In an on-premises Active Directory environment, there can be applications or services that require integration with Active Directory. With AD integration, an application can search for AD users, allow logins, assign permissions, and so on. This integration is usually done using the Lightweight Directory Access Protocol (LDAP). By default, LDAP traffic is not encrypted. Because of the vulnerabilities this creates, Microsoft now recommends using only secure LDAP (LDAPS, LDAP over SSL) connections to Domain Controllers.
Azure Active Directory Domain Services (Azure AD DS) also supports secure LDAP connections. Most of the time, the LDAP connection to Azure AD DS is initiated over the public internet, so it is important to have encryption in place to prevent man-in-the-middle attacks.
In this post, I am going to demonstrate how to enable secure LDAP for Azure AD DS. Before we start, make sure you have the following prerequisites in place.
1. Valid Azure Subscription
2. Valid Azure Active Directory Domain Services (Azure AD DS) setup – I assume you already have Azure AD DS configured. More info about Azure AD DS setup can be found at https://docs.microsoft.com/en-us/azure/active-directory-domain-services/tutorial-create-instance
3. Valid SSL certificate – We need a valid SSL certificate to enable secure LDAP. If Azure AD DS uses a custom domain name, we can use a public (third-party) CA or an enterprise CA to issue a certificate for it. If Azure AD DS is using the Microsoft default domain .onmicrosoft.com, we have to use a self-signed certificate, as a public CA can't issue certificates for the default domain. In this demo, I will be using a self-signed certificate for the configuration.
4. Test PC – We need a PC to test the secure LDAP connectivity.
Before we enable secure LDAP, we need to create a certificate for it. In this demo, my Azure AD DS instance is using the default Microsoft domain name rebeladmlive.onmicrosoft.com, so I have to use a self-signed certificate for it. To generate a self-signed certificate, we can use the following PowerShell commands. This can be run from any PC.
# Azure AD DS domain name the certificate is issued for (wildcard plus bare domain)
$domainname = "rebeladmlive.onmicrosoft.com"
# Start of the certificate lifetime; the certificate is valid for 365 days from now
$certlife = Get-Date
# Creates the certificate in Cert:\LocalMachine\My (the Computer account Personal store)
New-SelfSignedCertificate -Subject *.$domainname -NotAfter $certlife.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment -Type SSLServerAuthentication -DnsName *.$domainname, $domainname
In the above, replace rebeladmlive.onmicrosoft.com with your Azure AD DS instance name. As we can see, it created a wildcard SSL certificate for rebeladmlive.onmicrosoft.com under the Computer account.
We need to export this certificate as a .PFX file with the private key in order to:
1. Use it during the secure LDAP setup and upload it to Azure
2. Import it on any other PC that will initiate secure LDAP connections (the certificate must be imported into Computer Account\Personal\Certificates as well as Trusted Root Certification Authorities\Certificates, because it is a self-signed certificate and has no trusted root certificate above it)
To export the certificate,
1. Right-click on the certificate and go to All Tasks | Export
2. It will open up the certificate export wizard, click on Next to start the process.
3. In the next window select Yes, export the private key, and click on Next.
4. In the Export file format window, match the following selection, and click on Next.
5. In the next window, define the password for the export file and click on Next.
6. Then, select the file path for the output and click on Next.
7. In the next window, click on Finish to complete the Export process.
Now we have the .PFX file. The next step is to import it again into Trusted Root Certification Authorities\Certificates. This is required because we are using a self-signed certificate for the exercise.
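The export wizard steps above and the Trusted Root import can also be scripted. The following is an added PowerShell example (not from the original post): it locates the wildcard certificate created earlier in the Computer Personal store, exports it to a password-protected .PFX, imports it into Trusted Root Certification Authorities on the same machine, and verifies that the chain now builds. The domain name, output path and password prompt are assumptions to replace with your own values.

```powershell
# Added example, not part of the original post. Assumes the certificate was created
# with New-SelfSignedCertificate as shown earlier and lives in Cert:\LocalMachine\My.
$domainname  = "rebeladmlive.onmicrosoft.com"   # replace with your Azure AD DS domain name
$pfxPath     = "C:\temp\aadds-ldaps.pfx"        # assumed output path
$cerPath     = "C:\temp\aadds-ldaps.cer"        # assumed output path for the public part
$pfxPassword = Read-Host -Prompt "PFX password" -AsSecureString

# Pick the newest certificate for *.$domainname that still has its private key
$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=*.$domainname" -and $_.HasPrivateKey } |
    Sort-Object -Property NotAfter -Descending |
    Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key found for *.$domainname" }

# Export with the private key; this .PFX is the file uploaded during the secure LDAP setup
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Export the public certificate only; this is enough to establish trust on client PCs
Export-Certificate -Cert $cert -FilePath $cerPath | Out-Null

# Because the certificate is self-signed, the machine must trust it as a root.
# Importing the public .cer into Root is sufficient for trust and keeps the private key
# from being copied around.
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Chain validation should now succeed on this machine (True once the cert is in Trusted Root)
$cert.Verify()
```

Run it from an elevated PowerShell session, since writing to the LocalMachine stores requires administrator rights. The .PFX only needs to exist on the machine that uploads it to Azure; for a test PC that merely connects over LDAPS, importing the public .cer into Trusted Root Certification Authorities is what establishes trust, so the private key does not have to be distributed to every client.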