Welcome back to our two-part series on how to enable secure LDAP (LDAPS) communications between client/server applications on Windows Server 2008/2012 domain controllers. In part one, I went over what you should know about LDAPS, your options, and prerequisites. After we understood the concepts of why, where and when we should be looking to use LDAPS, let’s move on to the actual configuration.
Enabling Secure LDAP: Configuring LDAPS
1. Create the right certificate template to issue
First, we need to make sure that your CA is allowed to issue the correct types of certificates. Remember, these must contain the Server Authentication OID 1.3.6.1.5.5.7.3.1.
I’ve described the steps you need to take in order to create such a template in my Creating a Digital Certificate Template for the purpose of Server Authentication in Windows Server 2008/R2/2012 article.
2. Request a certificate for server authentication
To request a certificate from your LDAPS server, do the following on each DC that requires LDAPS connections:
- In Start, type MMC, and then press Enter. If User Account Control prompts it, go ahead and ensure it displays the action you want. After that, select Yes.
- In the MMC console that opens, click File and then click Add/Remove Snap-in.
- Under Available Snap-ins, in Add or Remove Snap-ins, go ahead and select Certificates, and then click Add.
- In the Certificates snap-in, select Computer account and then click Next.
Note: If you plan to have more than one digital certificate for that DC, and if you are using Windows Server 2008/R2/2012, please read this following article BEFORE you proceed: The issue with Active Directory Domain Services (NTDSPersonal) certificate store
If you only plan to have one digital certificate on that DC, please proceed to the next step.
- In Select Computer, select Local. Once you have the correct computer selected, click OK and then click Finish.
- In Add or Remove Snap-ins, select OK.
- In the console tree, expand Certificates (<computer>), right-click Certificates, click All Tasks, and then click Request New Certificate. Note: You cannot do this if you’re connected to a remote DC.
In Certificate Enrollment, click Next.
In the Select Certificate Enrollment Policy, choose Active Directory Enrollment Policy (default) and click Next.
- Select a certificate that allows for server authentication. You may want to use a custom certificate as described in Publishing a Certificate that Supports Server Authentication. Now go ahead and click Enroll.
- The process may take a few seconds to complete. Click Finish in the Certificate Enrollment dialog box. Now you have a digital certificate for the first DC!
- To check your shiny new certificate, in the results pane double-click the certificate that you received to open Certificate properties.
Click the Details tab. In the Field column, go ahead and select Enhanced Key Usage. You’ll want to confirm that the Server Authentication (1.3.6.1.5.5.7.3.1) is listed.
- Repeat this on all the DCs on which you need to enable LDAPS.
Test the LDAP over a TLS Connection
To test if LDAP over TLS works properly, use the ldp.exe tool.
Note: If ldp.exe is not available on your system, you will need to install the Active Directory Directory Services (AD-DS) management tools from the Windows Remote Server Administration Kit (RSAT):
Download Remote Server Administration Tools for Windows 7 with SP1Download Remote Server Administration Tools for Windows 8
- Open a command prompt and type ldp. Click Enter. The LDP application window appears.
- Select Connection, then Connect. The Connect dialog box appears.
- In the Server text box, type the name of your AD server. For this example, type the fully qualified domain name (FQDN) of the DC, just as it appears in the Subject Alternative Name (SAN) of the Digital Certificate.
- In the Port text box, type 636.
- Check the box for SSL.
- Click OK. Now, without the above procedure you will not be able to connect.
After the procedure, note that “Host supports SSL, SSL cipher strength = 128 bits”.
Note: If you try to connect to the right DC but do not use the same FQDN as was listed inside the issued certificate (for example, using the IP address instead), you will not be able to connect using LDAPS.
- Select the Connection menu, click Bind, and then click OK.
The command output should display the user name and domain name that you used for binding, if LDAPS is configured properly. You can start browsing through the AD tree.
If you use the command: netstat -no | find “:636”, you will find the connection to the DC.
Enjoy.
Last week I faced the easy task to activate LDAPs on Windows Server 2008 R2 domain controllers. One of the applications required an encrypted LDAP connection, because password changes are done via LDAP.
I thought: Hey, that’s easy – just create a server certificate for the DC, import the certificate for the computer account under ‘personal’ via MMC – and done.
Apparently it is not that easy with Windows Server 2008 / 2008 R2 …
To establish LDAP over SSL, I did what I mentioned above.
I created a server certificate for the DC. Then tried to import it to the “personal” settings of the computer account.
Port 636 for LDAPs was activated on the DC with the installed server certificate.
A Telnet connection was also possible.
But, unfortunately a LDAPs connection with the application server could not be achieved
(Yes, the root certificate was installed on the application server).
After researching the problem I found out that a change was introduced with Windows Server 2008 / 2008 R2:
The server certificate has to be imported into the ‘AD DS personal store’.
Import server certificate to AD DS personal store
Here is a step by step manual for the import of the certificate:
- MMC Console / Add or Remove Snap-Ins / Certificates
- Select Computer: Local Computer
- Select Service Account: Active Directory Domain Services
- The certificate is being imported into the Store ‘NTDSPersonal’
Link to the Microsoft Technet article: LDAP over SSL
Article created: 07.04.2014
Applies to Windows Server 2003, Windows Server 2003 R2, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Server 2012 R2
Table of Contents
- Reasons for Enabling LDAPS
- Enabling LDAPS for domain controllers using a single-tier CA hierarchy
- Enabling LDAPS for domain controllers using a multi-tier CA hierarchy
- Publishing a Certificate that Supports Server Authentication
- Requesting a Certificate for Server Authentication
- Enabling LDAPS for Client Authentication
- Active Directory Domain Services Certificate Storage
- Exporting the LDAPS Certificate and Importing for use with AD DS
- Verifying an LDAPS connection
- Troubleshooting LDAP over SSL
- Additional Information
Reasons for Enabling LDAPS
By default, LDAP communications between client and server applications are not encrypted. This means that it would be possible to use a
network monitoring device or software and view the communications traveling between LDAP client and server computers. This is especially problematic when an LDAP simple bind is used because credentials (username and password) is passed over the network
unencrypted. This could quickly lead to the compromise of credentials.
Note |
---|
Only LDAP data transfers are exposed. Other authentication or authorization data using Kerberos, SASL, and even NTLM have their own encryption systems. The Microsoft Management Console (mmc) snap-ins, since Windows 2000 SP4 have used LDAP sign and seal or Simple Authentication and Security Layer (SASL) and replication between domain controllers is encrypted using Kerberos. |
Reasons for enabling Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) / Transport Layer Security (TLS) also known as LDAPS include:
- Some applications authenticate with Active Directory Domain Services (AD DS) through simple BIND. As simple BIND exposes the users’ credentials in clear text, use of Kerberos is preferred. If simple BIND is necessary, using SSL/TLS to encrypt the authentication
session is strongly recommended. - Use of proxy binding or password change over LDAP, which requires LDAPS. (e.g.
Bind to an AD LDS Instance Through a Proxy Object)
- Some applications that integrate with LDAP servers (such as Active Directory or Active Directory Domain Controllers) require encrypted communications. To encrypt LDAP communications in a Windows network, you can enable LDAP over SSL (LDAPS).
Caution |
---|
Before you install a certification authority (CA), you should be aware that you are creating or extending a public key infrastructure (PKI). Be sure to design a PKI that is appropriate for your organization. See PKI Design Brief Overview for additional information. |
Enabling LDAPS for domain controllers using a single-tier CA hierarchy
LDAP over SSL/TLS (LDAPS) is automatically enabled when you install an Enterprise Root CA on a domain controller (although installing a CA on a domain controller is not a recommended practice). You can see examples of this in the
Test Lab Guide Base Configuration for Windows Server 2008 R2,
Building an Enterprise Root Certification Authority in Small and Medium Businesses, and
Install and configure Microsoft Active Directory Certificate Services (AD CS) using Windows Server 2008 R2.
Enabling LDAPS for domain controllers using a multi-tier CA hierarchy
When you have a multi-tier (such as a two-tier or three-tier) CA hierarchy, you will not automatically have the appropriate certificate for LDAPS authentication on the domain controller. In order to enable LDAPS in a multi-tier CA hierarchy, you must request
a certificate that meets the following requirements:
- Certificate must be valid for the purpose of Server Authentication. This means that it must also contains the Server Authentication object identifier (OID):
1.3.6.1.5.5.7.3.1 - The Subject name or the first name in the Subject Alternative Name (SAN) must match the
Fully Qualified Domain Name (FQDN) of the host machine, such as Subject:CN=server1.contoso.com. For more information, see
How to add a Subject Alternative Name to a secure LDAP certificate.
