KB9980 - Configuring Windows 2003 Server and the PCS for LDAPS


Information

Last Modified Date: 1/19/2016 3:36 PM
Synopsis
A step-by-step "HOW TO" on setting up Windows 2003 Server to accept LDAPS for authentication
Problem or Goal
Windows 2003 Server will not accept LDAPS authentication requests if a suitable certificate is not installed.
Cause
Solution

Step 1: On the Windows 2003 Server, create the following text file:

;----------------- request.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=" ; replace with the FQDN of the DC
KeySpec = 1 ; AT_KEYEXCHANGE
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12 ; PROV_RSA_SCHANNEL
RequestType = PKCS10
KeyUsage = 0xa0 ; digitalSignature (0x80) + keyEncipherment (0x20)

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication
;-----------------------------------------------

Step 2: Within the .inf file, replace the Subject line with your Domain Controller's FQDN.

Sample
SCREENSHOT_001
 

Step 3: Open a command prompt (Start > Run > cmd) and change to the directory where the INF file is saved. Once there, type the following:

certreq -new request.inf request.req

SCREENSHOT_002

The .req file is the Base64-encoded CSR, which will be submitted to the Certificate Authority on the Domain Controller.
SCREENSHOT_003

Step 4: Submit the .req file. Although the Certificate Authority snap-in for MMC can be used to submit the .req, this article uses the WebUI.

  • Log in to the Certificate Server.
    SCREENSHOT_004
  • Select Request a Certificate.
    SCREENSHOT_005
  • Select Advanced Certificate Request.
    SCREENSHOT_006
  • Select Submit a certificate request by using a base-64 encoded CMC or PKCS #10 file...
    SCREENSHOT_007
  • Using Notepad or a similar text editor, open the .req file. Select and copy the contents of the file.
    SCREENSHOT_008
  • Insert the copied contents of the .req file into the Base-64 encoded certificate request window displayed on the WebUI of the Certificate Server.
    SCREENSHOT_009

    Note: Web Server is selected in the Certificate Template section since it covers "Server Authentication", which is the primary focus. Domain Controller and Computer (the other selectable options) also cover Server Authentication. This selection is not necessary for this example, since the original .inf already defined the purpose; see the EnhancedKeyUsageExtension section of the original file.

 

Step 5: Download and save the certificate in Base 64 encoded format.

SCREENSHOT_010

Step 6: Open a command prompt (Start > Run > cmd) and change to the directory where the certificate is saved. Accept the certificate using the following command:

certreq -accept certnew.cer

SCREENSHOT_011

Step 7: The certificate should now be in the local computer's Personal store.

  • Open the MMC by selecting Start > Run.
  • Type MMC.
  • Go to File and click Add/Remove Snap-in.
  • Add the Certificates snap-in for the local computer.
  • Select the Personal store; you should see the certificate.

    SCREENSHOT_012

Step 8: Reboot the Domain Controller.

 

Step 9: Once the Domain Controller is back up and running, export the CA certificate.

  • Log in to the Certificate Server and select Download a CA certificate.
    SCREENSHOT_013
  • Select the CA certificate to download, then click Download CA Certificate.
    SCREENSHOT_014
  • Save the certificate to the Windows 2003 server.
    SCREENSHOT_015

Step 10: Import the CA certificate into the Trusted Server CAs on the PCS.

  • From the PCS WebUI, select Configuration > Certificates > Trusted Server CAs.

    SCREENSHOT_016
  • Enter the path to the .cer file, then click Import Certificate.

    SCREENSHOT_017
  • The new CA certificate will be displayed in the list of Trusted Server CAs.

    SCREENSHOT_018

Step 11: From the PCS WebUI, select Auth. Servers, change the LDAP server connection type to LDAPS and the Access port to 636, then save the changes. LDAPS should now be working.

SCREENSHOT_019
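An added check, not part of this KB article, for what Step 11 relies on: the PCS must complete a TLS handshake on port 636 trusting only the CA certificate imported under Trusted Server CAs, and the certificate name must match the DC FQDN set as the CN in request.inf. The script below performs that handshake with Python's ssl module and then sends an anonymous LDAP bind, hand-encoded in BER, to confirm LDAP is actually answering under TLS; the DC FQDN, CA file path and port are values you supply, and the sample bytes in any test are constructed.

```python
import socket
import ssl

def encode_len(n):
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    """One BER tag-length-value element."""
    return bytes([tag]) + encode_len(len(payload)) + payload

def read_tlv(buf, pos=0):
    """Decode the BER element at buf[pos]; return (tag, value, next_pos)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:  # long form: low 7 bits count the length octets
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def build_bind_request(msg_id=1):
    """Anonymous simple BindRequest (version 3, empty name, empty password)."""
    bind = tlv(0x02, b"\x03") + tlv(0x04, b"") + tlv(0x80, b"")
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x60, bind))

def parse_bind_response(data):
    """Return (messageID, resultCode) from a BindResponse (APPLICATION 1)."""
    tag, msg, _ = read_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, pos = read_tlv(msg)
    tag, body, _ = read_tlv(msg, pos)
    if tag != 0x61:
        raise ValueError("expected BindResponse, got tag 0x%02x" % tag)
    _, code, _ = read_tlv(body)  # first field of LDAPResult is resultCode
    return int.from_bytes(mid, "big"), int.from_bytes(code, "big")

def verify_ldaps(dc_fqdn, ca_file, port=636, timeout=5):
    """Connect as the PCS does: trust only the imported CA, require the cert
    name to match dc_fqdn (request.inf sets a CN and no SAN), then bind
    anonymously. Returns the LDAP resultCode (0 = success)."""
    ctx = ssl.create_default_context(cafile=ca_file)  # only this CA is trusted
    ctx.check_hostname = True  # already the default; stated for clarity
    with socket.create_connection((dc_fqdn, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=dc_fqdn) as tls:
            tls.sendall(build_bind_request(1))
            _, code = parse_bind_response(tls.recv(4096))
    return code
```

A chain or name mismatch raises ssl.SSLCertVerificationError before any LDAP traffic is sent, which is the same failure the PCS would report. Windows Server 2003 negotiates at most TLS 1.0, which a current Python default context refuses, so a lab check against it needs ctx.minimum_version lowered.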
Created By: Data Deployment