---
title: Configure Secure LDAP (LDAPS) in Azure AD Domain Services | Microsoft Docs
description: Configure Secure LDAP (LDAPS) for an Azure AD Domain Services managed domain
services: active-directory-ds
documentationcenter: ''
author: mahesh-unnikrishnan
manager: stevenpo
editor: curtand
ms.assetid: c6da94b6-4328-4230-801a-4b646055d4d7
ms.service: active-directory-ds
ms.workload: identity
ms.tgt_pltfrm: na
ms.devlang: na
ms.topic: article
ms.date: 03/06/2017
ms.author: maheshu
---
This article shows how you can enable Secure Lightweight Directory Access Protocol (LDAPS) for your Azure AD Domain Services managed domain. Secure LDAP is also known as 'Lightweight Directory Access Protocol (LDAP) over Secure Sockets Layer (SSL) / Transport Layer Security (TLS)'.
To perform the tasks listed in this article, you need:

- A valid Azure subscription.
- An Azure AD directory - either synchronized with an on-premises directory or a cloud-only directory.
- Azure AD Domain Services must be enabled for the Azure AD directory. If you haven't done so, follow all the tasks outlined in the Getting Started guide.
- A certificate to be used to enable secure LDAP.
  - Recommended - Obtain a certificate from a trusted public certification authority. This configuration option is more secure.
  - Alternately, you may also choose to create a self-signed certificate as shown later in this article.
Acquire a valid certificate that meets the following guidelines before you enable secure LDAP. Enabling secure LDAP for your managed domain with an invalid or incorrect certificate fails.
- Trusted issuer - The certificate must be issued by an authority trusted by computers that need to connect to the domain using secure LDAP. This authority may be a public certification authority trusted by these computers.
- Lifetime - The certificate must be valid for at least the next 3-6 months. Secure LDAP access to your managed domain is disrupted when the certificate expires.
- Subject name - The subject name on the certificate must be a wildcard for your managed domain. For instance, if your domain is named 'contoso100.com', the certificate's subject name must be '*.contoso100.com'. Set the DNS name (subject alternate name) to this wildcard name.
- Key usage - The certificate must be configured for the following uses - Digital signatures and key encipherment.
- Certificate purpose - The certificate must be valid for SSL server authentication.
> [!NOTE]
> Enterprise Certification Authorities: Azure AD Domain Services does not currently support using secure LDAP certificates issued by your organization's enterprise certification authority. This restriction is because the service does not trust your enterprise CA as a root certification authority. We expect to add support for enterprise CAs in the future. If you absolutely must use certificates issued by your enterprise CA, contact us for assistance.
The first task involves obtaining a certificate used for secure LDAP access to the managed domain. You have two options:
- Obtain a certificate from a certification authority. The authority may be a public certification authority.
- Create a self-signed certificate.
If your organization obtains its certificates from a public certification authority, you need to obtain the secure LDAP certificate from that public certification authority.
When requesting a certificate, ensure that you follow the requirements outlined in Requirements for the secure LDAP certificate.
> [!NOTE]
> Client computers that need to connect to the managed domain using secure LDAP must trust the issuer of the secure LDAP certificate.
If you do not expect to use a certificate from a public certification authority, you may choose to create a self-signed certificate for secure LDAP.
Create a self-signed certificate using PowerShell
On your Windows computer, open a new PowerShell window as Administrator and type the following commands to create a new self-signed certificate.

```powershell
# The certificate is valid from now for one year; secure LDAP access is disrupted when it expires
$lifetime = Get-Date
# Subject and DNS name (subject alternative name) are the wildcard for the managed domain;
# key usage and the SSL server authentication purpose match the certificate requirements above
New-SelfSignedCertificate -Subject "*.contoso100.com" -NotAfter $lifetime.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment -Type SSLServerAuthentication -DnsName "*.contoso100.com"
```

In the preceding sample, replace '*.contoso100.com' with the DNS domain name of your Azure AD Domain Services managed domain. For example, if the DNS domain name you created for Azure AD Domain Services is 'contoso100.onmicrosoft.com', replace '*.contoso100.com' in the preceding script with '*.contoso100.onmicrosoft.com'.
The newly created self-signed certificate is placed in the local machine's certificate store.
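Before moving on, it is worth checking the certificate in the store (whether self-signed as above or issued by a public CA) against the requirements listed earlier. The following is an added example and not part of the original article; the thumbprint and domain name are placeholders for your own values, and the 90-day floor is an assumption standing in for "at least the next 3-6 months".

```powershell
# Added example (not from the article): check a certificate in the local machine store
# against the secure LDAP requirements. Thumbprint and domain name are placeholders.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $DomainName,   # e.g. contoso100.com
        [int] $MinimumDaysValid = 90                   # assumed floor for "3-6 months"
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    $wildcard = "*.$DomainName"
    $problems = @()
    # Subject name: must be the wildcard for the managed domain
    if ($cert.Subject -ne "CN=$wildcard") {
        $problems += "Subject is '$($cert.Subject)'; expected 'CN=$wildcard'"
    }
    # DNS name (subject alternative name, OID 2.5.29.17): must carry the same wildcard
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $san = if ($sanExt) { $sanExt.Format($false) } else { '' }
    if (-not $san.Contains("DNS Name=$wildcard")) {
        $problems += "Subject alternative name lacks 'DNS Name=$wildcard' (found: '$san')"
    }
    # Key usage: digital signature and key encipherment are both required
    $ku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $required = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags] 'DigitalSignature, KeyEncipherment'
    if (-not $ku -or (($ku.KeyUsages -band $required) -ne $required)) {
        $problems += "Key usage must include DigitalSignature and KeyEncipherment (found: '$($ku.KeyUsages)')"
    }
    # Certificate purpose: enhanced key usage must include Server Authentication (1.3.6.1.5.5.7.3.1)
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    if (-not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $problems += 'Enhanced key usage must include Server Authentication (1.3.6.1.5.5.7.3.1)'
    }
    # Lifetime: secure LDAP access is disrupted when the certificate expires
    $daysLeft = [int] ($cert.NotAfter - (Get-Date)).TotalDays
    if ($daysLeft -lt $MinimumDaysValid) {
        $problems += "Certificate expires in $daysLeft days; at least $MinimumDaysValid days are required"
    }
    # Private key: without it the PFX exported in the next task cannot be used
    if (-not $cert.HasPrivateKey) {
        $problems += 'No private key in the store; the exported PFX would not contain one'
    }
    [pscustomobject]@{
        Thumbprint = $cert.Thumbprint; Subject = $cert.Subject; DaysLeft = $daysLeft
        Ok = ($problems.Count -eq 0); Problems = $problems
    }
}
# Usage: thumbprint as printed by New-SelfSignedCertificate, DNS name of the managed domain
Test-LdapsCertificate -Thumbprint '<THUMBPRINT>' -DomainName 'contoso100.com' | Format-List
```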
Before you start this task, ensure that you have obtained the secure LDAP certificate from a public certification authority or have created a self-signed certificate.
Perform the following steps to export the LDAPS certificate to a .PFX file.

- Press the Start button and type R. In the Run dialog, type mmc and click OK.
- On the User Account Control prompt, click YES to launch MMC (Microsoft Management Console) as administrator.
- From the File menu, click Add/Remove Snap-in....
- In the Add or Remove Snap-ins dialog, select the Certificates snap-in, and click the Add > button.
- In the Certificates snap-in wizard, select Computer account and click Next.
- On the Select Computer page, select Local computer: (the computer this console is running on) and click Finish.
- In the Add or Remove Snap-ins dialog, click OK to add the certificates snap-in to MMC.
- In the MMC window, click to expand Console Root. You should see the Certificates snap-in loaded. Click Certificates (Local Computer) to expand it. Click to expand the Personal node, followed by the Certificates node.
- You should see the self-signed certificate we created. You can examine the properties of the certificate to ensure the thumbprint matches the one reported in the PowerShell window when you created the certificate.
- Select the self-signed certificate and right-click it. From the right-click menu, select All Tasks and then select Export....
- In the Certificate Export Wizard, click Next.
- On the Export Private Key page, select Yes, export the private key, and click Next.

  > [!WARNING]
  > You MUST export the private key along with the certificate. If you provide a PFX that does not contain the private key for the certificate, enabling secure LDAP for your managed domain fails.

- On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX) as the file format for the exported certificate.

  > [!NOTE]
  > Only the .PFX file format is supported. Do not export the certificate to the .CER file format.

- On the Security page, select the Password option and type in a password to protect the .PFX file. Remember this password, since it is needed in the next task. Click Next to proceed.

  > [!NOTE]
  > Make a note of this password. You need it while enabling secure LDAP for this managed domain in Task 3 - Enable secure LDAP for the managed domain.

- On the File to Export page, specify the file name and location where you'd like to export the certificate.
- On the following page, click Finish to export the certificate to a PFX file. You should see a confirmation dialog when the certificate has been exported.
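The same export can be scripted, which also makes it easy to confirm the warning above was honoured: that the .PFX really contains the private key before it is uploaded. This is an added example and not part of the original article; the thumbprint, output path and password are placeholders for your own values.

```powershell
# Added example (not from the article): scripted PFX export with a read-back check
# that the private key is inside. Thumbprint and output path are placeholders.
function Export-LdapsPfx {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $OutFile,
        [Parameter(Mandatory)] [securestring] $Password
    )
    $cert = Get-Item -Path "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) {
        throw "Certificate $Thumbprint has no private key in the store; secure LDAP cannot be enabled with it"
    }
    # Write PKCS #12 (.PFX) including the private key; the password protects the file
    # and is needed again when enabling secure LDAP in Task 3
    Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $Password -ChainOption EndEntityCertOnly | Out-Null

    # Load the file back and confirm the private key travelled with the certificate
    $pfx = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($OutFile, $Password)
    if ($pfx.Thumbprint -ne $cert.Thumbprint -or -not $pfx.HasPrivateKey) {
        throw "$OutFile does not contain the private key for $Thumbprint; do not upload it"
    }
    [pscustomobject]@{
        File = $OutFile; Thumbprint = $pfx.Thumbprint
        HasPrivateKey = $pfx.HasPrivateKey; NotAfter = $pfx.NotAfter
    }
}

# Usage: prompt for the PFX password so it is not left in the script or shell history
$pfxPassword = Read-Host -AsSecureString -Prompt 'Password to protect the PFX file'
Export-LdapsPfx -Thumbprint '<THUMBPRINT>' -OutFile 'C:\certs\ldaps-contoso100.pfx' -Password $pfxPassword
```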
To enable secure LDAP, perform the following configuration steps:

- Navigate to the Azure classic portal.
- Select the Active Directory node on the left pane.
- Select the Azure AD directory (also referred to as 'tenant') for which you have enabled Azure AD Domain Services.
- Click the Configure tab.
- Scroll down to the section titled domain services. You should see an option titled Secure LDAP (LDAPS) as shown in the following screenshot:
- Click the Configure certificate ... button to bring up the Configure Certificate for Secure LDAP dialog.
- Click the folder icon below PFX FILE WITH CERTIFICATE to specify the PFX file that contains the certificate you wish to use for secure LDAP access to the managed domain. Also enter the password you specified when exporting the certificate to the PFX file. Then, click the done button on the bottom.
- The domain services section of the Configure tab is grayed out and shows the Pending... state for a few minutes. During this period, the LDAPS certificate is verified for accuracy and secure LDAP is configured for your managed domain.

  > [!NOTE]
  > It takes about 10 to 15 minutes to enable secure LDAP for your managed domain. If the provided secure LDAP certificate does not match the required criteria (for example, the domain name is incorrect, or the certificate has already expired or expires soon), secure LDAP is not enabled for your directory and you see a failure.

- When secure LDAP is successfully enabled for your managed domain, the Pending... message should disappear. You should see the thumbprint of the certificate displayed.
Optional task - If you do not plan to access the managed domain using LDAPS over the internet, skip this configuration task.
Before you begin this task, ensure you have completed the steps outlined in Task 3.
- You should see an option to ENABLE SECURE LDAP ACCESS OVER THE INTERNET in the domain services section of the Configure page. This option is set to NO by default, since internet access to the managed domain over secure LDAP is disabled by default.
- Toggle ENABLE SECURE LDAP ACCESS OVER THE INTERNET to YES. Click the SAVE button on the bottom panel.
- The domain services section of the Configure tab is grayed out and shows the Pending... state for a few minutes. After some time, internet access to your managed domain over secure LDAP is enabled.

  > [!NOTE]
  > It takes about 10 minutes to enable internet access over secure LDAP for your managed domain.

- When secure LDAP access to your managed domain over the internet is successfully enabled, the Pending... message should disappear. You should see the external IP address that can be used to access your directory over LDAPS in the field EXTERNAL IP ADDRESS FOR LDAPS ACCESS.
Optional task - If you do not plan to access the managed domain using LDAPS over the internet, skip this configuration task.
Before you begin this task, ensure you have completed the steps outlined in Task 4.
Once you have enabled secure LDAP access over the internet for your managed domain, you need to update DNS so that client computers can find this managed domain. At the end of task 4, an external IP address is displayed on the Configure tab in EXTERNAL IP ADDRESS FOR LDAPS ACCESS.
Configure your external DNS provider so that the DNS name of the managed domain (for example, 'ldaps.contoso100.com') points to this external IP address. In our example, we need to create the following DNS entry:
ldaps.contoso100.com -> 52.165.38.113
That's it - you are now ready to connect to the managed domain using secure LDAP over the internet.
> [!WARNING]
> Remember that client computers must trust the issuer of the LDAPS certificate to be able to connect successfully to the managed domain using LDAPS. If you are using an enterprise certification authority or a publicly trusted certification authority, you do not need to do anything since client computers trust these certificate issuers. If you are using a self-signed certificate, you need to install the public part of the self-signed certificate into the trusted certificate store on the client computer.
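A quick way to confirm both points on a client computer (the DNS entry resolves, and the client trusts the issuer of the certificate the managed domain presents) is to complete a TLS handshake to the LDAPS endpoint and inspect the result. This is an added example and not part of the original article; it assumes the DNS name created in the previous task and TCP port 636, the standard LDAPS port, which the article itself does not state.

```powershell
# Added example (not from the article): handshake with the LDAPS endpoint from a client and
# report issuer trust and name match. Host name and port 636 are assumptions.
function Test-LdapsEndpoint {
    param(
        [Parameter(Mandatory)] [string] $HostName,   # e.g. ldaps.contoso100.com
        [int] $Port = 636                            # assumed: standard LDAPS port
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept whatever certificate is presented during the handshake; trust is evaluated explicitly below
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $server = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Chain build against this client's own stores: a self-signed issuer fails here until
        # its public part is installed in the client's Trusted Root store
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($server)
        $chainStatus = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        # Name check: the certificate's DNS name must be the wildcard for the managed domain
        $domain = $HostName.Substring($HostName.IndexOf('.') + 1)
        $dnsName = $server.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        [pscustomobject]@{
            HostName    = $HostName
            Protocol    = $ssl.SslProtocol
            Thumbprint  = $server.Thumbprint         # compare with the thumbprint shown on the Configure tab
            Issuer      = $server.Issuer
            NotAfter    = $server.NotAfter
            NameMatches = ($dnsName -eq "*.$domain")
            Trusted     = $trusted
            ChainStatus = if ($trusted) { 'OK' } else { $chainStatus }
        }
    } finally {
        $client.Close()
    }
}

Test-LdapsEndpoint -HostName 'ldaps.contoso100.com' | Format-List
```

If Trusted comes back False for a self-signed certificate, export its public part as a .CER file (without the private key) and install it on the client with `Import-Certificate -FilePath .\ldaps-public.cer -CertStoreLocation Cert:\LocalMachine\Root`, then rerun the check.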