- The host machine account must have access to the private key.
Publishing a Certificate that Supports Server Authentication
- On the issuing Certification Authority computer, open the Certificates console or Certsrv console. To open Certsrv, click
Start. Type certsrv.msc and then click
OK. - Ensure that Certification Authority is expanded as well as the name of the certification authority.
- Right-click Certificate Templates and then click Manage.
- In the Certificate Templates Console, right-click Kerberos Authentication and then select
Duplicate Template. You don’t have to use the Kerberos template. You can create your own or use one of the existing templates that has Server Authentication as a purpose, such as
Domain Controller Authentication, Domain Controller,
Web Server, and Computer. Important: You should be planning on having
only one certificate on each LDAP server (i.e. domain controller or AD LDS computer) with the purpose of
Server Authentication. If you have legitimate reasons for using more than one, you may end up having certificate selection issues, which is discussed further in the
Active Directory Domain Services Certificate Storage. - On the Duplicate Template dialog box, leave the default selected
Windows Server 2003 Enterprise selected and then click OK. - The Properties of New Template appear. Ensure that settings are as you want them to be for this certificate template. Pay close attention to ensure that the
Template display name is set to an appropriate name along with the following settings:- Validity and Renewal periods are set according to your organization’s security policy
- Key lengths are appropriate
- Select whether you want to place the certificate in Active Directory
- Subject Name tab: DNS name and Service principal name (SPN) are selected
- If you plan to import the certificate into the Active Directory Domain Services certificate store, then should also mark the private key as exportable.
- Click OK.
- Return to the Certificates or Certsrv console and in the details pane of
Certificate Templates, right-click an open area of the console, click
New, and then click Certificate Template to Issue. - In the Enable Certificate Templates dialog box, select the name of the new template you created and then click
OK.
Requesting a Certificate for Server Authentication
To request a certificate from your LDAPSL server, do the following on each domain controller that requires LDAPS connections:
- Open the Certificates console. Click Start, type
MMC, and then press ENTER. If prompted by User Account Control, ensure it displays the action you want and then click
Yes. - In the MMC console that opens (typically Console1), click File
and then click Add/Remove Snap-in - In Add or Remove Snap-ins under Available Snap-ins, click
Certificates, and then click Add. - In Certificates snap-in select Computer account and then click
Next. - In Select Computer, if you are managing the LDAP server requiring the certificate, select
Local. Otherwise, select Another computer and click
Browse to locate the LDAP server requiring the certificate. - Once you have the correct computer selected, click OK and then click
Finish. - In Add or Remove Snap-ins, click OK.
- In the console tree, expand Certificates (<computer>)
- right click Certificates, click All Tasks, and then click
Request New Certificate. - In Certificate Enrollment, click Next.
- In the Select Certificate Enrollment Policy, typically you would leave the default of
Active Directory Enrollment Policy. If you have a different policy that you should follow, then select that one and click
Next. - Select a certificate that allows for server authentication, Kerberos works, but you can use a custom certificate as described in Publishing a Certificate that Supports Server Authentication. Click
Enroll. - On the Certificate Enrollment dialog box, click Finish.
- In the results pane double-click the certificate that you received to open the
Certificate properties dialog box. - Click the Details tab, in the Field column, select Enhanced Key Usage. Confirm that
Server Authentication (1.3.6.1.5.5.7.3.1).
For other step-by-step examples requesting a certificate for server authentication and implementing LDAP over SSL (LDAPS), see the following articles:
- Request a computer certificate for server authentication — Windows
Server 2003, 2003 R2 instructions - How to enable LDAP over SSL with a third-party Certification Authority — Windows Server 2000, 2003, 2003 R2, 2008, 2008 R2 updated instructions
- Appendix A: Configuring LDAP over SSL Requirements for AD LDS — Windows Server 2008 and Windows Server 2008 R2 instructions
Enabling LDAPS for Client Authentication
Enabling LDAPS on the client is not necessary to protect credentials passed from the client to the server when LDAPS is already enabled on the server. This just allows the client to actually authenticate itself to the server — an extra layer of protection to
ensure that the client connecting as COMPUTER_X is actually COMPUTER_X and not some other computer trying to authenticate with COMPUTER_X credentials. The client must be using a certificate from a CA that the LDAP server trusts. Client certificates and AD
DS accounts are mapped using altSecurityIdentities, which can be done through various methods. For more information on those methods, see
HowTo: Map a user to a certificate via all the methods available in the altSecurityIdentities attribute. Certificates are presented to the server during the Transport Layer Security (TLS) key exchange (described in paragraph 7.4 of
RFC 2246). To enable LDAPS authentication for the client, ensure the certificate is placed in the personal store for the user account.
Active Directory Domain Services Certificate Storage
When a certificate is selected from the local machine store (as in
CertEnumCertificatesInStore) the first valid certificate that can be used for Server Authentication (OID: 1.3.6.1.5.5.7.3.1) is returned for use. In cases where customers have multiple certificates valid for Server Authentication in the LDAP server’s (e.g.
AD DS domain controller,
AD LDS, or
ADAM server) local computer certificate store, may see that a different certificate than the one they want is used for LDAPS communications. The best resolution to such an issue is to remove all unnecessary certificates from the local computer certificate
store and have only one certificate that is valid for server authentication.
However, if there is a legitimate reason that two or more certificates and a customer using at least Windows Server 2008 LDAP servers, the Active Directory Domain Services (NTDSPersonal) certificate store can be used for LDAPS communications.
Important There are several significant details to know before you implement the use of the Active Directory Domain Services certificate store.
- Automatic certificate enrollment (auto-enrollment) cannot be utilized with certificates in the NTDSPersonal certificate store.
- Current command line tools do not allow certificate management of the NTDSPersonal certificate store.
- Certificates should be imported into the store, and not moved (using drag and drop) via Certificates console (MMC)
- Each LDAP server will require its own certificate in order to use this option, but it is only necessary to use this option on a server that has multiple certificates with the purpose of Server Authentication in the local certificates store. The best solution
is to have only one certificate in the computer’s personal certificate
Exporting the LDAPS Certificate and Importing for use with AD DS
The following steps will demonstrate how to export an LDAPS enabled certificate from a domain controller computer’s local certificate store to the Active Directory Domain Services service certificate store (NTDSPersonal). You will have to perform this step
for each domain controller that has multiple certificates with the enabled use of Server Authentication. These certificates will have to be manually renewed when they expire and only works starting with Windows Server 2008 domain controllers, as that was the
first Windows Server operating system release in which the NTDS was separated out as its own service.
- Click Start, type mmc and then click
OK. - Click File and then click Add/Remove Snap-in.
- Click Certificates and then click Add.
- In Certificates snap-in select Computer account and then click
Next. - In Select Computer, if you are working at the LDAP server requiring the certificate, select
Local. Otherwise, select Another computer and click
Browse to locate the LDAP server requiring the certificate. - Once you have the correct computer selected, click OK and then click
Finish.In Add or Remove Snap-ins, click OK.
- In the console tree, expand Certificates (<computer>)
- In the certificates console of a computer that contains a certificate that can be used for Server Authentication, right-click the certificate, click
All Tasks, and then click Export. - On the Certificate Export Wizard welcome screen, click
Next. - On the Export Private Key screen, select Yes, export the private key and then click
Next. If you don’t have the option to export the private key, then the certificate template did not allow the exporting of the private key (seePublishing a Certificate that Supports Server Authentication).
- On the Export File Format screen, you should select
Export all extended properties. The other selections are optional. - On the Password screen, enter a password that you want to be used when the certificate is imported. You will have to type the password twice: once in the
Password box and then again in the Type and confirm password (mandatory) box. Then, click
Next. - On the File to Export screen, enter a path, file name, and .pfx file extension in the
File name box and then click Next. - Confirm the settings on the completion screen and then click Finish. You should see a pop-up message indicating that the export was successful. Click
OK. - Click File and then click Add/Remove Snap-in.
- Click Certificates and then click Add.
- Select Service account and then click Next.
- In the Select Computer dialog box, ensure that you target the appropriate computer. If you are running the Microsoft Management Console (MMC) and want to target the local computer, you can leave the default selection of
Local computer. Otherwise, select Another computer and then use the
Browse button to select the appropriate computer. Then click
Next. - Select Active Directory Domain Services and then click
Finish. - On the Add or Remove Snap-ins dialog box click OK.
