281271 (Windows 2000 Certification Authority Configuration to Publish Certificates in Active Directory of Trusted Domain), and MS KB 321051 (How to Enable LDAP over SSL with a Third-Party Certification Authority)