This page shows you how to enable LDAP over SSL/TLS (LDAPS) for Managed Service for Microsoft Active Directory (Managed Microsoft AD) to make your LDAP traffic confidential and secure. By default, the communication between Managed Microsoft AD and client applications is not encrypted for simple LDAP binds.

To enable LDAPS, you must have a certificate. This page also describes the specifications for the required certificate and how to verify and monitor it.
Request a certificate
You can request a certificate from a Public Certificate Authority (CA), an Enterprise CA, or Google Cloud Certificate Authority Service, or you can use a self-signed certificate. If you use a self-signed certificate, follow the Microsoft documentation linked to the PowerShell commands in the following sections.

You can create a self-signed certificate with the New-SelfSignedCertificate command on Windows, OpenSSL, or MakeCert.
Certificate requirements
Your certificate must meet the following requirements:

- The following table outlines the requirements for creating a self-signed certificate and lists the associated parameters used in the New-SelfSignedCertificate command. Note that the parameter or field names can vary based on how you create the certificate.

Parameter | Description |
---|---|
Subject (subject name) | It must be the wildcard-prefixed name of your Managed Microsoft AD domain to ensure that the service remains available during an upgrade or restore process. This is because domain controllers use random names that change during an upgrade or restore process. For example, if the domain name is ad.mycompany.com, the subject name must be CN=*.ad.mycompany.com |
DnsName (DNS name or subject alternative name) | It must include only the following: "CN=*.ad.mycompany.com", "CN=.ad.mycompany.com" |
KeySpec | It must be set to 1, which denotes that the key can be used for both digital signature and key exchange. |
KeyLength | The minimum key size depends on the cryptographic algorithm. |
KeyUsage | It must include "digital signatures" and "key encipherment". |
TextExtension or EnhancedKeyUsageExtension | It must have OID=1.3.6.1.5.5.7.3.1 for server authentication. |
NotBefore | The time from which the certificate is valid. The certificate must be valid when enabling LDAPS. |
NotAfter | The time after which the certificate is not valid. The certificate must be valid when enabling LDAPS. |
KeyAlgorithm (signature algorithm) | Weak signature algorithms like SHA-1, MD2, and MD5 are not supported. |

- Issuing chain: The entire certificate chain must be uploaded and must be valid. The chain must be linear and cannot have multiple chains.
- Certificate format: The format must meet Public-Key Cryptography Standards (PKCS) #12. You must use a PFX file.
Request from a Public CA or Enterprise CA
To request a certificate from a Public CA or Enterprise CA, follow these steps. Accept the certificate on the same VM where the request is generated.
Export the certificate in PKCS #12 format
To export the certificate in PKCS #12 format (as a PFX file), complete the following steps:

- In Windows, navigate to your certificates in the Microsoft Management Console (MMC).
- Expand Local Computer Certificates, and navigate to Personal > Certificates.
- Right-click the certificate you created to enable LDAPS, and select All Tasks > Export.
- In the Certificate Export Wizard dialog that appears, click Next.
- On the Export Private Key page, select Yes to export the private key.
- On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX) and the Include all certificates in the certification path if possible checkbox. Click Next.
- On the Security page, select the Password checkbox and enter a strong password to protect the certificate. Click Next. This password is required when configuring LDAPS on your Managed Microsoft AD domain.
- On the File to Export page, enter the destination name and path for the PFX file to export. Click Next.
- Click Finish.

To export a self-signed certificate with the private key in PKCS #12 format as a PFX file, use the Export-PfxCertificate command, and to export the self-signed certificate as a PEM file, use the Export-Certificate command.
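The following PowerShell script is an added example, not part of this page or of Managed Microsoft AD itself: it creates a self-signed certificate with the parameters from the requirements table, re-checks the resulting certificate against that table before anything is uploaded, and exports it as a PFX. The domain name ad.mycompany.com, the output folder C:\ldaps, the 2048-bit RSA key, the one-year validity and the two SAN entries (the wildcard name and the bare domain name) are assumptions.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Domain name and output folder are assumptions for this example.
$domain = 'ad.mycompany.com'
$outDir = 'C:\ldaps'

# Parameters mirror the requirements table: wildcard subject, SANs, KeySpec 1 (KeyExchange),
# DigitalSignature + KeyEncipherment, server-authentication EKU, SHA-256 signature.
$params = @{
    Subject           = "CN=*.$domain"
    DnsName           = "*.$domain", $domain          # SAN entries (assumed values)
    KeySpec           = 'KeyExchange'                 # KeySpec 1: signature and key exchange
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048
    HashAlgorithm     = 'SHA256'                      # SHA-1, MD2 and MD5 are not supported
    KeyUsage          = 'DigitalSignature', 'KeyEncipherment'
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')   # EKU: server authentication
    NotBefore         = (Get-Date)
    NotAfter          = (Get-Date).AddYears(1)
    KeyExportPolicy   = 'Exportable'                  # the private key must end up in the PFX
    CertStoreLocation = 'Cert:\LocalMachine\My'
}
$cert = New-SelfSignedCertificate @params

# Re-check the issued certificate against the requirements table before uploading it.
function Test-LdapsCertificate {
    param([X509Certificate2]$Cert, [string]$Domain)
    $problems = @()
    if ($Cert.Subject -ne "CN=*.$Domain") { $problems += "subject is '$($Cert.Subject)', expected 'CN=*.$Domain'" }
    $ku = $Cert.Extensions | Where-Object { $_ -is [X509KeyUsageExtension] }
    if (-not $ku -or -not $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::DigitalSignature) -or
        -not $ku.KeyUsages.HasFlag([X509KeyUsageFlags]::KeyEncipherment)) { $problems += 'KeyUsage lacks DigitalSignature or KeyEncipherment' }
    $eku = $Cert.Extensions | Where-Object { $_ -is [X509EnhancedKeyUsageExtension] }
    if (-not ($eku.EnhancedKeyUsages | Where-Object Value -eq '1.3.6.1.5.5.7.3.1')) { $problems += 'EKU lacks server authentication (1.3.6.1.5.5.7.3.1)' }
    if ($Cert.SignatureAlgorithm.FriendlyName -match 'sha1|md2|md5') { $problems += "weak signature algorithm $($Cert.SignatureAlgorithm.FriendlyName)" }
    $now = Get-Date
    if ($now -lt $Cert.NotBefore -or $now -gt $Cert.NotAfter) { $problems += 'certificate is not valid at this time' }
    if (-not $Cert.HasPrivateKey) { $problems += 'no private key; the PFX would be unusable' }
    return $problems
}
$problems = Test-LdapsCertificate -Cert $cert -Domain $domain
if ($problems) { throw ("Certificate does not meet the LDAPS requirements:`n" + ($problems -join "`n")) }

# Export the PFX (PKCS #12) with the private key and the full chain. The password is the one
# you later give to gcloud or the console. The DER .cer file is for distribution to clients.
$password = Read-Host -AsSecureString -Prompt 'PFX password'
Export-PfxCertificate -Cert $cert -FilePath "$outDir\ldaps.pfx" -Password $password -ChainOption BuildChain | Out-Null
Export-Certificate -Cert $cert -FilePath "$outDir\ldaps.cer" -Type CERT | Out-Null
```

Test-LdapsCertificate can also be run against a certificate issued by a Public or Enterprise CA (load it with Get-Item from Cert:\LocalMachine\My) to catch a missing EKU or a non-wildcard subject before the 20-minute configure operation.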
Distribute the issuer chain to client computers
For LDAPS to function, all client computers must trust the issuer of the LDAPS certificate. For a well-known Public CA, the client computers might already trust the issuer chain. If the chain is not trusted, complete the following steps to export the issuer chain:

- In Windows, navigate to your certificates in the Microsoft Management Console (MMC).
- Expand Local Computer Certificates and navigate to Personal > Certificates. Double-click the LDAPS certificate.
- In the Certificate window, click the Certification Path tab.
- On the Certification Path tab, select the root certificate in the path.
- Click View Certificate.
- Click the Details tab, and then click Copy to File...
- In the Certificate Export Wizard dialog that appears, select Base-64 encoded X.509 and click Next.
- Select the filename and location for the certificate chain, and click Finish.

To copy the certificate to the client computer that establishes the LDAPS connection, use the Certificate Import Wizard dialog to import the certificate into the "Local Machine" store. Alternatively, you can distribute the certificate chain of issuing authorities to the client computers using Group Policy in Windows.

To import a self-signed certificate into the trusted root store of the local machine, use the Import-Certificate command.
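As an added example (not from this page or from Microsoft), the two functions below script the procedure above: the first walks the issuing chain of the LDAPS certificate and writes its root as Base-64 encoded X.509, the same output the Copy to File... wizard produces; the second imports that file into a client's Local Machine trusted root store with Import-Certificate. The thumbprint and file paths in the usage lines are placeholders.

```powershell
using namespace System.Security.Cryptography.X509Certificates
# Step 1 (on the machine holding the LDAPS certificate): walk the issuing chain and write its
# root as Base-64 encoded X.509, the same output as the Copy to File... wizard.
function Export-LdapsRootCertificate {
    param([string]$Thumbprint, [string]$OutFile)   # thumbprint of the LDAPS leaf certificate
    $leaf  = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $chain = [X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = [X509RevocationMode]::NoCheck   # only the path is needed here
    $null  = $chain.Build($leaf)
    # Chain elements run leaf -> intermediates -> root; the root is the last element.
    # For a self-signed certificate the chain has a single element, the certificate itself.
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    foreach ($status in $chain.ChainStatus) { Write-Warning "chain status: $($status.StatusInformation)" }
    $pem = "-----BEGIN CERTIFICATE-----`n" +
           [Convert]::ToBase64String($root.RawData, [Base64FormattingOptions]::InsertLineBreaks) +
           "`n-----END CERTIFICATE-----"
    Set-Content -Path $OutFile -Value $pem -Encoding Ascii
    return $root
}

# Step 2 (on each client computer, or pushed through Group Policy): import the root into the
# Local Machine trusted root store so the LDAPS certificate chains to something the client trusts.
function Install-LdapsRootCertificate {
    param([string]$CerFile)
    $imported = Import-Certificate -FilePath $CerFile -CertStoreLocation 'Cert:\LocalMachine\Root'
    # A root certificate is self-issued: Subject and Issuer must match, otherwise the wrong file was exported.
    if ($imported.Subject -ne $imported.Issuer) { Write-Warning "$CerFile is not a root certificate" }
    return $imported
}

# Usage (thumbprint and paths are placeholders):
# Export-LdapsRootCertificate -Thumbprint '<LDAPS_CERT_THUMBPRINT>' -OutFile 'C:\ldaps\ldaps-root.cer'
# Install-LdapsRootCertificate -CerFile 'C:\ldaps\ldaps-root.cer'
```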
Enable LDAPS on a Managed Microsoft AD domain
Before you enable LDAPS on your Managed Microsoft AD domain, ensure that you have one of the following IAM roles:

- Google Cloud Managed Identities Admin (roles/managedidentities.admin)
- Google Cloud Managed Identities Domain Admin (roles/managedidentities.domainAdmin)

For more information about Managed Microsoft AD IAM roles, see Access control.
To enable LDAPS on your Managed Microsoft AD domain, complete the following steps:

Console

- In the Google Cloud console, go to the Managed Microsoft AD page.
Go to Managed Microsoft AD
- On the Domains page, select a domain from the list of instances to enable LDAPS.
- In the LDAPS section of the Domain details page, click Configure LDAPS.
- In the Configure LDAPS pane, enter the location of the PFX file and the password that you used to export the certificate in PKCS #12 format, and then click Configure LDAPS.
gcloud
Run the following gcloud CLI command:

```
gcloud active-directory domains update-ldaps-settings DOMAIN_NAME \
    --certificate-pfx-file=PFX_FILENAME \
    --certificate-password=PASSWORD
```

Replace the following:

- DOMAIN_NAME: The full resource name of your Managed Microsoft AD domain. Full resource name format: projects/PROJECT_ID/locations/global/domains/DOMAIN_NAME.
- PFX_FILENAME: The PKCS #12-formatted PFX file that specifies the certificate chain used to configure LDAPS.
- PASSWORD: The password used to encrypt the PKCS #12 certificate. If you don't specify the password, the command prompts for it while running.

This operation can take up to 20 minutes to complete. To update the certificate, repeat these steps with the updated PFX file.
Verify LDAPS
You can verify that LDAPS is enabled by performing an LDAPS bind. This process uses LDP.exe, which is one of the RSAT tools that you install when you join a VM to the domain.

On a domain-joined Google Cloud Windows VM, complete the following steps in PowerShell:

- In PowerShell, start LDP.exe and navigate to Connection > Connect. In the Connect dialog, complete the following steps:
  - In the Server field, enter your domain name.
  - In the Port field, enter 636.
  - Select the SSL checkbox.
  - Click OK.

If LDAPS is properly enabled, the connection succeeds.
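The script below is an added example, not part of this page or of the RSAT tools: it performs the same LDAPS bind as the LDP.exe steps above from PowerShell using the .NET System.DirectoryServices.Protocols client, and additionally records the certificate the domain controller presented so you can compare its thumbprint with the PFX you uploaded and see how many days of validity remain. The domain name ad.mycompany.com is an assumption; the bind uses the credentials of the domain user running the script.

```powershell
using namespace System.DirectoryServices.Protocols
using namespace System.Security.Cryptography.X509Certificates
Add-Type -AssemblyName System.DirectoryServices.Protocols

# Bind over LDAPS (port 636) as the current domain user and report what the server presented.
function Test-LdapsBind {
    param([string]$Domain, [int]$Port = 636)
    $identifier = [LdapDirectoryIdentifier]::new($Domain, $Port, $false, $false)
    $conn = [LdapConnection]::new($identifier)
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = $true      # the SSL checkbox in LDP.exe
    $conn.AuthType = [AuthType]::Negotiate              # Kerberos/NTLM; no password on the wire
    # Shared state for the callback; the closure below captures this hashtable by reference.
    $state = @{ Presented = $null; Domain = $Domain }
    # Installing a callback replaces SChannel's default validation, so both checks live here:
    # the certificate must chain to a trusted root and carry the required wildcard subject.
    $conn.SessionOptions.VerifyServerCertificate = {
        param([LdapConnection]$connection, [X509Certificate]$certificate)
        $state.Presented = [X509Certificate2]::new($certificate)
        return $state.Presented.Verify() -and ($state.Presented.Subject -eq "CN=*.$($state.Domain)")
    }.GetNewClosure()
    try {
        $conn.Bind()
        [pscustomobject]@{
            Bound      = $true
            Subject    = $state.Presented.Subject
            Thumbprint = $state.Presented.Thumbprint    # compare with the certificate in the PFX
            DaysLeft   = [int]($state.Presented.NotAfter - (Get-Date)).TotalDays
        }
    } catch {
        # A bind failure with a presented certificate usually means the client does not trust the issuer.
        [pscustomobject]@{ Bound = $false; Error = $_.Exception.Message; Subject = $state.Presented.Subject }
    } finally {
        $conn.Dispose()
    }
}

Test-LdapsBind -Domain 'ad.mycompany.com'   # assumed domain name
```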
Monitor a certificate
You can view the Time to Live (TTL) for a certificate chain in Cloud Monitoring. The cert_ttl metric shows the number of valid days remaining for the certificate in the chain with the earliest expiration.

Console

To view the metrics for a monitored resource by using the Metrics Explorer, do the following:

- In the Google Cloud console, go to the Metrics explorer page:
Go to Metrics explorer
If you use the search bar to find this page, then select the result whose subheading is Monitoring.
- In the Metric element, expand the Select a metric menu, enter LDAPS Certificate TTL in the filter bar, and then use the submenus to select a specific resource type and metric:
  - In the Active resources menu, select Microsoft Active Directory Domain.
  - In the Active metric categories menu, select Microsoft_ad.
  - In the Active metrics menu, select LDAPS Certificate TTL.
  - Click Apply.
- To remove time series from the display, use the Filter element.
- To combine time series, use the menus on the Aggregation element. For example, to display the CPU utilization for your VMs, based on their zone, set the first menu to Mean and the second menu to zone.
All time series are displayed when the first menu of the Aggregation element is set to Unaggregated. The default settings for the Aggregation element are determined by the metric type you selected.
- For quota and other metrics that report one sample per day, do the following:
  - In the Display pane, set the Widget type to Stacked bar chart.
  - Set the time period to at least one week.

You can also click Monitoring in the LDAPS section of the Domain details page to navigate to Metrics Explorer.

You can also use the Query Editor to find these metrics.

- On the Metric tab, select Query Editor.
- In the text field of the Query Editor, enter the following MQL query and select Run Query.

```
fetch microsoft_ad_domain
| metric 'managedidentities.googleapis.com/microsoft_ad/domain/ldaps/cert_ttl'
| group_by 1m, [value_cert_ttl_mean: mean(value.cert_ttl)]
| every 1m
| group_by [resource.fqdn], [value_cert_ttl_mean_aggregate: aggregate(value_cert_ttl_mean)]
```
Disable LDAPS
To disable LDAPS, complete the following steps:

Console

- In the Google Cloud console, go to the Managed Microsoft AD page.
Go to Managed Microsoft AD
- On the Domains page, select the domain from the list of instances for which you want to disable the certificate.
- In the LDAPS section of the Domain details page, click Disable.

gcloud

Run the following gcloud CLI command:

```
gcloud active-directory domains update-ldaps-settings DOMAIN_NAME \
    --clear-ldaps-certificate
```

Replace DOMAIN_NAME with the full resource name of your Managed Microsoft AD domain. Full resource name format: projects/PROJECT_ID/locations/global/domains/DOMAIN_NAME.

This operation can take up to 20 minutes to complete. To re-enable LDAPS, you must re-upload the certificates.
What's next
- Best practices for automating certificate renewal