- Expand Certificates — Services (Active Directory Domain Services) and then click
NTDSPersonal. - Right-click NTDSPersonal, click All Tasks, and then click
Import. - On the Certificate Import Wizard welcome screen, click
Next. - On the File to Import screen, click the Browse, and then locate the certificate file that you exported previously.
- On the Open screen, ensure that Personal Information Exchange (*pfx,*.p12) is selected as the file type and then navigate the file system to locate the certificate you exported previously and then click that certificate.
- Click Open and then click Next.
- On the Password screen enter the password you set for the file and then click
Next. - On the Certificate Store page, ensure that Place all certificates in the following store is selected and reads
Certificate store: NTDSPersonal and then click Next. - On the Certificate Import Wizard completion screen, click
Finish. You should then see a message that the import was successful. Click
OK. - In the Navigation pane, under NTDSPersonal, click Certificates
- In the details pane, right-click the certificate you imported and then click
Open. - Click Details and then click Enhanced Key Usage, you should see that
Server Authentication (1.3.6.1.5.5.7.3.1) is one of the purposes of the certificate and then click
OK.
Verifying an LDAPS connection
After a certificate is installed, follow these steps to verify that LDAPS is enabled:
- Start the Active Directory Administration Tool (Ldp.exe)
- To use LDP.EXE on Windows Server 2003, see
LDAP Overview. - To use LDP.EXE on Windows XP, you must download and install
Windows XP Service Pack 2 Support Tools. - For Windows Vista, Windows 7, or non-domain controller Windows Server 2008, or Windows Server 2008 R2 computers, see
Remote Server Administration Tools (RSAT) for Windows Vista, Windows 7, Windows Server 2008, and Windows Server 2008 R2
- To use LDP.EXE on Windows Server 2003, see
- On the Connection menu, click Connect.
- Type the name of the LDAP server (e.g. domain controller or AD LDS/ADAM server) to which you want to connect.
- Type 636 as the port number.
- Click OK.
Troubleshooting LDAP over SSL
When you have issues with LDAPS, there are several different things that can be wrong. One of the best walkthrough documents regarding troubleshooting LDAPS is on the Ask DS Blog in which a Senior Escalation engineer walks through verification and troubleshooting:
Troubleshooting LDAP over SSL. There is only one Event ID that is directly related to LDAP over SSL, which is Event 1220, expanded upon in the destination of the link in the list below. The rest of the links are related to LDAP signing. LDAP signing does
not encrypt the communications traveling between the LDAP server and client. LDAP signing verifies the identity of the client attempting an LDAP bind and helps to mitigate the chance of replay and man-in-the middle attacks. For more information on LDAP signing,
see LDAP Signing
and
How to enable LDAP Signing in Windows Server 2008.
- Event ID 1220 — LDAP over SSL
- Event ID 2886 — LDAP signing: is logged one each time the domain controller is started, if you do not have signing required
enabled on your domain controller. - Event ID 2887 — If signing required is not enabled, this event keeps a count of how many unsigned binds occurred in the
previous 24 hours. The event is logged every 24 hours. - Event ID 2888 — If signing required is enabled, then this even keeps a count of how many unsigned LDAP binds occurred in the previous
24 hours. Since LDAP signing is required, the binds would be rejected. This is a notice to administrators to investigate the client computers that are trying to bind without signing. - Event ID 2889- Administrators can enable this event to to help identify client computers that are attempting to bind without
signing. This event is logged with the IP address and the bind identity of the client each time an unsigned bind is performed or attempted.
Additional Information
- HowTo: Map a user to a certificate
via ll the methods available in the altSecurityIdentities attribute - WebSphere to Active Directory over SSL
- How to enable LDAP over SSL with a third-party certification authority
- Installing and configuring an Enterprise Root CA on Windows Server 2003
- Implementing and Administering Certificate Templates in Windows Server 2003
- Implementing and Administering Certificate Templates
- Windows 7/2008 Kerberos Default Encryption and Windows
2003/2000 - Install a SSL certificate on your domain controller
- Appendix A: Configuring LDAP over SSL Requirements for AD LDS
- Configuring the JSS to Use LDAP Over SSL When Authenticating with Active Directory
- Windows Server 2003 domain
controller using LDAP over SSL with expired certificate requires restart - How to add a Subject Alternative Name to a secure LDAP certificate
- Troubleshooting PKI Problems on Windows
The following takes you through setting up LDAP over SSL
from the server side of a Windows 2008 R2 SP1 Domain Controller.
Note: It just
happens to be the minimum required to force a NetApp CDOT 8.2.1 SVM to have to
have LDAP over SSL properly configured before it can join the Active Directory
Domain.
My Lab Setup
My lab setup is simply a single Windows Server 2008 R2
SP1 Domain Controller — called MSDMC01 — in the domain LAB.PRIV. And we start
with a pretty much out of the box Domain Controller setup.
Step 1 of 3:
Enablement in the Default Domain Controllers Policy
Start >
Administrative Tools > Group Policy Management
Find the ‘Default
Domain Controllers Policy’, right-click and click Edit…
Image 1: Group
Policy Management
In the ‘Group Policy Management Editor: Default Domain
Controllers Policy’
Computer
Configuration > Policies > Windows Settings > Security Settings >
Local Policies > Security Options
Find the policy ‘Domain
controller: LDAP server signing requirements’, right-click and click Properties
Image 2: Group
Policy Management Editor
Domain controller: LDAP server signing requirements
Ensure that the ‘Define
this policy setting’ box is ticked
Change the drop-down menu to ‘Require signing’
Click Yes to
the ‘Confirm Settings Change’ box
Image 3: Domain
controller — LDAP server signing requirements Properties
Close the ‘Group
Policy Management Editor’ window.
Close the ‘Group
Policy Management’ window.
Then, from the Domain Controller, open a DOS Command
Prompt and type the following command to update the policy on the Domain
Controller.
gpupdate
Note: The GPO
setting isn’t applied until the registry setting — HKLMSYSTEMCurrentControlSetservicesNTDSParameters and DWORD ‘ldapserverintegrity’ has changed from
the default 1 to the new setting of 2. If you manually change in the registry
without updating the Default Domain Controllers GPO, it will go back to 1 after
every gpupdate.
Image 4: Registry
Editor
Step 2 of 3: Setting
up an Enterprise Root CA
Server Manager
> Roles > Add Roles
Add Roles Wizard: Select Server Roles
Tick the ‘Active
Directory Certificate Services’ box and click Next >
Image 5: Add Roles
Wizard
Add Roles Wizard: Introduction to Active
Directory Certificate Services
Add Roles Wizard: Select Role Services
Tick the ‘Certification
Authority’ box only
Image 6: AD CS —
Select Role Services
Note: Later on —
but not required for what we want to achieve here — I will install ‘Certification
Authority Web Enrollment’ so I can request certificates from the domain
certification authority.
Add Roles Wizard: Specify Setup Type
Choose ‘Enterprise’
to set up an Enterprise CA
Image 7: AD CS —
Specify Setup Type
Add Roles Wizard: Specify CA Type
Image 8: AD CS —
Specify CA Type
Add Roles Wizard: Set Up Private Key
Choose ‘Create a
new private key’ (since this is a new CA)
Image 9: AD CS —
Set Up Private Key
Add Roles Wizard: Configure Cryptography for
CA
Leave as the default settings which are sufficient for
our requirements:
Cryptographic
service provide (CSP) = RSA#Microsoft
Software Key Storage Provider
Key character
length = 2048
Hash algorithm for
signing certificates issued by this CA = SHA1
‘Allow
administrator interaction when the private key is accessed by the CA’ = unticked
Image 10: AD CS —
Configure Cryptography for CA
Add Roles Wizard: Configure CA Name
Leave as the default populated settings which are
sufficient for our requirements:
Common name for
this CA = lab-MSDMC01-CA
Distinguished name
suffix = DC=lab,DC=priv
Preview of
distinguished name = CN=lab-MSDMC01-CA,DC=lab,DC=priv
Image 11: AD CS —
Configure CA Name
Add Roles Wizard: Set Validity Period
Leave as the default settings which are sufficient for
our requirements:
Validity period for
certificate generated for this CA = 5
years
Image 12: AD CS —
Set Validity Period
Add Roles Wizard: Configure Certificate
Database
Leave as the default settings which are sufficient for
our requirements:
Certificate
database location = C:Windowssystem32CertLog
Certificate
database log location = C:Windowssystem32CertLog
Image 13: AD CS —
Configure Certificate Database
Add Roles Wizard: Confirm Installation
Selections
Image 14: AD CS —
Confirm Installation Selections
Add Roles Wizard: Installation Results
Step 3 of 3: Obtaining
the Root CA Certificate
On our Enterprise Root CA Domain Controller, run the
following commands from the DOS prompt (>) to obtain the self-signed root CA
certificate, and copy all the output between and including the BEGIN
CERTIFICATE and END CERTIFICATE lines into a simple text document. This will
need to be provided to the clients wanting to establish LDAP over SSL
connections, so they can install the root CA certificate first.
