Installing LDAP over SSL (LDAPS) on server 2008R2/server 2012

  1. Add the following role (do this on a member server; it’s not recommended to install a CA on a DC)
    1. Active Directory Certificate Services
    2. In role services, select only Certification Authority and nothing else
    3. Setup type will be Enterprise
    4. CA type will be Root CA (assuming you just have one CA)
    5. Create a new private key
    6. Common name for the CA should be the FQDN (e.g. contoso.local)
    7. Validity period should be a good length of time; we usually recommend 5 years
    8. Now finish the install with the default settings
    9. Publishing a certificate that supports Server Authentication
      1. On the computer where you installed the Certification Authority, open the Certificates console or the Certsrv console. To open Certsrv, click Start, type certsrv.msc, and then click OK.
      2. Ensure that Certification Authority is expanded, as well as the name of the certification authority.
      3. Right-click Certificate Templates and then click Manage.
      4. In the Certificate Templates Console, right-click Kerberos Authentication and then select Duplicate Template. You don’t have to use the Kerberos template. You can create your own or use one of the existing templates that has Server Authentication as a purpose, such as Domain Controller Authentication, Domain Controller, Web Server, and Computer. Important: You should be planning on having only one certificate on each LDAP server (i.e. domain controller or AD LDS computer) with the purpose of Server Authentication.
      5. On the Duplicate Template dialog box, leave the default Windows Server 2003 Enterprise selected and then click OK.
      6. The Properties of New Template appear. Ensure that the settings are as you want them to be for this certificate template. Pay close attention to ensure that the Template display name is set to an appropriate name (e.g. LDAPoverSSL) along with the following settings:
        1. Validity and Renewal periods are set according to your organization’s security policy
        2. Key lengths are appropriate
        3. Select whether you want to place the certificate in Active Directory
        4. Subject Name tab: DNS name and Service principal name (SPN) are selected
        5. If you plan to import the certificate into the Active Directory Domain Services certificate store, you should also mark the private key as exportable
      7. Click OK.
      8. Return to the Certificates or Certsrv console and, in the details pane of Certificate Templates, right-click an open area of the console, click New, and then click Certificate Template to Issue.
      9. In the Enable Certificate Templates dialog box, select the name of the new template you created and then click OK.
  2. Either wait for the GPO to replicate or run gpupdate /force on your DCs. We find that the GPOs will propagate the CA after some time, but if you need it faster then run gpupdate /force.
  3. Test and see if LDAPS is working properly. Launch ldp.exe from Start > Run or a command prompt:
    1. Click Connection
    2. Click Connect
    3. For Server, type in the domain name (e.g. contoso.local)
    4. Port is 636 (this is the default for LDAPS unless you changed it)
    5. Check SSL
    6. Click OK to connect
    7. It should connect with no issues. If you click on Connection and the Connect item is grayed out and you can only click Disconnect, you know it works. If this is not the case you will need to call us to fix it or look into your logs.

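As an added example (not part of the original article), the same check as the ldp.exe steps in PowerShell, which also reports whether the certificate the DC presents carries the Server Authentication purpose and DNS name that the template section calls for, and whether this client already trusts the enterprise CA. The server name dc01.contoso.local is an assumed placeholder.

```powershell
# Added example (not from the original article): scripted equivalent of the ldp.exe check
# that also reports the certificate properties the template section requires.
# The server name passed at the bottom is a constructed placeholder.
function Test-LdapsEndpoint {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)

    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    # Accept whatever the DC presents during the handshake; chain and name are evaluated
    # explicitly below so the result explains why LDAPS would fail instead of just throwing.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $ssl.Dispose(); $tcp.Close() }

    # Server Authentication EKU (1.3.6.1.5.5.7.3.1): the purpose the duplicated template must carry
    $eku = $cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })

    # DNS names from the SAN extension (OID 2.5.29.17); the Subject Name tab settings put the DC FQDN here
    $dnsNames = @()
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $dnsNames = [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $nameMatches = ($dnsNames -contains $Server) -or ($cert.Subject -match ('CN=' + [regex]::Escape($Server) + '(,|$)'))

    # Does this client trust the issuing CA yet (i.e. has the GPO pushed the root certificate)?
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # CRL reachability is a separate check
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Server        = $Server
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        ServerAuthEKU = $hasServerAuth
        NameMatches   = $nameMatches
        ChainTrusted  = $chainOk
        ChainStatus   = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        LdapsReady    = $hasServerAuth -and $nameMatches -and $chainOk -and ($cert.NotAfter -gt (Get-Date))
    }
}
Test-LdapsEndpoint -Server 'dc01.contoso.local' | Format-List
```

A ChainTrusted of False with a status of UntrustedRoot is the usual sign that the GPO step above has not reached this machine yet.
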
Anonymous bind

You may find that you have LDAPS working properly but some tools will not integrate properly with AD over LDAPS. This is most common with Linux devices or other devices that you can't push SSL certificates to. What we recommend for this is to turn on anonymous bind temporarily until the connection is made, and then disable it again. AD disables this by default.

To get this working do the following:

  1. Click Start, point to Administrative Tools, and then click ADSI Edit.
  2. Connect and bind to the configuration directory partition of the AD LDS instance on which you want to allow anonymous LDAP binding.
  3. In the console tree, double-click the configuration directory partition (CN=Configuration,CN={GUID}), double-click the services container (CN=Services), double-click the Windows NT container (CN=Windows NT), right-click the directory service container (CN=Directory Service), and then click Properties.
  4. In Attributes, click dsHeuristics, and then click Edit.
  5. In Value, modify the value of the seventh character in the attribute (counting from the left) to 2, as follows:


  6. Click OK twice.

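An added PowerShell example, not from the original article, for auditing and toggling the seventh character of dsHeuristics described above, so the temporary change can be confirmed and reverted. It assumes the ActiveDirectory module and an AD DS forest, where the configuration partition is CN=Configuration,DC=..., rather than the CN={GUID} form shown above for AD LDS.

```powershell
# Added example (not from the original article). Audit and toggle the anonymous-bind switch
# described above. Requires the ActiveDirectory module and targets AD DS, where the container is
# CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=... (the CN={GUID}
# partition in the ADSI Edit steps is the AD LDS form of the same container).
Import-Module ActiveDirectory

# Pure string logic: position 7 (1-based, from the left) is fLDAPBlockAnonOps; '2' permits anonymous
# operations, '0' (the default) blocks them. Shorter values are zero-padded so position 7 exists,
# and every other position keeps its current setting.
function Set-SeventhHeuristic {
    param([string]$Current = '', [Parameter(Mandatory)][bool]$Enabled)
    $chars = $Current.PadRight(7, '0').ToCharArray()
    $chars[6] = '0'
    if ($Enabled) { $chars[6] = '2' }
    return -join $chars
}

function Get-DirectoryServiceObject {
    $configNC = (Get-ADRootDSE).configurationNamingContext
    Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNC" -Properties dsHeuristics
}

function Get-AnonymousLdapBind {
    $h = [string](Get-DirectoryServiceObject).dsHeuristics
    [pscustomobject]@{
        dsHeuristics         = $h
        AnonymousBindAllowed = ($h.Length -ge 7 -and $h[6] -eq '2')
    }
}

function Set-AnonymousLdapBind {
    param([Parameter(Mandatory)][bool]$Enabled)
    $ds  = Get-DirectoryServiceObject
    $new = Set-SeventhHeuristic -Current ([string]$ds.dsHeuristics) -Enabled $Enabled
    Set-ADObject -Identity $ds -Replace @{ dsHeuristics = $new }
    Get-AnonymousLdapBind   # re-read so the caller sees what is now in effect
}

# Typical use following the article's advice: check, enable only while the device is being
# connected, then revert and confirm the seventh character is back to 0.
Get-AnonymousLdapBind
# Set-AnonymousLdapBind -Enabled $true
# Set-AnonymousLdapBind -Enabled $false
```
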