Configure SSL for Active Directory


  • Configure SSL for Active Directory

    Hello,

    I've read quite a number of articles related to enabling SSL for Active Directory/LDAP, including KB articles at Microsoft's website, but I still have some questions.

    We have a Windows 2000 domain (hopefully going to 2008 R2 this year finally!) that consists of (2) Windows 2000 domain controllers and (2) Windows 2003 domain controllers. We recently acquired a single sign-on appliance that requires that Active Directory have SSL enabled to allow password changes. Given this information, here are my questions:

    1) Assuming I use a 3rd party CA, do I need to install an SSL certificate on each domain controller? Can I normally point the single-sign on appliance to one domain controller and that would suffice?

    2) If I instead choose to install Certificate Services on a domain controller and choose the Enterprise root CA type, does the SSL certificate automatically get shared with the other domain controllers, including the 2000 and 2003 servers?

    3) In either of the scenarios above, do my Windows clients automatically accept the SSL certificates somehow, or does each Windows client in the domain need to import the certificate?

    4) Is there any scenario in which enabling SSL in Active Directory would prevent my Windows clients' ability to function or communicate with the domain controllers?

    Thanks everyone!

  • #2
    Re: Configure SSL for Active Directory

    1) http://support.microsoft.com/kb/321051
    Multiple certificates are required since each certificate contains the FQDN.

    2) http://support.microsoft.com/kb/247078
    Enabling SSL
    Install an Enterprise Certificate Authority on a Windows 2000 server. All Domain Controllers in the forest will automatically enroll for and install the appropriate certificate.

    When you install an Enterprise Certificate Authority, all Domain Controllers automatically request a certificate and can support LDAP using SSL port 636.
    3/4) Each client needs to trust the root CA, but I recommend that you test it carefully.
    Also, before configuring this you really need to think about it. Do you want a 2-tier or maybe a 3-tier PKI environment? Are you sure you want to install the CA on a DC? Isn't it better to wait until the implementation of Windows Server 2008 is completed, since a PKI migration isn't very easy to do?
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"
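    An added example, not part of the thread or of the Microsoft KB articles it links, showing the checks behind the answer above: every DC must present a certificate that names its own FQDN, and the client must trust the root CA that issued it. The DC names, the CA file path and the sample certificate dict are constructed placeholders; the dict follows the shape returned by Python's ssl.SSLSocket.getpeercert().

```python
import socket
import ssl

LDAPS_PORT = 636  # LDAP over SSL, as referenced in the KB article


def cert_matches_dc(cert, dc_fqdn):
    """Return True if the certificate names this DC.

    `cert` is the dict shape from ssl.SSLSocket.getpeercert().
    SAN dNSName entries win; commonName is only a fallback. Wildcards are
    not honoured, because a DC certificate carries the DC's exact FQDN.
    """
    wanted = dc_fqdn.lower().rstrip(".")
    sans = [v.lower().rstrip(".") for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return wanted in sans
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName" and value.lower().rstrip(".") == wanted:
                return True
    return False


def check_dc_ldaps(dc_fqdn, ca_file, timeout=5.0):
    """Connect to one DC on 636 and return (chain_trusted, name_ok, detail).

    ca_file is the PEM of the root CA the domain clients are expected to
    trust. A failed handshake means the chain is not trusted by that CA
    (or LDAPS is not enabled on the DC at all).
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = False  # name check is done separately below so it can be reported
    try:
        with socket.create_connection((dc_fqdn, LDAPS_PORT), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=dc_fqdn) as tls:
                cert = tls.getpeercert()
    except (ssl.SSLError, OSError) as exc:
        return False, False, str(exc)
    return True, cert_matches_dc(cert, dc_fqdn), cert


def audit_domain(dcs, ca_file):
    """Run the check against every DC; one failing DC is enough to break clients that pick it."""
    return {dc: check_dc_ldaps(dc, ca_file) for dc in dcs}


# Constructed sample certificate (placeholder names), showing why one cert cannot serve two DCs.
SAMPLE_CERT = {"subject": ((("commonName", "dc1.corp.example"),),),
               "subjectAltName": (("DNS", "dc1.corp.example"),)}

if __name__ == "__main__":
    print(cert_matches_dc(SAMPLE_CERT, "dc1.corp.example"), cert_matches_dc(SAMPLE_CERT, "dc2.corp.example"))
    print(audit_domain(["dc1.corp.example", "dc2.corp.example"], "enterprise-root-ca.pem"))  # placeholder path
```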



    • #3
      Re: Configure SSL for Active Directory

      Thanks for your response. To be honest, I'm looking for the simplest solution to address the request by management to enable our single-sign on appliance to be able to reset users' passwords, which requires SSL be enabled for Active Directory.

      In reading through a lot of online documentation, it seemed like using Certificate Services on a domain controller was the way to go. Is there a reason why you wouldn't recommend doing this?

      Unfortunately I don't have a test domain to test this in. Although not free, would using a 3rd party CA such as Verisign be the easier way of doing this? Assuming I go this route, would my Windows domain clients automatically start using LDAP over SSL?

      Thanks again.



      • #4
        Re: Configure SSL for Active Directory

        1. Yes you can go with just one DC, but this route is expensive and unnecessary if all your clients are internal.

        2. Yes

        3. Yes, you can control autoenrollment of CA and identity certificates via GPO settings.

        4. No



        • #5
          Re: Configure SSL for Active Directory

          Originally posted by Garen:
          1. Yes you can go with just one DC, but this route is expensive and unnecessary if all your clients are internal.

          2. Yes

          3. Yes, you can control autoenrollment of CA and identity certificates via GPO settings.

          4. No
          Thanks. If we go with just one DC, why do you say it would be an expensive route? Aren't we talking about a couple hundred dollars for an SSL cert, or am I missing something?



          • #6
            Re: Configure SSL for Active Directory

            I guess it's not; a few hundred a year doesn't sound bad.



            • #7
              Re: Configure SSL for Active Directory

              Cheap SSL Certificates:

              http://certificatesforexchange.com/

              http://www.godaddy.com/
              1 1 was a racehorse.
              2 2 was 1 2.
              1 1 1 1 race 1 day,
              2 2 1 1 2