certutil
certutil -ca.cert CA_root_cert
Example of the
output using certutil and certutil -ca.cert:
C:UsersAdministrator>certutil
Entry 0:
(Local)
Name: `lab-MSDMC01-CA’
Organizational Unit: `’
Organization: `’
Locality: `’
State: `’
Country/region: `’
Config:
`MSDMC01.lab.privlab-MSDMC01-CA’
Exchange Certificate: `’
Signature Certificate: `MSDMC01.lab.priv_lab-MSDMC01-CA.crt’
Description: `’
Server: `MSDMC01.lab.priv’
Authority: `lab-MSDMC01-CA’
Sanitized Name: `lab-MSDMC01-CA’
Short Name: `lab-MSDMC01-CA’
Sanitized Short Name: `lab-MSDMC01-CA’
Flags: `13′
Web Enrollment Servers: `’
CertUtil:
-dump command completed successfully.
C:UsersAdministrator>certutil -ca.cert CA_root_cert
CA
cert[0]: 3 — Valid
CA
cert[0]:
——BEGIN
CERTIFICATE——
MIIDYzCCAkugAwIBAgIQbkWjIrQBqr9MYH6LuvOa7jANBgkqhkiG9w0BAQUFADBE
MRQwEgYKCZImiZPyLGQBGRYEcHJpdjETMBEGCgmSJomT8ixkARkWA2xhYjEXMBUG
A1UEAxMObGFiLU1TRE1DMDEtQ0EwHhcNMTQwNDI2MTYwNjE3WhcNMTkwNDI2MTYx
NjE2WjBEMRQwEgYKCZImiZPyLGQBGRYEcHJpdjETMBEGCgmSJomT8ixkARkWA2xh
YjEXMBUGA1UEAxMObGFiLU1TRE1DMDEtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB
DwAwggEKAoIBAQDVR1jxp1Sazi88OXWECAPZAdcUdaaXOIlquSV/2vZGz548zeVX
GxJmV2MIte0IPe+q7RMcjgCW9espkGG1LjkZdKtxA9zAvZJY3zhpZzCbAinP9aIO
CnopICoQ5OPK5wWpJvn18yWfOJiJOeIG/TK71YPzE2yxRNZv0ouSlflq2522Gutr
EAW+KrSsXs03G2KVY6iVZ9A+k/cfZN/G1v4DRElwqmXuCMxRcdQWkd8FNHJ4dYx6
Nvq1DmroWxn/zicBkUHz0aKbuQSM0P1M/LFTA7lGCosbjT+q8Bc37oGlci2vVTOS
JXv+Qxx/y/epOmkBJilf112uch+npWViMnPPAgMBAAGjUTBPMAsGA1UdDwQEAwIB
hjAPBgNVHRMBAf8EBTADAQH/MB0GA1UdDgQWBBSVo87stQ2puh0s37snZtHOC0SN
BTAQBgkrBgEEAYI3FQEEAwIBADANBgkqhkiG9w0BAQUFAAOCAQEACVC9UENQQuy+
OuC7M/pHns+d233j7PofbkFZ/a87WdePGUWEAfnYJYhXAWcV4HoM1WHZhqG408tV
CsfYS5NXCXrqIM5hNF+I+qnqA5aS0aPICIfBspOFDJqvcgj0bBPwKXRbRmBdizHe
pdNgzxR7RZgoDdorjNeAfmdkXEPoHKN4B9nQjtKSZGyXJxg0RUFUmGBadoNRSiGp
KNzmNQLsTLWszKarzqAjkfO5gN9oIOrVt1GFhkgxEfd6pUkTznm48CfrKSV62SMw
/b6Lqx0o/3mkuUUgMgJLUB21Os6z8XBtLFwA847vJNoi3SoLpjZE9+b+rf1r163C
qO2+O6CqYw==
——END
CERTIFICATE——
CertUtil:
-ca.cert command completed successfully.
I installed Active Directory by selecting the “Active Directory Domain Services” Role from the Server Manager Dialogue. Step by step instructions can be seen in Deploying a Test Windows Environment in a KVM Infrastucture.
After you installed AD you can confirm that it’s listening on port 389:
C:UsersAdministrator>netstat -abn | findstr :389
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING
TCP 127.0.0.1:389 127.0.0.1:49160 ESTABLISHED
TCP 127.0.0.1:49160 127.0.0.1:389 ESTABLISHED
TCP 192.168.250.47:389 192.168.250.47:49175 ESTABLISHED
TCP 192.168.250.47:49175 192.168.250.47:389 ESTABLISHED
We can see it’s listening on port 389 and there are some local connections to that port for the AD server. Now let’s go ahead and add a test LDAP user for our queries.
Add New User to AD via the “Active Directory Users and Computers” Console
To start the “Active Directory Users and Computers” Console, execute the following command from the run dialogue: dsa.msc
. At which point you will see the following window:
Then right click in the white space and go to “New” -> “User”:
Then fill out the User information:
Lastly set the user’s password:
After it’s all said and done you will see the following in the “Active Directory Users and Computers” Console:
So our test user will be elatov.
From the run dialogue run: ldp.exe
and you will see the following:
Now let’s bind to the AD server, since we are local to the AD server we can just bind with the same user that we are currently logged in:
and let’s leave the defaults:
After clicking OK, you will see the connection go through and the bind to the AD server succeed:
Now let’s start browsing the AD server, first let’s select the “Tree” view:
After that we need to choose the BaseDN, this is basically where we want to start the search. We will choose dc=elatov,dc=local, which is basically the root of the AD server.
I just want to see all the available branches/children that are part of the AD server:
Expanding the User branch and locating our test user “elatov”, we see the following:
We can see that the DN (Distinguished Name) of the test user is: CN=Karim Elatov,CN=Users,DC=elatov,DC=local
. From now on since we know all the users are under CN=Users,DC=elatov,DC=local we will use that as our BaseDN, this way we don’t have to query the whole AD structure.
Use dsquery to find DNs of Users
There is a command line utility called dsquery, which shows a more succinct view. For example to find the DN of our user, we can run the follow command from the command prompt:
C:UsersAdministrator>dsquery user -name "Karim Elatov"
"CN=Karim Elatov,CN=Users,DC=elatov,DC=local"
If you want to find out all the available groups in an AD server, you can run the following:
C:UsersAdministrator>dsquery group DC=elatov,DC=local
"CN=Administrators,CN=Builtin,DC=elatov,DC=local"
"CN=Users,CN=Builtin,DC=elatov,DC=local"
"CN=Guests,CN=Builtin,DC=elatov,DC=local"
"CN=Print Operators,CN=Builtin,DC=elatov,DC=local"
"CN=Backup Operators,CN=Builtin,DC=elatov,DC=local"
"CN=Replicator,CN=Builtin,DC=elatov,DC=local"
"CN=Remote Desktop Users,CN=Builtin,DC=elatov,DC=local"
"CN=Network Configuration Operators,CN=Builtin,DC=elatov,DC=local"
"CN=Performance Monitor Users,CN=Builtin,DC=elatov,DC=local"
"CN=Performance Log Users,CN=Builtin,DC=elatov,DC=local"
"CN=Distributed COM Users,CN=Builtin,DC=elatov,DC=local"
"CN=IIS_IUSRS,CN=Builtin,DC=elatov,DC=local"
"CN=Cryptographic Operators,CN=Builtin,DC=elatov,DC=local"
"CN=Event Log Readers,CN=Builtin,DC=elatov,DC=local"
"CN=Certificate Service DCOM Access,CN=Builtin,DC=elatov,DC=local"
"CN=Domain Computers,CN=Users,DC=elatov,DC=local"
"CN=Domain Controllers,CN=Users,DC=elatov,DC=local"
"CN=Schema Admins,CN=Users,DC=elatov,DC=local"
"CN=Enterprise Admins,CN=Users,DC=elatov,DC=local"
"CN=Cert Publishers,CN=Users,DC=elatov,DC=local"
"CN=Domain Admins,CN=Users,DC=elatov,DC=local"
"CN=Domain Users,CN=Users,DC=elatov,DC=local"
"CN=Domain Guests,CN=Users,DC=elatov,DC=local"
"CN=Group Policy Creator Owners,CN=Users,DC=elatov,DC=local"
"CN=RAS and IAS Servers,CN=Users,DC=elatov,DC=local"
"CN=Server Operators,CN=Builtin,DC=elatov,DC=local"
"CN=Account Operators,CN=Builtin,DC=elatov,DC=local"
"CN=Pre-Windows 2000 Compatible Access,CN=Builtin,DC=elatov,DC=local"
"CN=Incoming Forest Trust Builders,CN=Builtin,DC=elatov,DC=local"
"CN=Windows Authorization Access Group,CN=Builtin,DC=elatov,DC=local"
"CN=Terminal Server License Servers,CN=Builtin,DC=elatov,DC=local"
"CN=Allowed RODC Password Replication Group,CN=Users,DC=elatov,DC=local"
"CN=Denied RODC Password Replication Group,CN=Users,DC=elatov,DC=local"
"CN=Read-only Domain Controllers,CN=Users,DC=elatov,DC=local"
"CN=Enterprise Read-only Domain Controllers,CN=Users,DC=elatov,DC=local"
"CN=DnsAdmins,CN=Users,DC=elatov,DC=local"
"CN=DnsUpdateProxy,CN=Users,DC=elatov,DC=local"
Use openldap Tools to perform an LDAP Query
There are a couple of versions of LDAP clients for Linux:
- Mozilla LDAP Tools.
