Wednesday, January 9, 2019

Private SSL certificates

If your network uses a non-public domain name, you can't simply buy a publicly trusted SSL certificate when you want to install certificates on your domain controllers to enable LDAPS. The usual recommendation is to install a Microsoft Certificate Authority server on the network and issue your own certificates. However, that means additional servers to manage, and a CA that is not set up exactly right can open a large security hole.

Instead, we found several companies that will sell you a private certificate. The cost is roughly the same as a public SSL certificate, and it saves you the hassle of standing up PKI on your network. Since the certificate is not publicly trusted, you also receive the root and intermediate certificates along with the certificate you buy. We use Entrust Datacard and have been very happy with them.

On the domain controller, add the root and intermediate certificates to the computer's certificate store and the server certificate to the personal store of the Active Directory Domain Services (NTDS) service account. Any computer that will communicate with the server over a secure protocol also needs the root and intermediate certificates installed. Once the certificates are in place, the DC should immediately start accepting LDAPS connections.
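The following PowerShell is an added example of the steps just described; it is not from the original post or from Entrust. It assumes the vendor delivered the root and intermediate CA certificates as .cer files and the domain controller's certificate with its private key as a PFX; the file paths, the DC name and the registry path used for the NTDS service store are assumptions, so confirm the result in certlm.msc (Service account > Active Directory Domain Services) before relying on it. The last function opens a TLS session to port 636 and reports which certificate the DC actually presents, which is the quickest way to see whether LDAPS came up with the right chain.

```powershell
# Run elevated on the domain controller.
# Assumed file locations (constructed for this example):
$RootCa  = 'C:\certs\private-root.cer'
$IntCa   = 'C:\certs\private-intermediate.cer'
$DcPfx   = 'C:\certs\dc01.example.local.pfx'
$PfxPass = Read-Host -AsSecureString -Prompt 'PFX password'

# 1. Trust the private chain machine-wide: root into Trusted Root, intermediate into
#    Intermediate Certification Authorities. Every LDAPS client needs these two as well.
Import-Certificate -FilePath $RootCa -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
Import-Certificate -FilePath $IntCa  -CertStoreLocation 'Cert:\LocalMachine\CA'   | Out-Null

# 2. Import the DC certificate (with private key) into the computer's personal store first.
$dcCert = Import-PfxCertificate -FilePath $DcPfx -CertStoreLocation 'Cert:\LocalMachine\My' `
                                -Password $PfxPass

# 3. Make the same certificate visible in the NTDS service's personal store. Certificate
#    stores are registry-backed, so copying the entry (keyed by thumbprint) is enough; the
#    private key stays where step 2 put it. Registry path is an assumption - verify in certlm.msc.
$machineMy = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\MY\Certificates\$($dcCert.Thumbprint)"
$ntdsMy    = 'HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\My\Certificates'
New-Item -Path $ntdsMy -Force | Out-Null
Copy-Item -Path $machineMy -Destination $ntdsMy -Force

# 4. Verify: open a TLS session to port 636 and show the certificate the DC presents.
#    AuthenticateAsClient throws if this machine does not trust the chain, so a failure here
#    usually means the root/intermediate from step 1 is missing on the client side.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string] $Server,
        [int] $Port = 636
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($Server, $Port)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Server)
        $remote = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server   = $Server
            Subject  = $remote.Subject
            Issuer   = $remote.Issuer      # should be the private intermediate CA
            NotAfter = $remote.NotAfter
            Protocol = $ssl.SslProtocol
        }
    }
    finally {
        $tcp.Close()
    }
}

# Example (DC name is an assumption):
Test-LdapsCertificate -Server 'dc01.example.local'
```

Run `Test-LdapsCertificate` from a member server as well as from the DC itself: success on the DC but a trust failure elsewhere means the clients still lack the root and intermediate certificates, and an Issuer that is not the private intermediate CA means the DC picked a different certificate than the one you installed.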
