KB9980 - Configuring Windows 2003 Server and the PCS for LDAPS

A step-by-step "HOW TO" on setting up Windows 2003 Server to accept LDAPS for authentication

Windows 2003 Server will not accept LDAPS authentication requests if a suitable certificate is not installed.

On a Windows 2003 Server create the following text file:

 

;----------------- request.inf -----------------

[Version]

Signature="$Windows NT$

[NewRequest]

Subject = "CN=" ; replace with the FQDN of the DC
KeySpec = 1
KeyLength = 1024
; Can be 1024, 2048, 4096, 8192, or 16384.
; Larger key sizes are more secure, but have
; a greater impact on performance.
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]

OID=1.3.6.1.5.5.7.3.1 ; this is for Server Authentication

;-----------------------------------------------

 

Within the .inf file, replace the subject line with your Domain Controllers FQDN.

Sample

 

Open up a command line prompt window (Start > Run > cmd) and change to the directory where the INF is saved.   Once there type the following:

certreq -new request.inf request.req



The .req file is the Base64 CSR which will be submitted to the Certificate authority on the Domain Controller.

Submit the .req file. Although the Certificate Authority Snap-in for MMC can be used to submit the .req, this article utilizes the WebUI.

• Log in to the Certificate Server.
  
• Select Request a Certificate
  
• Select Advanced Certificate Request
  
• Select Submit a certificate request by using a base-64 encoded CMC or PCKS#10 file...
  
• Using Notepad or a similar text editor, open the .req file. Select and copy the contents of the file.
  
• Insert the copied contents of the .req file into the Base-64 encoded certificate request window displayed on the WebUI of the Certificate Server
  
   

  Web Server is selected in the Certificate Template section since it covers “Server Authentication”, which is the primary focus. Domain Controller and computer (other selectable options)also cover Server Authentication. This selection is not necessary for this example since the original .inf defined the purpose; see EnhancedKeyUsageExtension section of the original file.

 

Download and save the certificate in Base 64 encoded format.

Open up a command line prompt window (Start > Run > cmd) and change to the directory where the certificate is saved. Accept the certificate using the following command:

certreq -accept certnew.cer

The certificate should be in the local computers personal store.

• Open up the MMC by selecting Start > Run. 
• Type MMC.   
• Go to file, click on add/remove snap-in
• Add the certificate snap in for the local computer.
• Select the personal store and you should see the certificate.
  
  

Reboot the Domain Controller.

 

Once the domain controller is back up and running, export the CA certificate.

• Log in to the Certificate Server and select Download a CA certificate
  
• Select the CA certificate to download, then click Download CA Certificate
  
• Save the certificate to the Windows 2003 server.
  

Import the CA Certificate into the Trusted Server CA on the PCS.

• From the PCS WebUI, select Configuration > Certificates > Trusted Server CAs
  
  
• Insert the path to the .cer file, then click Import Certificate
  
  
• The new CA certificate will display in the list of Trusted Server CAs
  
  

 

 

 From the WebUI, select Auth. Servers to change the LDAP server connection type to LDAPS and the Access port to 636. Save changes. LDAPS should now be working.