- OpenLDAP Client Tools
Usually the location of the binary will let you know which one you have. For example here are two binaries on the same system:
$ where ldapsearch
/usr/bin/ldapsearch
/usr/lib/mozldap/ldapsearch
RedHat mostly uses the Mozilla version. From “LDAP Tool Locations”:
For all Red Hat Directory Server guides and documentation, the LDAP tools used in the examples, such as ldapsearch and ldapmodify, are the Mozilla LDAP tools. For most Linux systems, OpenLDAP tools are already installed in the /usr/bin/ directory.
The two different versions have different arguments so make sure you know which one you are using. Let’s perform an LDAP query with openldap tools first:
# ldapsearch -h 192.168.250.47 -b "CN=Users,DC=elatov,DC=local" -s sub -D "administrator@elatov.local" -W "sAMAccountName=elatov"
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base cn =Users,DC=elatov,DC=local> with scope subtree
# filter: sAMAccountName=elatov
# requesting: ALL
#
# Karim Elatov, Users, elatov.local
dn: CN=Karim Elatov,CN=Users,DC=elatov,DC=local
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: user
cn: Karim Elatov
sn: Elatov
givenName: Karim
distinguishedName: CN=Karim Elatov,CN=Users,DC=elatov,DC=local
instanceType: 4
whenCreated: 20130511230624.0Z
whenChanged: 20130511230624.0Z
displayName: Karim Elatov
uSNCreated: 94257
uSNChanged: 94262
name: Karim Elatov
objectGUID:: w1P90HpQKU2DUtBdEHJ98w==
userAccountControl: 66048
badPwdCount: 0
codePage: 0
countryCode: 0
badPasswordTime: 0
lastLogoff: 0
lastLogon: 0
pwdLastSet: 130127871842187500
primaryGroupID: 513
objectSid:: AQUAAAAAAAUVAAAA0uO84TKspJERrqPGUgQAAA==
accountExpires: 9223372036854775807
logonCount: 0
sAMAccountName: elatov
sAMAccountType: 805306368
userPrincipalName: elatov@elatov.local
objectCategory: CN=Person,CN=Schema,CN=Configuration,DC=elatov,DC=local
dSCorePropagationData: 16010101000000.0Z
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
We can see that I used “CN=Users,DC=elatov,DC=local” as my baseDN and I used the account “administrator@elatov.local” to bind to the AD server. I could also use the elatov account to bind with, for example:
# ldapsearch -h 192.168.250.48 -b "CN=Users,DC=elatov,DC=local" -s sub -D "elatov@elatov.local" -W "sAMAccountName=elatov" name
Enter LDAP Password:
# extended LDIF
#
# LDAPv3
# base cn =Users,DC=elatov,DC=local> with scope subtree
# filter: sAMAccountName=elatov
# requesting: name
#
# Karim Elatov, Users, elatov.local
dn: CN=Karim Elatov,CN=Users,DC=elatov,DC=local
name: Karim Elatov
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
Notice this time I just grabbed the name field to narrow down the search results.
Use mozldap Tools to perform an LDAP Query
Here is the same query as above using the Mozilla LDAP tools:
# /usr/lib/mozldap/ldapsearch -h 192.168.250.47 -b "CN=Users,DC=elatov,DC=local" -s sub -D "administrator@elatov.local" -w - "sAMAccountName=elatov" name
Enter bind password:
version: 1
dn: CN=Karim Elatov,CN=Users,DC=elatov,DC=local
name: Karim Elatov
For now only the password arguments are different.
After installing the “Active Directory Domain Services” role, it actually starts the AD Server on the Secure port (636):
C:UsersAdministrator>netstat -abnt | findstr :636
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING
But since we have not uploaded an appropriate certificate it won’t work properly.
LDAPS Prerequisites
The list is available at Event ID 1220 — LDAP over SSL, from that page:
-
Certificate must be valid for the purpose of Server Authentication. This means that it must also contains the Server Authentication object identifier (OID): 1.3.6.1.5.5.7.3.1
-
The Subject name or the first name in the Subject Alternative Name (SAN) must match the Fully Qualified Domain Name (FQDN) of the host machine, such as Subject:CN=server1.contoso.com.
-
The host machine account must have access to the private key.
I had recently created my own certificate with my own CA. Check out “certificate_properties.c source file here are the different OIDs defined:
{"1.3.6.1.5.5.7.3.1", "TLS WWW Server"},
{"1.3.6.1.5.5.7.3.2", "TLS WWW Client"},
{"1.3.6.1.5.5.7.3.3", "Code signing"},
{"1.3.6.1.5.5.7.3.4", "Email protection"},
{"1.3.6.1.5.5.7.3.8", "Time stamping"},
{"1.3.6.1.5.5.7.3.9", "OCSP signing"},
{"2.5.29.37.0", "Any purpose"},
{"2.5.29.9", "Subject Directory Attributes"},
{"2.5.29.14", "Subject Key Identifier"},
{"2.5.29.15", "Key Usage"},
{"2.5.29.16", "Private Key Usage Period"},
{"2.5.29.17", "Subject Alternative Name"},
{"2.5.29.19", "Basic Constraints"},
{"2.5.29.30", "Name Constraints"},
{"2.5.29.31", "CRL Distribution Points"},
{"2.5.29.32", "Certificate Policies"},
{"2.5.29.33", "Policy Mappings"},
{"2.5.29.35", "Authority Key Identifier"},
{"2.5.29.36", "Policy Constraints"},
{"2.5.29.37", "Extended Key Usage"},
{"2.5.29.46", "Delta CRL Distribution Point"},
{"2.5.29.54", "Inhibit Any-Policy"},
So let’s fire up gnomint and check to see if I was lucky enough to allow this certificate to be used for a “TLS WWW Server”. To check out if the certificate can be used for that functionality, right click on the certificate and select Properties:
Then click on the “Details” tab, expand the “Extensions”, and lastly expand the “Extended Key Usage” section:
Yay! I was lucky enough to leave that option enabled. I was using a wild certificate so the subject name would match as well. Now let’s follow the instructions from the above Microsoft page to import the certificate.
