Background and References
So, today I’m going to discuss implementing certificates for Secure LDAP on Active Directory Domain Controllers.
First of all, some helpful links. This article talks about the requirements for secure LDAP as listed below:
- The LDAPS certificate is located in the Local Computer’s Personal certificate store (programmatically known as the computer’s MY certificate store).
- A private key that matches the certificate is present in the Local Computer’s store and is correctly associated with the certificate. The private key must not have strong private key protection enabled.
- The Enhanced Key Usage extension includes the Server Authentication (1.3.6.1.5.5.7.3.1) object identifier (also known as OID).
- The Active Directory fully qualified domain name of the domain controller (for example, DC01.DOMAIN.COM) must appear in one of the following places:
- The Common Name (CN) in the Subject field.
- DNS entry in the Subject Alternative Name extension.
- The certificate was issued by a CA that the domain controller and the LDAPS clients trust. Trust is established by configuring the clients and the server to trust the root CA to which the issuing CA chains.
- You must use the Schannel cryptographic service provider (CSP) to generate the key.
Enable LDAP over SSL – Windows Server | Microsoft Docs
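The following added example (not from the article or from Microsoft's documentation) turns the requirements above into a check you can run on a domain controller: it walks the computer's MY store, keeps only certificates whose EKU includes Server Authentication, and reports for each whether the private key, the FQDN (CN or DNS SAN) and the trust chain requirements are met. It also warns when more than one certificate qualifies, because that is the situation that leads to the wrong certificate being selected later in this post.

```powershell
# Added example (not from the article): checks every certificate in the local
# computer's MY store against the LDAPS requirements listed above, and warns when
# more than one qualifies, since the DC will use the first Server Authentication
# certificate it finds. Run on the domain controller in an elevated session.
$serverAuthOid = '1.3.6.1.5.5.7.3.1'
$fqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName).ToLower()

$candidates = @(foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    # Requirement: the EKU extension must include Server Authentication.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })) { continue }

    # Requirement: the DC's FQDN must be the subject CN or a DNS entry in the SAN.
    $cn = if ($cert.Subject -match 'CN=([^,]+)') { $Matches[1].ToLower() } else { '' }
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) {
        # Format() renders the SAN as "DNS Name=fcdc01.fourthcoffee.com, DNS Name=fourthcoffee.com, ..."
        $sans = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value.ToLower() }
    }
    $nameOk = ($cn -eq $fqdn) -or ($sans -contains $fqdn)

    # Requirement: issued by a CA this machine trusts (chain only; revocation is left to the clients).
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    # Which template issued it: 1.3.6.1.4.1.311.21.7 (V2 templates) or 1.3.6.1.4.1.311.20.2 (V1).
    $tmpl = $cert.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' } |
            ForEach-Object { $_.Format($false) }

    [pscustomobject]@{
        Thumbprint    = $cert.Thumbprint
        Template      = ($tmpl -join '; ')
        HasPrivateKey = $cert.HasPrivateKey      # requirement: a matching private key in the store
        NameMatches   = $nameOk
        ChainTrusted  = $trusted
        NotAfter      = $cert.NotAfter
        SANs          = ($sans -join ', ')
        MeetsLdaps    = $cert.HasPrivateKey -and $nameOk -and $trusted -and ($cert.NotAfter -gt (Get-Date))
    }
})

$candidates | Format-List
if ($candidates.Count -gt 1) {
    Write-Warning "$($candidates.Count) Server Authentication certificates found; the DC will use the first one unless the intended certificate is placed in the NTDS store."
}
```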
This article goes into detail and covers many of the topics I will cover in this blog posting:
Deciding on a Certificate Template
So, as seen above, the most significant requirement is that the Secure LDAP certificate have Server Authentication as its purpose. But there are other reasons why you may have a certificate on a Domain Controller, such as supporting services like Smart Card Logon or Windows Hello for Business (WHfB). So, you may want some additional application policies supported in the certificate you are going to issue to Domain Controllers. There are 3 certificate templates designed for use on Domain Controllers. Keep in mind that technically you could use a Web Server certificate template to support LDAP over TLS, but the sections that follow provide reasons to use one of the three templates designed for use on a Domain Controller.
Certificate Templates
Originally, there was a Domain Controller certificate template (Windows Server 2000) that is a version 1 template, then in Windows Server 2003 the Domain Controller Authentication certificate template was released, and finally in Windows Server 2008 the Kerberos Authentication certificate template became available. The latter two are version 2 templates by default.
Application Policies
The table below shows the Application Policies (purposes) for the 3 templates. Of course, you can always duplicate these templates and add or remove whatever Application Policies you want.
Certificate Template             | Purpose 1             | Purpose 2             | Purpose 3        | Purpose 4
Domain Controller                | Server Authentication | Client Authentication |                  |
Domain Controller Authentication | Server Authentication | Client Authentication | Smart Card Logon |
Kerberos Authentication          | Server Authentication | Client Authentication | Smart Card Logon | KDC Authentication
Subject Alternative Names
Additionally, the different templates come with a different Subject and SAN configuration. The table below displays the SANs available in the Certificate Templates. I am not concerned with the subjects, because applications like TLS will ignore the subject if the SAN is present and populated.
Certificate Template             | SAN 1           | SAN 2                  | SAN 3
Domain Controller                | DS Object GUID  | DC Name (DNS)          |
Domain Controller Authentication | DC Name (DNS)   |                        |
Kerberos Authentication          | AD Domain (DNS) | AD Domain (Short name) | DC Name (DNS)
So, the typical SAN for a Domain Controller certificate will look like:
Other Name:
DS Object Guid=04 10 59 5a 08 29 a7 9a 00 43 a2 75 f3 62 6e aa 62 0b
DNS Name=FCDC01.fourthcoffee.com
The typical SAN for a Domain Controller Authentication certificate will look like:
DNS Name=FCDC01.fourthcoffee.com
And finally, the SAN for a Kerberos Authentication certificate will look like the following:
DNS Name=FCDC01.fourthcoffee.com
DNS Name=fourthcoffee.com
DNS Name=FOURTHCOFFEE
As you see the Kerberos Authentication certificate has the most Application Policies and SANs, and hence it is most likely to support almost any application you need to support, both now and in the future. So, this is the template that you would use in most scenarios.
Deployment Scenarios
There really are 3 deployment scenarios: Autoenrollment using Certificate Template Supplied Names, Using Custom SANs with Automatic Renewal, and Manual Deployment of Certificates to the NTDS Store. Depending on your environment, you could end up using all 3, for example if some of your domain controllers have other certificates installed that you need to continue to use.
Autoenrollment
Most of the configuration options use autoenrollment, so I am going to briefly describe autoenrollment and how to deploy it to domain controllers here. If you would like more information on autoenrollment, I have a video that covers this topic.
Basically, this will be an abbreviated discussion of Autoenrollment. Autoenrollment allows automatic enrollment and automatic renewal of certificates. Autoenrollment itself has some additional functionality, but I most likely won’t discuss that in this posting. From a certificate template perspective, there are many requirements to implement autoenrollment.
The steps below can be used to implement Autoenrollment for Domain Controllers. This walkthrough covers creating a new GPO on the Domain Controllers container.
Step 1: Open the Group Policy Management Console (GPMC.msc) as a user that can create new GPOs and link them to the Domain Controllers container.
Step 2: Right-click on the Domain Controllers OU and from the context menu select Create a GPO in this domain, and Link it here…

Step 3: Give the new GPO a name and then click OK

Step 4: Right-click on the new GPO and select Edit from the context menu

Step 5: Navigate to Computer Configuration\Windows Settings\Security Settings\Public Key Policies
Step 6: Locate and open the following setting: Certificate Services Client – Auto-Enrollment

Step 7: Change the Configuration Model to Enabled
Step 8: Enable the settings “Renew expired certificates, update pending certificates, and remove revoked certificates” and “Update certificates that use certificate templates”

Autoenrollment using Certificate Template Supplied Names
Configure Autoenrollment
See the Autoenrollment section above.
Configuring the Certificate Template and the CA
So, if you are happy with the SANs that the Kerberos Authentication template provides, and you do not have Server Authentication certificates on any of your domain controllers, then congratulations: you get to use the easiest option, which is deploying the Kerberos Authentication certificate template with Autoenrollment.
Step 1: Open the Certification Authority MMC (certsrv.msc)
Step 2: Navigate to Certificate Templates
Step 3: Right-click on Certificate Templates and select Manage from the context menu

Step 4: Right-click on the Kerberos Authentication Certificate Template and select Duplicate Template

Step 5: Navigate to the General Tab and name the Certificate Template and click OK

Step 6: Return to the Certification Authority MMC
Step 7: Right-click on Certificate Templates and from the context menu select New and Certificate Template to Issue

Step 8: Select the Certificate Template that was just created

The template is now available for enrollment

If you want to test enrollment and not wait for the autoenrollment client to run, you can log in to the DC and run: certutil -pulse

The certificate should now be installed on the DC
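Seeing the certificate in the store does not prove that the DC is serving it. The added example below (not from the article) completes a TLS handshake against port 636 from a client, captures the certificate the DC actually presents, and checks the SAN and the trust chain the way an LDAPS client would; the DC host name is an assumption.

```powershell
# Added example (not from the article): a client-side check of the certificate the
# DC actually serves on 636 once enrollment has completed. The host name is an
# assumption; point it at your own DC. Run from any domain-joined machine.
$dc   = 'FCDC01.fourthcoffee.com'
$port = 636

$tcp = New-Object System.Net.Sockets.TcpClient($dc, $port)
try {
    # Accept whatever the server presents so the handshake completes and the certificate
    # can be inspected; the trust decision is made explicitly further down, not here.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    $ssl.AuthenticateAsClient($dc)
    $cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $protocol = $ssl.SslProtocol
} finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}

$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$sans = @()
if ($sanExt) { $sans = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value.ToLower() } }

# Build the chain the way an LDAPS client would, revocation included, so CDP/OCSP problems show up too.
$chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$trusted = $chain.Build($cert)

[pscustomobject]@{
    Server       = $dc
    Protocol     = $protocol
    Subject      = $cert.Subject
    Issuer       = $cert.Issuer
    Thumbprint   = $cert.Thumbprint
    NotAfter     = $cert.NotAfter
    SANs         = ($sans -join ', ')
    # The name the client connects with must appear as a DNS SAN (or, failing that, as the subject CN).
    NameMatches  = ($sans -contains $dc.ToLower()) -or ($cert.Subject -match ('CN=' + [regex]::Escape($dc) + '(,|$)'))
    ChainTrusted = $trusted
    ChainErrors  = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
}
```

If NameMatches is false while the certificate looks right in certlm.msc, the DC is serving a different Server Authentication certificate, which is the case the NTDS store section below addresses.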

Using Custom SANs with Automatic Renewal
So, the process for using custom SANs requires an initial manual enrollment. However, you can use a PowerShell cmdlet for the initial enrollment, which allows you to potentially automate it. The Kerberos Authentication certificate template, as mentioned above, puts the DC FQDN and the domain’s DNS name and NetBIOS name in the certificate. In the example below, we are going to request these, and in addition to these SANs we are going to request the DNS name LDAPS.<Domain>. In my example the domain is FourthCoffee.com, so the custom SAN will be LDAPS.fourthcoffee.com.
Configure Autoenrollment
See the Autoenrollment section above.
Configuring the Certificate Template and the CA
Step 1: Launch certtmpl.msc

Step 2: Right-click on the Kerberos Authentication certificate template and select Duplicate Template from the context menu

Step 3: Give the certificate template a unique name, then click Apply

Step 4: Navigate to the Compatibility tab
Step 5: Change the Certification Authority to Windows Server 2012

Step 6: Acknowledge the resulting changes by clicking OK

Step 7: Change Certificate recipient to: Windows 8 / Windows Server 2012

Step 8: Acknowledge the resulting changes, by clicking OK

Step 9: Click Apply

Step 10: Navigate to the Subject Name tab and change the setting to Supply in the request

Step 11: When prompted about the security concerns, click OK. Note: From a security perspective you really should require Certificate Manager approval when allowing the requester to supply the subject name. The limitation is that if we did that in this situation we would be unable to automatically renew the certificates. A mitigation could be to continually review issued certificates and make sure the identities requested make sense and do not violate any security policy.

Step 12: Click OK

Step 13: Go to the Certification Authority MMC, and on the Certificate Templates container right-click and select New and then Certificate Template to Issue

Step 14: Select the certificate template you just created and click OK

The template should now be available on the CA

Manually Requesting the Initial Certificate
So, there are some options here. Of course, manually requesting the certificate on each DC is not a scalable solution. However, since this request can be done via PowerShell, the enrollment can be initiated by a script that is run by whatever configuration management software you use for Domain Controllers.
Run the following command: Get-Certificate -Template <Certificate Template you created> -DnsName <list of DNS names, separated by commas> -CertStoreLocation cert:\LocalMachine\My
An example would be: Get-Certificate -Template "OfflineKerberosAuthentication" -DnsName FCDC01.fourthcoffee.com,FourthCoffee.com,FourthCoffee,LDAPS.fourthcoffee.com -CertStoreLocation cert:\LocalMachine\My

You will now see the certificate in the Computer Certificate Store
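Because this template lets the requester supply the subject, the note to Step 11 above recommends reviewing what was actually issued. The added example below (not from the article) does that review from the CA side: it lists every issued certificate for the custom template with certutil, decodes each one, and flags DNS SANs that are not the domain name, its NetBIOS name, the agreed LDAPS alias, or the requesting DC's own FQDN. The template name, alias and CA config string are assumptions.

```powershell
# Added example (not from the article): the periodic review suggested in the note to
# Step 11 above. It reads each issued certificate for the custom template out of the
# CA database with certutil and flags DNS SANs that are not the domain's DNS name,
# its NetBIOS name, the agreed LDAPS alias, or the requesting DC's own FQDN.
# Template name, alias and CA config string are assumptions; needs the ActiveDirectory
# module and read access to the CA database.
Import-Module ActiveDirectory
$templateName = 'OfflineKerberosAuthentication'
$caConfig     = 'FCCA01.fourthcoffee.com\FourthCoffee-CA'   # assumed "<CA host>\<CA name>"
$domain       = Get-ADDomain
$dcShortNames = @(Get-ADDomainController -Filter * | ForEach-Object { $_.Name.ToLower() })
$domainNames  = @($domain.DNSRoot, $domain.NetBIOSName, "ldaps.$($domain.DNSRoot)") | ForEach-Object { $_.ToLower() }

# The CA database records V2 templates by OID, so look the OID up on the template object in AD.
$templatesDn = "CN=Certificate Templates,CN=Public Key Services,CN=Services,$((Get-ADRootDSE).configurationNamingContext)"
$oid = (Get-ADObject -SearchBase $templatesDn -Filter "name -eq '$templateName'" -Properties msPKI-Cert-Template-OID).'msPKI-Cert-Template-OID'

# Disposition 20 = issued. Drop certutil's localized header row and name the columns ourselves.
$rows = certutil -config $caConfig -view -restrict "CertificateTemplate=$oid,Disposition=20" -out 'RequestID,Request.RequesterName' csv |
        Select-Object -Skip 1 | ConvertFrom-Csv -Header RequestID, Requester | Where-Object { $_.RequestID }

foreach ($row in $rows) {
    # certutil prints the RawCertificate column as a PEM block; decode it into an X509Certificate2.
    $dump = (certutil -config $caConfig -view -restrict "RequestID=$($row.RequestID)" -out RawCertificate) -join "`n"
    if ($dump -notmatch '(?s)-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----') { continue }
    $der  = [Convert]::FromBase64String(($Matches[1] -replace '\s', ''))
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)

    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sans = @()
    if ($sanExt) { $sans = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value.ToLower() } }

    # A machine-context enrollment records the requester as DOMAIN\HOST$; only HOST's own FQDN is expected.
    $requesterHost = ((($row.Requester -split '\\')[-1]).TrimEnd('$')).ToLower()
    $ownFqdn       = "$requesterHost.$($domain.DNSRoot)".ToLower()
    $unexpected    = @($sans | Where-Object { $domainNames -notcontains $_ -and $_ -ne $ownFqdn })

    [pscustomobject]@{
        RequestID   = $row.RequestID
        Requester   = $row.Requester
        NotAfter    = $cert.NotAfter
        SANs        = ($sans -join ', ')
        Unexpected  = ($unexpected -join ', ')
        # Review anything flagged: a name outside the agreed set, or a requester that is not a DC.
        NeedsReview = ($unexpected.Count -gt 0) -or ($dcShortNames -notcontains $requesterHost)
    }
}
```

Running this on a schedule and alerting on NeedsReview gives you the compensating control for skipping Certificate Manager approval.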

Optional Testing Steps for Test Environment
If you are setting this up in a pre-production environment and want to verify the autoenrollment works, follow these steps.
Step 1: Open the Certificate Templates MMC, right-click on the template and select Reenroll All Certificate Holders. This causes DCs that have received a certificate to renew it.

Step 2: Run certutil -pulse

Step 3: Log on to one of the Domain Controllers and verify the certificate has been renewed

Manual Deployment of Certificates to the NTDS Store
One issue that can arise is when Domain Controllers have more than one certificate with the Application Policy of Server Authentication. In this case the first certificate that has Server Authentication will be used. This can lead to undesired certificate selection. If there are multiple Server Authentication certificates, you can force the selection of the desired certificate by putting the certificate in the NTDS store. The steps below cover how to deploy certificates to the NTDS store. The disadvantage of putting certificates in this store is that it is a very manual process.
Configuring the Certificate Template and the CA
Step 1: Open the Certificate Template MMC
Step 2: Right-click on the Kerberos Authentication certificate template
Step 3: Select Duplicate Template from the context menu

Step 4: Name the certificate template and then click Apply

Step 5: Remove Autoenroll permissions from Enterprise Read-only Domain Controllers

Step 6: Remove Autoenroll permissions from Domain Controllers

Step 7: Remove Autoenroll permissions from ENTERPRISE DOMAIN CONTROLLERS

Step 8: Navigate to the Request Handling tab and select Allow private key to be exported

Step 9: Open the Certification Authority MMC
Step 10: Navigate to Certificate Templates
Step 11: Right-click on Certificate Templates and from the context menu select New and then Certificate Template to Issue

Step 12: Select the certificate template that you created and click OK

The Certificate Template is now on the CA

Requesting the Certificate
Step 1: Open certlm.msc on the Domain Controller
Step 2: Right-click on Personal or if it exists the Certificate folder underneath Personal
Step 3: From the context menu select All Tasks and then Request New Certificate…

Step 4: This will open the Certificate Enrollment wizard
Step 5: Click Next

Step 6: On the Select Certificate Enrollment Policy page, click Next

Step 7: On the Request Certificates page of the wizard, select the certificate template you created

Step 8: On the Certificate Installation Results page, click Finish

Exporting the Certificate
Step 1: Locate the certificate
Step 2: Right-click on the certificate and from the context menu select All Tasks and then Export…

Step 3: When the Certificate Export Wizard opens click Next

Step 4: On the Export Private Key page of the wizard, select Yes, export the private key

Step 5: Deselect Include all certificates in the certification path if possible and select Delete the private key if the export is successful
Step 6: Click Next

Step 7: Select Password and enter a password
Step 8: Click Next

Step 9: On the File to Export page of the wizard, click Browse…

Step 10: Enter a name for the file and click Save

Step 11: Click Next

Step 12: On the final page of the wizard, click Finish

Step 13: Click OK

Importing the Certificate Into the DS Store
Step 1: Open mmc.exe
Step 2: Click on File and then Add/Remove Snap-in…

Step 3: Select Certificates and then click Add

Step 4: Select Service Account and then click Next

Step 5: Keep Local Computer selected and then click Next

Step 6: Select Active Directory Domain Services, and click Finish

Step 7: Click OK

Importing the Certificate
Step 1: Right-click on NTDS\Personal
Step 2: Select All Tasks and then Import…

Step 3: When the Certificate Import Wizard opens, click Next

Step 4: On the File to import page of the wizard, click Browse…

Step 5: Browse to the PFX file you previously created and click Open

Step 6: Click Next

Step 7: Enter the password and click Next

Step 8: On the Certificate Store accept the default and click Next

Step 9: Click Finish to complete the wizard

Step 10: Click OK

The certificate will now be in the DS Store

Superseding Certificate Templates
One thing I intentionally left out is superseding Certificate Templates, because it may not apply in situations where you have not issued certain types of certificates. But if you have previously issued Domain Controller or Domain Controller Authentication certificates, you will want to supersede them. When you do this, the previously issued Domain Controller and Domain Controller Authentication certificates will be archived on the Domain Controllers.
To supersede the Domain Controller and Domain Controller Authentication certificates, follow these steps while creating your certificate templates in the previous sections:
Step 1: Navigate to the Superseded Templates tab

Step 2: Select Domain Controller and Domain Controller Authentication certificate templates and click OK

Step 3: Click OK

-Chris