1. Open Microsoft Management Console (MMC).
From the Run dialogue, enter: mmc
and you will see this:
2.Click File, click Add/Remove Snap-in, select Certificates from the available snap-ins, and then click Add:
3. In Add or Remove Snap-ins, click Service account to view the certificates that are stored in the service’s personal store, and then click Next:
4. In Add or Remove Snap-ins, click Local computer, and then click Next.
5. In Add or Remove Snap-ins, click Active Directory Domain Services, click Finish, and then click OK:
6. In the console tree, expand Certificates — Service (Active Directory Domain Services), expand Personal, and then expand Certificates:
7. To import a certificate, right-click the NTDSPersonal folder, click All Tasks, and then click Import:
After the certificate is imported you will see the following in the Snap-In:
Since this a self-signed certificate make sure you follow the instructions laid out in “Setup Your Own Certificate Authority (CA) on Linux and Use it in a Windows Environment” to import your own CA Certificate under the regular Certificate store. Just launch: certmgr.msc
and make sure your CA is in the “Trusted Root Certificate Authorities” folder:
Test LDAPS Connection with ldp.exe
Start ldp.exe, go to “Connection” -> “Connect”, and fill out the necessary information and make sure SSL is chosen:
Then click OK and make sure the connection is successful:
Perform LDAPS Query with OpenLDAP tools
If we try the regular search, we will get this error:
# ldapsearch -x -H ldaps://192.168.250.47:636 -b "CN=Users,DC=elatov,DC=local" -D "administrator@elatov.local" -W - -s sub "(sAMAccountName=elatov)" name
Enter LDAP Password:
ldap_bind: Can't contact LDAP server (-1)
additional info: error:14090086:SSL routines:SSL3_GET_SERVER_CERTIFICATE:certificate verify failed
Since we are using a self-signed certificate, this is expected. From the man page of ldap.conf, we have the following options:
TLS_CACERT filename
Specifies the file that contains certificates for all of the Certificate Authorities the client will recognize. This is thepreferred method for specifying the list of Certificate Author-
ity certificates.
...
...
TLS_CERT filename
Specifies the file that contains the client certificate. This is a user-only option.
...
...
TLS_REQCERT level
Specifies what checks to perform on server certificates in a TLS session, if any. The level can be specified as one of the fol-lowing keywords:
never The client will not request or check any server certifi-cate.
allow The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad cer-tificate is provided, it will be ignored and the session proceeds normally.
try The server certificate is requested. If no certificate is provided, the session proceeds normally. If a bad cer-tificate is provided, the session is immediately termi-nated.
demand | hard
These keywords are equivalent. The server certificate is requested. If no certificate is provided, or a bad cer-tificate is provided, the session is immediately termi-nated. This is the default setting.
I had the certificate, but didn’t want to bother with the TLS Verification, so I just ignored it:
# LDAPTLS_REQCERT=never ldapsearch -x -H ldaps://192.168.250.47:636 -b "CN=Users,DC=elatov,DC=local" -D "administrator@elatov.local" -W -s sub "sAMAccountName=elatov" name -LLL
Enter LDAP Password:
dn: CN=Karim Elatov,CN=Users,DC=elatov,DC=local
name: Karim Elatov
The main difference are between SSL and non-SSL openldap’s ldapsearch were:
- -H to specify the URI of the AD server
- -x to use simple authentication instead of SASL
- -LLL to get a more succinct search result
Perform LDAPS Query with MozLDAP tools
Initially the query had the following error:
# /usr/lib/mozldap/ldapsearch -Z -h 192.168.250.47 -p 636 -D "administrator@elatov.local" -w - -s base -b "CN=Users,DC=elatov,DC=local" "sAMAccountName=elatov" name
Enter bind password:
SSL initialization failed: error -8174 (security library: bad database.)
with MozLDAP it actually uses NSS to verify the SSL certificates and unfortunately you can’t ignore the verification (or I didn’t find a way). So let’s go ahead and generate a brand new NSSDB:
# mkdir -p .pki/nssdb
# certutil -N -d .pki/nssdb
Enter a password which will be used to encrypt your keys.
The password should be at least 8 characters long,
and should contain at least one non-alphabetic character.
Enter new password:
Re-enter password:
Now let’s put in our CA into the NSSDB:
# certutil -d .pki/nssdb -A -n 'elatov-local-root-ca' -i root-ca-elatov-local.pem -t TCP,TCP,TCP
Now let’s make sure it’s there:
# certutil -d .pki/nssdb -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
elatov-local-root-ca CT,C,C
Now let’s do the actual LDAP query with MozLDAP over LDAPS:
# /usr/lib/mozldap/ldapsearch -h 192.168.250.47 -p 636 -Z -P .pki/nssdb/ -b "CN=Users,DC=elatov,DC=local" -s sub -D "administrator@elatov.local" -w - "sAMAccountName=elatov" name
Enter bind password:
version: 1
dn: CN=Karim Elatov,CN=Users,DC=elatov,DC=local
name: Karim Elatov
Now we have confirmed in many different ways that LDAPS on the AD server is working.
ВНИМАНИЕ!
Эта инструкция актуальна только до версии ADVANTA 3.19 включительно.
Актуальная инструкция для версии 3.20 и выше находится здесь.
Данный тип интеграции позволяет подключаться к Адванте с использованием Active Directory с компьютеров, размещенных в одном домене. При этом допускается, что сервер с системой может находится вне домена, а географически – в любой части мира.
Интеграционное решение ориентировано на компоненты Active Directory:
-
Служба федерации Active Directory (AD FS).
-
Служба каталогов Active Directory; доступ к ней осуществляется по LDAP.
Службы федерации Active Directory используются для аутентификации пользователей. AD FS позволяет использовать технологию единого входа (SSO). В нашем случае важно, что AD FS использует Встроенную Аутентификацию Windows, что позволяет входить в систему без ввода логина и пароля (требует настройки в IE и Firefox). Если пользователи будут использовать AD FS только находясь в домене, то не обязательно делать эту службу доступной во внешнюю сеть.
Службы каталогов AD используются для импорта пользователей из AD в систему и для выбора учетной записи AD при связывании с пользователем. Связывание происходит по полю SID.
Важно!
Чтобы использовать интеграцию с Active Directory, обращение к системе Адванта должно выполняться по протоколу https.
Важно!
Сервер со службой федерации Active Directory (AD FS) должен находиться в домене на сервере клиента. При этом можно установить службу на сервер с контроллером домена (AD), однако служба технической поддержки компании Microsoft не рекомендует производить подобные установки: службы AD и ADFS должны быть размещены на различных хостах (ВМ). При этом сервер IIS может находиться как на сервере (клиента) внутри доменной сети, так и на внешнем хостинге.
Windows Server 2008R2
-
На шаге «Лицензионное соглашение» устанавливаем флажок «Я принимаю условия лицензионного соглашения». Нажимаем на кнопку «Далее».
-
На шаге «Роль сервера» выбираем роль «Сервер федерации». Нажимаем на кнопку «Далее».
-
На шаге «Установка необходимого программного обеспечения» мастер установки автоматически проверит наличие необходимых для службы федерации компонентов. Нажимаем на кнопку «Далее».
-
После завершения работы мастера установите флажок «Когда мастер закроется, запустить оснастку управления AD FS 2.0» для дальнейшей настройки службы. Нажмите на кнопку «Готово».
Windows Server 2012
-
Открываем «Диспетчер серверов»
-
Управление → Добавить роли и компоненты
-
На шаге «Перед началом работы» (если такой появится) нажимаем на кнопку «Далее»
-
На шаге «Тип установки» выбираем «Установка ролей и компонентов» и нажимаем на кнопку «Далее»
-
На шаге «Выбор сервера» выбираем сервер, на котором будет произведена установка службы федерации Active Directory. «Далее»
-
На шаге «Роли сервера» устанавливаем флажок напротив роли «Службы федерации Active Directory». Мастер добавления ролей и компонентов предложит добавить компоненты, необходимые для Службы федерации Active Directory, нажимаем на кнопку «Добавить компоненты». «Далее»
-
Шаг «Компоненты» остаётся без изменений, «Далее».
-
На шаге «Службы федерации Active Directory (AD FS)» снова нажимаем на кнопку «Далее».
-
В промежуточном шаге «Службы ролей» по умолчанию выставлен флажок «Служба федерации», ничего не изменяя нажимаем кнопку «Далее».
-
На шаге «Роль веб-сервера IIS» также нажимаем кнопку «Далее».
-
В промежуточном шаге «Службы ролей» ничего не меняем, нажимаем на кнопку «Далее».
-
На шаге «Подтверждение» нажимаем на кнопку «Установить».
-
После установки необходимых компонентов закрываем мастер установки нажатием кнопки «Закрыть».
-
Запускаем Диспетчер служб IIS.
-
Выбираем локальный сервер.
-
На начальной странице локального сервера заходим в меню «Сертификаты сервера».
-
На странице «Сертификаты сервера» нужно добавить заверенный сертификат, купленный у вендора, либо созданный в центре сертификации AD CS (если эта служба установлена). Использовать самозаверенный сертификат не рекомендуется (для каждого пользователя, который заходит через AD будет предупреждение в браузере; во многих браузерах чтобы продолжить работу с таким сертификатом, надо проделать определенные действия, например, добавить сайт в исключения, что многим пользователям будет не под силу).
-
В поле «Понятное имя сертификата» впишите имя, например:
ADFS_Certificate
, в разделе «Выбрать хранилище сертификата для нового сертификата:» выберите «Личный».
Диспетчер служб IIS можно закрыть. -
Windows Server 2008R2: После установки AD FS 2.0 оснастка управления должна была запуститься автоматически. Если этого не произошло, запустите оснастку вручную: Пуск → Все программы → Администрирование → Управление AD FS 2.0
Windows Server 2012: В диспетчере серверов нажмите на значок уведомлений (флаг с восклицательным знаком в треугольнике). В открывшемся уведомлении «Конфигурация после развертывания» нажимаем «Запустить оснастку управления AD FS». -
В открывшейся оснастке выбираем «Мастер настройки сервера федерации AD FS».
-
На шаге «Добро пожаловать!» устанавливаем флажок напротив пункта «Создать службу федерации» и нажимаем на кнопку «Далее».
-
На шаге «Выберите тип развертывания» выбираем опцию «Изолированный сервер федерации» и нажимаем на кнопку «Далее».
-
На шаге «Имя службы федерации» возможно выбрать SSL-сертификат для веб-сайта. Т.к. в п.5 создавался только один сертификат (ADFS_Certificate), он подставится по умолчанию, без права выбора сертификатов. В случае, если сертификатов больше, необходимо выбрать нужный. Нажимаем кнопку «Далее».
-
На шаге «Сводка» мастер настройки покажет, какие параметры будут настроены для служб AD FS. Ознакомившись нажимаем на кнопку «Далее».
-
После завершения работы мастера нажимаем кнопку «Закрыть». Если оснастка AD FS закрылась, запустите её заново.
-
В оснастке управления AD FS появится ссылка «Обязательно: добавьте доверенную проверяющую сторону» — нажимаем, запустится мастер добавления отношений доверия проверяющей стороны.
-
Шаг «Добро пожаловать!» – нажмите на кнопку «Запустить».
-
На шаге «Выберите источник данных» устанавливаем флажок на пункте «Ввод данных о проверяющей стороне вручную». Нажимаем кнопку «Далее».
-
На шаге «Укажите отображаемое имя», в поле «Отображаемое имя:» вводим имя для проверяющей стороны (например: advanta), и, при необходимости, любые примечания. Нажимаем на кнопку «Далее».
-
На шаге «Выберите профиль» устанавливаем значение напротив пункта «Профиль AD FS». Нажимаем на кнопку «Далее».
-
На шаге «Настройте сертификат» возможно указать дополнительный сертификат шифрования маркера, если это необходимо. Нажимаем на кнопку «Далее».
-
На шаге «Настройте URL-адрес» устанавливаем флажок напротив пункта «Включить поддержку пассивного протокола WS-Federation», далее, в поле «URL-адрес пассивного протокола WS-Federation проверяющей стороны» вводим адрес страницы
ADFS_Login.aspx
в Вашей системе (например:https://your.system.ru/streamline/ADFS_Login.aspx
). Нажимаем на кнопку «Далее». -
На шаге «Настройте идентификаторы» в поле «Идентификатор отношения доверия проверяющей стороны:» введите адрес Вашей системы (например, в нашем случае это:
https://your.system.ru/streamline
). Нажмите «Далее». -
На шаге «Выберите правила авторизации выдачи» выберите пункт «Разрешить доступ к этой проверяющей стороне всем пользователям». Или, после настройки мастера, настройте конкретных пользователей. Нажимаем на кнопку «Далее».
-
На шаге «Готовность для добавления отношения доверия» можете проверить все настройки и нажмите «Далее».
-
На шаге «Готово» установите флажок «Открыть диалоговое окно «Изменение правил утверждений» для этого отношения доверия проверяющей стороны после закрытия мастера» и нажмите на кнопку «Закрыть».
-
Откроется окно «Изменение правил утверждений для advanta (отображаемое имя, которое мы ввели в п.16)». На вкладке «Правило Преобразования выдачи» нажимаем кнопку «Добавить правило…». — В мастере добавления правила преобразования утверждения, на шаге «Выберите тип правила», выберите шаблон правила утверждения: «Отправка утверждений с помощью настраиваемого правила». Нажимаем на кнопку «Далее».
-
На шаге «Настройте правило утверждения»:
-
После этого снова появится окно «Изменение правил утверждений для advanta». Нажмите на кнопку «ОК».
Важно!
Для работы с AD FS на сервере c IIS требуется служба Windows Identity Foundation.
Скачать Windows Identity Foundation можно по ссылке.
Предварительные действия на сервере приложения:
-
Проверить/установить Windows Identity Foundation
-
Проверить/добавить файл
ADFS_Login.aspx
в корень приложения
Службы каталогов AD должны быть доступны для сервера IIS по LDAP. Для системы «Адванта» настройка службы выполняется в конфигурационных файлах, находящимися в папке с веб-контентом системы.
Основные настройки интеграции со службой AD FS
-
В файле
web.config
изменить следующие значения: -
В файле
identityModel.config
изменить следующие значения:
Актуально только для Windows Server 2008 R2
-
На сервере службы федерации в IIS перейти к сайту AD FS: Сайты → Default Web Site → AD FS → ls
-
На странице сайта раздел «Проверка подлинности» → включить компонент «Проверка подлинности Windows».
-
Перейти в дополнительные параметры данного компонента → в настройке «Расширенная защита» установить «Выключена».
Настройка интеграции со службой AD FS в файле web.config (до версии 3.03.2166.х)
Настройка LDAP в файле client.config
-
В главном разделе
<configuration>
добавить следующее:<ldapService ldapPath="LDAP://адрес сервера с AD FS/" baseDN="база поиска объектов в AD"> <authenticationTypes> <add authenticationType="Secure" /> <add authenticationType="Signing" /> <add authenticationType="Sealing" /> </authenticationTypes> </ldapService>
-
В раздел
<configSections>
добавить тег:<section name="ldapService" type="Config.LDAPConfigurationSection, smcorelib" />
Ссылка на пример файла Client.config с настройками интеграции под ADFS
Службы федерации и приложение не обмениваются напрямую, только через браузер. Пользователь вводит логин и пароль для доступа к веб-сервисам AD FS, а приложение никогда не получает эти данные. Вместо логина и пароля приложение получает от AD FS утверждения, а именно доменный sid
пользователя. Передача утверждений происходит с использованием шифрования. Также утверждения подписываются в AD FS, используя SAML. Доверие приложения к сервису утверждений основано на подписи, которая проверяется по отпечатку сертификата.
Важно использовать заверенный сертификат для веб-сервисов AD FS (этот сертификат устанавливается в IIS). Это не тот сертификат, который используется для подписи и шифрования утверждений.
Если сертификат не заверен центром сертификации (создан самозаверенный), то нужно будет установить его на рабочие станции пользователей в корневые центры сертификации. В этом случае экспортируется сертификат, созданный на шаге 4 в подразделе «Начальная настройка AD FS»
-
Установить сертификат в Доверительные корневые центры сертификации.
-
Добавить систему в надежные сайты (Свойства браузера → Безопасность → Надежные сайты → Сайты → Добавить сайт
https://имя системы в сертификате безопасности
→ Закрыть).
После выполнения всех вышеописанных настроек, необходимо активировать синхронизацию с AD в самой системе. Для этого под учетными данными администратора системы:
-
перейти в пункт меню «Администрирование» → «Общие настройки» → «Настройки Active Directory»;
-
в портлете «Настройки связи с Active Directory (с использованием службы ADFS)» установить чек-бокс в «Разрешить проверку учетных данных в Active Directory (с использованием службы ADFS)».
Далее, чтобы в систему можно было заходить под доменными учетными данными пользователей, нужно загрузить этих пользователей из AD. Здесь два варианта:
-
Загрузка новых пользователей из AD в систему, в настройках Active Directory, после активации синхронизации, появится кнопка «Загрузить из Active Directory». С помощью этой кнопки можно загрузить всех необходимых пользователей в систему. В этом случае в системе создаются новые пользователи с привязкой к доменной учетной записи.
-
Привязка уже существующего пользователя системы к AD. Для этого, под учетными данными администратора системы, нужно перейти в пункт меню «Команда в лицах» — «Список». Выбрать необходимого пользователя из списка и перейти в карточку редактирования этого пользователя, нажав левой кнопкой мыши по ссылке данного пользователя. В портлете «Учетная запись Active Directory» необходимо нажать кнопку-ссылку «Задать», где можно будет выбрать необходимую доменную учетную запись для привязки пользователя.
Если сервер с системой не включен в домен, при нажатии кнопки «Загрузить из Active Directory» возникнет ошибка подключения к Active Directory. В этом случае необходимо нажать кнопку «учетная запись» и ввести в появившемся окне логин и пароль доменного пользователя. Логин должен вводиться в формате domainuser
или user@domain.local
.
Мультидоменная авторизация позволяет проводить аутентификацию пользователей с помощью Active Directory, находящихся в различных доменах внутри организации. При этом необходимо, чтобы сервер с системой находился в корневом домене, а также наличие двусторонних транзитивных отношений между корневым и остальными доменами.
Мультидоменность работает по протоколу NTLM.
1. Для авторизации на сервере через AD необходимо установить службу «Windows – проверка подлинности» (Windows Authentication
).
Windows Server 2008 R2:
-
Открыть диспетчер сервера.
-
Перейти в пункт «Роли».
-
На вкладке «Службы ролей» нажать на кнопку «Добавить службы ролей».
-
В пункте «Безопасность» включить пункт «Windows — проверка подлинности».
-
Нажать «Далее».
-
«Установить».
Windows Server 2012:
-
Открыть диспетчер серверов.
-
«Управление» → «Добавить роли и компоненты».
-
На шаге «Перед началом работы» нажать «Далее».
-
На шаге «Тип установки» выбрать «Установка ролей или компонентов» и нажать «Далее».
-
На шаге «Выбор сервера» выбрать текущий сервер.
-
Перейти в пункт «Роль веб-сервера(IIS)» → «Службы ролей».
-
В пункте «Безопасность» включить пункт «проверка подлинности Windows».
-
Нажать «Далее», затем «Установить».
После установки службы «Windows — проверка подлинности» откройте Диспетчер служб IIS:
-
Перейти в раздел «Сайты» → Default Web Site (сайт с установленной системой).
-
Затем перейти в подраздел «Проверка подлинности» (в области просмотра возможностей).
-
Включить компонент «Проверка подлинности Windows».
-
Включить компонент «Анонимная проверка подлинности».
-
Все остальные компоненты выключить, если они включены.
2. Настройка client.config:
где:
Для добавления нескольких доменов нужно добавить соответствующее количество строк, начинающихся с тега «add name…».
Ссылка на пример файла Client.config с настройками интеграции под NTLM
Добавить систему в раздел Местная интрасеть (Свойства браузера → Безопасность → Местная интрасеть → Сайты → Добавить сайт с адресом системы → Закрыть).
После выполнения всех вышеописанных настроек, необходимо активировать синхронизацию с AD в самой системе. Для этого под учетными данными администратора системы:
-
перейти в пункт меню «Администрирование» → «Общие настройки» → «Настойки Active Directory»;
-
в портлете «Настройки связи с Active Directory (с использованием NTLM)» поставить чек-бокс напротив «Разрешить проверку учетных данных в Active Directory (с использованием NTLM)» .
Далее, чтобы пользователи могли заходить в систему под своими доменными учетными записями, их нужно загрузить в систему из AD. Здесь два варианта:
-
Загрузка новых пользователей из AD в систему, в настройках Active Directory, после активации синхронизации, появится кнопка «Загрузить из Active Directory». С помощью этой кнопки можно загрузить всех необходимых пользователей в систему. В этом случае в системе создаются новые пользователи с привязкой к доменной учетной записи.
-
Привязка уже существующего пользователя системы к AD. Для этого, под учетными данными администратора системы, нужно перейти в пункт меню «Команда в лицах» — «Список». Выбрать необходимого пользователя из списка и перейти в карточку редактирования этого пользователя, нажав левой кнопкой мыши по ссылке данного пользователя. В портлете «Учетная запись Active Directory» необходимо нажать кнопку-ссылку «Задать», где можно будет выбрать необходимую доменную учетную запись для привязки пользователя.
Enable LDAP over SSL (LDAPS) for Microsoft Active Directory servers.
Microsoft active directory servers will default to offer LDAP connections over unencrypted connections (boo!).
The steps below will create a new self signed certificate appropriate for use with and thus enabling LDAPS for an AD server. Of course the «self-signed» portion of this guide can be swapped out with a real vendor purchased certificate if required.
Steps have been tested successfully with Windows Server 2012R2, but should work with Windows Server 2008 without modification. Requires a working OpenSSL install (ideally Linux/OSX) and (obviously) a Windows Active Directory server.
- Create root certificate
- Import root certificate into trusted store of domain controller
- Create client certificate
- Accept and import certificate
- Reload active directory SSL certificate
- Test LDAPS using
ldp.exe
utility - Reference
Create root certificate
Using OpenSSL, create new private key and root certificate. Answer country/state/org questions as suitable:
$ openssl genrsa -aes256 -out ca.key 4096 $ openssl req -new -x509 -days 3650 -key ca.key -out ca.crt
Hold onto the resulting ca.key
and ca.crt
.
Import root certificate into trusted store of domain controller
- From the active directory server, open
Manage computer certificates
. - Add the generated
ca.crt
to the certificate pathTrusted Root Certification AuthoritiesCertificates
. - Done.
Create client certificate
We will now create a client certificate to be used for LDAPS, signed against our generated root certificate.
From the active directory server:
-
Create a new
request.inf
definition with the following contents — replacingACTIVE_DIRECTORY_FQDN
with the qualified domain name of your active directory server:[Version] Signature="$Windows NT$" [NewRequest] Subject = "CN=ACTIVE_DIRECTORY_FQDN" KeySpec = 1 KeyLength = 2048 Exportable = TRUE MachineKeySet = TRUE SMIME = FALSE PrivateKeyArchive = FALSE UserProtected = FALSE UseExistingKeySet = FALSE ProviderName = "Microsoft RSA SChannel Cryptographic Provider" ProviderType = 12 RequestType = PKCS10 KeyUsage = 0xa0 [EnhancedKeyUsageExtension] OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
-
Run the following to create a client certificate request of
client.csr
(note: it’s critical this is run from the active directory server itself to ensure correct private key -> certificate association):C:> certreq -new request.inf client.csr
Back to our OpenSSL system:
-
Create
v3ext.txt
containing the following:keyUsage=digitalSignature,keyEncipherment extendedKeyUsage=serverAuth subjectKeyIdentifier=hash
-
Create a certificate
client.crt
from certificate requestclient.csr
and root certificate (with private key):$ openssl x509 -req -days 3650 -in client.csr -CA ca.crt -CAkey ca.key -extfile v3ext.txt -set_serial 01 -out client.crt
-
Verify generated certificate:
$ openssl x509 -in client.crt -text
-
Ensure the following
X509v3 extensions
are all present:X509v3 Key Usage: Digital Signature, Key Encipherment
X509v3 Extended Key Usage: TLS Web Server Authentication
X509v3 Subject Key Identifier
Accept and import certificate
-
From the active directory server with
client.crt
present, run the following:C:> certreq -accept client.crt
-
Open
Manage computer certificates
, the new certificate should now be present underPersonalCertificates
. Ensure that:- Certificate has a private key association.
- The «Intended Purposes» is defined as «Server Authentication».
- Certificate name is the FQDN of the active directory server.
Reload active directory SSL certificate
Alternatively you can just reboot the server, but this method will instruct the active directory server to simply reload a suitable SSL certificate and if found, enable LDAPS:
-
Create
ldap-renewservercert.txt
containing the following:dn: changetype: modify add: renewServerCertificate renewServerCertificate: 1 -
-
Run the following command:
C:> ldifde -i -f ldap-renewservercert.txt
Test LDAPS using ldp.exe
utility
-
From another domain controller, firstly install our generated root certificate
ca.crt
to the certificate pathTrusted Root Certification AuthoritiesCertificates
. -
Open utility:
-
From
Connection
, selectConnect
. -
Enter name of target domain controller.
-
Enter
636
as port number (this is the LDAPS port). -
Click
OK
to confirm the connection works. -
You’re all done!
Reference
- Enable LDAP over SSL with a third-party certification authority: https://support.microsoft.com/en-us/kb/321051
- LDAP renewServerCertificate: https://msdn.microsoft.com/en-us/library/cc223311.aspx
- How to Enable LDAPS in Active Directory (similar outcome to above): http://www.javaxt.com/tutorials/windows/how_to_enable_ldaps_in_active_directory
- DigiCert LDAPS certificate install guide: https://www.digicert.com/ssl-certificate-installation-microsoft-active-directory-ldap-2012.htm