Enable LDAPS  |  Managed Microsoft AD Documentation  |  Google Cloud (2024)

This page shows you how to enable LDAP over SSL/TLS (LDAPS) for Managed Service for Microsoft Active Directory (Managed Microsoft AD) to make your LDAP traffic confidential and secure. By default, the communication between Managed Microsoft AD and client applications is not encrypted for simple LDAP binds: a simple bind over plain LDAP (TCP port 389) sends the user's password in cleartext. LDAPS wraps the LDAP session in TLS on TCP port 636.

To enable LDAPS, you must have a certificate. This page also describes the specifications for the required certificate and how to verify and monitor it.

Request a certificate

You can request a certificate from a Public Certificate Authority (CA), an Enterprise CA, or Google Cloud Certificate Authority Service, or use a self-signed certificate. If you use a self-signed certificate, follow the Microsoft documentation linked to the PowerShell commands in the following sections. Note that every client must explicitly trust a self-signed certificate, so it is practical only for a small, managed set of clients.

You can create a self-signed certificate with the New-SelfSignedCertificate command on Windows, with OpenSSL, or with MakeCert.

Certificate requirements

Your certificate must meet the following requirements:

  • The following table outlines the requirements for creating a self-signed certificate and lists the associated parameters used in the New-SelfSignedCertificate command. Note that the parameter or field names can vary based on how you create the certificate.

    Parameter: Description

    Subject (subject name): It must be the wildcard-prefixed name of your Managed Microsoft AD domain to ensure that the service remains available during an upgrade or restore process. This is because domain controllers use random names that change during an upgrade or restore process. For example, if the domain name is ad.mycompany.com, the subject name must be CN=*.ad.mycompany.com.

    DnsName (DNS name or subject alternative name): It must include only the following:
      • The wildcard name of your Managed Microsoft AD domain
      • Your Managed Microsoft AD domain name
      For example, "*.ad.mycompany.com", "ad.mycompany.com".

    KeySpec: It must be set to 1 (AT_KEYEXCHANGE; the KeyExchange value of the -KeySpec parameter), which denotes that the key can be used for both digital signature and key exchange.

    KeyLength: The minimum key size depends on the cryptographic algorithm.
      • RSA: at least 2048 bits
      • ECDSA: at least 256 bits
      • Ed25519: fixed length (the key size is not configurable)

    KeyUsage: It must include DigitalSignature and KeyEncipherment.

    TextExtension or EnhancedKeyUsageExtension: It must have OID 1.3.6.1.5.5.7.3.1 (Server Authentication).

    NotBefore: The time from which the certificate is valid. The certificate must already be valid when you enable LDAPS.

    NotAfter: The time after which the certificate is no longer valid. The certificate must not have expired when you enable LDAPS.

    Signature hash algorithm (the -HashAlgorithm parameter): Weak signature algorithms such as SHA-1, MD2, and MD5 are not supported; use SHA-256 or stronger.

  • Issuing chain: The entire certificate chain must be uploaded and must be valid. The chain must be linear (one leaf certificate with a single path to its root) and cannot have multiple chains.

  • Certificate format: The format must meet Public-Key Cryptography Standards (PKCS) #12. You must use a PFX file.

Request from a Public CA or Enterprise CA

To request a certificate from a Public CA or Enterprise CA, follow these steps.

Accept the certificate on the same VM where the request is generated. The private key created with the request exists only in that VM's certificate store, and the PFX export in the next section must include it.

Export the certificate in PKCS #12 format

To export the certificate in PKCS #12 format (as a PFX file), complete the following steps:

1. In Windows, navigate to your certificates in the Microsoft Management Console (MMC).

2. Expand Local Computer Certificates, and navigate to Personal > Certificates.

3. Right-click the certificate you created to enable LDAPS, and select All Tasks > Export.

4. In the Certificate Export Wizard dialog that appears, click Next.

5. On the Export Private Key page, select Yes to export the private key. If this option is unavailable, the private key is either not marked exportable or not present on this machine; you must export from the machine that holds the key.

6. On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX) and the Include all certificates in the certification path if possible checkbox. Click Next.

7. On the Security page, select the Password checkbox and enter a strong password to protect the certificate. Click Next. This password is required when configuring LDAPS on your Managed Microsoft AD domain. Treat the PFX file and its password as secrets; they contain the domain's TLS private key.

8. On the File to Export page, enter the destination name and path for the PFX file to export. Click Next.

9. Click Finish.

To export a self-signed certificate with the private key in PKCS #12 format as a PFX file, use the Export-PfxCertificate command; to export the public certificate without the private key as a DER-encoded .cer file, use the Export-Certificate command.
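The following PowerShell script is an added example, not code from the Google Cloud page or from Microsoft. It creates a self-signed certificate that satisfies the requirements table above, checks the resulting certificate against each requirement (the check function works equally for a CA-issued certificate loaded from the store), and exports the PFX and a public-only .cer file as described in this section. The domain name ad.mycompany.com, the output folder C:\ldaps, and a one-year validity are assumptions for the example.

```powershell
# Added example; not code from the Google Cloud page or from Microsoft.
# Creates a self-signed LDAPS certificate that meets the requirements table,
# validates it, and exports a password-protected PFX plus a public-only .cer.
# Assumptions: domain ad.mycompany.com, output folder C:\ldaps, an elevated
# Windows PowerShell 5.1 (or PowerShell 7) session on a Windows VM.
$Domain = 'ad.mycompany.com'   # replace with your Managed Microsoft AD domain
$OutDir = 'C:\ldaps'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Subject is the wildcard name; the SAN list holds only the wildcard name and
# the bare domain name. KeySpec KeyExchange is the value 1 from the table.
$cert = New-SelfSignedCertificate `
    -Subject "CN=*.$Domain" `
    -DnsName "*.$Domain", $Domain `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyAlgorithm RSA -KeyLength 2048 -KeySpec KeyExchange `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -HashAlgorithm SHA256 `
    -NotAfter (Get-Date).AddYears(1)

function Test-LdapsCertificate {
    # Returns the list of requirement violations; an empty list means the
    # certificate is acceptable. Works for CA-issued certificates too.
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$DomainName
    )
    $failures = @()
    if ($Cert.Subject -ne "CN=*.$DomainName") {
        $failures += "Subject is '$($Cert.Subject)'; expected 'CN=*.$DomainName'"
    }
    # SAN must contain exactly the wildcard name and the domain name.
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $san) {
        $failures += 'Subject Alternative Name extension is missing'
    } else {
        $names = @($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1].Trim() })
        if (Compare-Object $names @("*.$DomainName", $DomainName)) {
            $failures += "SAN list is [$($names -join ', ')]; expected [*.$DomainName, $DomainName]"
        }
    }
    $eku = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })) {
        $failures += 'Enhanced Key Usage lacks Server Authentication (1.3.6.1.5.5.7.3.1)'
    }
    $ku   = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.15' }
    $need = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags] 'DigitalSignature, KeyEncipherment'
    if (-not $ku -or (($ku.KeyUsages -band $need) -ne $need)) {
        $failures += 'Key Usage lacks DigitalSignature and/or KeyEncipherment'
    }
    $rsa   = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($Cert)
    $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($Cert)
    if ($rsa -and $rsa.KeySize -lt 2048)    { $failures += "RSA key is $($rsa.KeySize) bits; minimum is 2048" }
    if ($ecdsa -and $ecdsa.KeySize -lt 256) { $failures += "ECDSA key is $($ecdsa.KeySize) bits; minimum is 256" }
    if ($Cert.SignatureAlgorithm.FriendlyName -match '^(md2|md5|sha1)') {
        $failures += "Weak signature algorithm $($Cert.SignatureAlgorithm.FriendlyName)"
    }
    $now = Get-Date
    if ($Cert.NotBefore -gt $now -or $Cert.NotAfter -lt $now) {
        $failures += "Certificate is not valid now (valid $($Cert.NotBefore) to $($Cert.NotAfter))"
    }
    return $failures
}

$problems = Test-LdapsCertificate -Cert $cert -DomainName $Domain
if ($problems) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Certificate does not meet the LDAPS requirements; fix it before uploading.'
}

# PFX with the private key and chain (for a self-signed certificate the chain is
# the certificate itself). The password is the one you enter when configuring
# LDAPS; keep the file and password secret.
$PfxPassword = Read-Host -AsSecureString -Prompt 'PFX export password'
Export-PfxCertificate -Cert $cert -FilePath (Join-Path $OutDir 'ldaps.pfx') `
    -Password $PfxPassword -ChainOption BuildChain | Out-Null

# Public certificate only (DER .cer), safe to copy to client computers.
Export-Certificate -Cert $cert -FilePath (Join-Path $OutDir 'ldaps-issuer.cer') | Out-Null
"Created $($cert.Thumbprint); upload $OutDir\ldaps.pfx when you configure LDAPS."
```

To check a CA-issued certificate that is already installed, replace the New-SelfSignedCertificate call with a lookup such as Get-ChildItem Cert:\LocalMachine\My and pass that certificate to Test-LdapsCertificate; the remaining checks and the export are unchanged.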

Distribute the issuer chain to client computers

For LDAPS to function, all client computers must trust the issuer of the LDAPS certificate. For a well-known Public CA, the client computers might already trust the issuer chain. Distribute only the issuer's public certificate; the PFX file that holds the private key must never be copied to clients. If the chain is not trusted, complete the following steps to export the issuer chain:

1. In Windows, navigate to your certificates in the Microsoft Management Console (MMC).

2. Expand Local Computer Certificates and navigate to Personal > Certificates. Double-click the LDAPS certificate.

3. In the Certificate window, click the Certification Path tab.

4. On the Certification Path tab, select the root certificate in the path. For a self-signed certificate, the path contains only the certificate itself.

5. Click View Certificate.

6. Click the Details tab, and then click Copy to File...

7. In the Certificate Export Wizard dialog that appears, select Base-64 encoded X.509 and click Next.

8. Select the filename and location for the certificate chain, and click Finish.

9. To copy the certificate to the client computer that establishes the LDAPS connection, use the Certificate Import Wizard dialog to import the certificate into the Trusted Root Certification Authorities store of the "Local Machine" store. Alternatively, you can distribute the certificate chain of issuing authorities to the client computers using Group Policy in Windows.

To import a self-signed certificate into the trusted root store of the local machine, use the Import-Certificate command.

    Enable LDAPS on a Managed Microsoft AD domain

    Before you enable LDAPS on your Managed Microsoft AD domain, do the following:

1. Ensure that you have one of the following IAM roles:

  • Google Cloud Managed Identities Admin (roles/managedidentities.admin)
  • Google Cloud Managed Identities Domain Admin (roles/managedidentities.domainAdmin)

  For more information about Managed Microsoft AD IAM roles, see Access control.

To enable LDAPS on your Managed Microsoft AD domain, complete the following steps:

Console

1. In the Google Cloud console, go to the Managed Microsoft AD page.
2. On the Domains page, select a domain from the list of instances to enable LDAPS.
3. In the LDAPS section of the Domain details page, click Configure LDAPS.
4. In the Configure LDAPS pane, enter the location of the PFX file and the password that you used to export the certificate in PKCS #12 format, and then click Configure LDAPS.

    gcloud

    Run the following gcloud CLI command:

gcloud active-directory domains update-ldaps-settings DOMAIN_NAME \
    --certificate-pfx-file=PFX_FILENAME \
    --certificate-password=PASSWORD

Replace the following:

• DOMAIN_NAME: The full resource name of your Managed Microsoft AD domain. Full resource name format: projects/PROJECT_ID/locations/global/domains/DOMAIN_NAME.
• PFX_FILENAME: The PKCS #12-formatted PFX file that contains the certificate chain and private key used to configure LDAPS.
• PASSWORD: The password used to encrypt the PKCS #12 certificate. If you omit this flag, the command prompts for the password, which keeps it out of your shell history.

    This operation can take up to 20 minutes to complete. To update the certificate,repeat these steps with the updated PFX file.

    Verify LDAPS

You can verify that LDAPS is enabled by performing an LDAPS bind. This process uses LDP.exe, which is one of the RSAT tools that you install when you join a VM to the domain.

On a domain-joined Google Cloud Windows VM, complete the following steps in PowerShell:

1. In PowerShell, start LDP.exe and navigate to Connection > Connect.

2. In the Connect dialog, complete the following steps:

  1. In the Server field, enter your domain name.
  2. In the Port field, enter 636.
  3. Select the SSL checkbox.
  4. Click OK.

  If LDAPS is properly enabled, the connection succeeds. If it fails, check that the client trusts the issuer chain and that the name you entered in the Server field is covered by the certificate's subject alternative names.
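The following PowerShell script is an added example, not code from the Google Cloud page. It scripts the client-side work of the two sections above: it imports the issuer certificate into the client's trusted root store (the Import-Certificate step), then reproduces what LDP.exe does when you connect with SSL on port 636, a TLS handshake followed by an LDAP bind, and additionally reports the served certificate's names, chain trust status, and days until expiry. The domain name ad.mycompany.com and the path C:\ldaps\ldaps-issuer.cer are assumptions for the example.

```powershell
# Added example; not code from the Google Cloud page. Trusts the LDAPS issuer on
# a client, then verifies LDAPS (TLS to port 636 plus an LDAP bind) and reports
# what the domain controller presents, including days until expiry.
# Assumptions: domain ad.mycompany.com, issuer public certificate copied to
# C:\ldaps\ldaps-issuer.cer, elevated PowerShell on a domain-joined client.
$Domain  = 'ad.mycompany.com'
$CerPath = 'C:\ldaps\ldaps-issuer.cer'

# 1. Trust the issuer (self-signed certificate or private CA root). Not needed
#    for a public CA that Windows already trusts; never import the PFX here.
Import-Certificate -FilePath $CerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

function Get-LdapsServerCertificate {
    # Completes a TLS handshake with Server:Port and reports the leaf
    # certificate, whether its chain validates against this machine's trust
    # store, and whether Server is covered by the SAN list (exact or one-label
    # wildcard match).
    param([string]$Server, [int]$Port = 636)
    # Accept any certificate during the handshake; trust is evaluated below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback] { param($s, $c, $ch, $e) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $acceptAll
    try {
        $ssl.AuthenticateAsClient($Server)
        $leaf  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $trusted = $chain.Build($leaf)
        $sanExt  = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $names   = if ($sanExt) { @($sanExt.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1].Trim() }) } else { @() }
        $wild    = if ($Server.Contains('.')) { '*' + $Server.Substring($Server.IndexOf('.')) } else { $null }
        [pscustomobject]@{
            Subject       = $leaf.Subject
            DnsNames      = $names -join ', '
            NameMatches   = ($names -contains $Server) -or ($wild -and ($names -contains $wild))
            NotAfter      = $leaf.NotAfter
            DaysRemaining = [int]($leaf.NotAfter - (Get-Date)).TotalDays
            ChainTrusted  = $trusted
            ChainStatus   = (@($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; ')
            Protocol      = $ssl.SslProtocol
        }
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

function Test-LdapsBind {
    # LDAP bind over SSL on port 636 with the caller's Windows credentials
    # (Negotiate): the equivalent of LDP.exe Connect with SSL, then Bind.
    param([string]$Server, [int]$Port = 636)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $false, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    try {
        $conn.SessionOptions.SecureSocketLayer = $true
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
        $conn.Bind()
        return $true
    } catch {
        Write-Warning "LDAPS bind to ${Server}:$Port failed: $($_.Exception.Message)"
        return $false
    } finally {
        $conn.Dispose()
    }
}

$info = Get-LdapsServerCertificate -Server $Domain
$info | Format-List
if (-not $info.ChainTrusted)    { Write-Warning "Issuer chain is not trusted on this client: $($info.ChainStatus)" }
if (-not $info.NameMatches)     { Write-Warning "'$Domain' is not covered by the certificate's SAN list" }
if ($info.DaysRemaining -lt 30) { Write-Warning "Certificate expires in $($info.DaysRemaining) days; renew and re-upload the PFX" }
if (Test-LdapsBind -Server $Domain) { 'LDAPS bind succeeded' } else { 'LDAPS bind failed' }
```

A successful bind with ChainTrusted false means the server is serving the new certificate but this client has not yet received the issuer; that is the case the Group Policy distribution above is meant to cover.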

    Monitor a certificate

You can view the Time to Live (TTL) for a certificate chain in Cloud Monitoring. The cert_ttl metric shows the number of valid days remaining for the certificate in the chain with the earliest expiration. Because clients reject an expired certificate, alert on this metric well before it reaches zero and re-upload a renewed PFX in time.

    Console

To view the metrics for a monitored resource by using the Metrics Explorer, do the following:

1. In the Google Cloud console, go to the Metrics explorer page.

  If you use the search bar to find this page, then select the result whose subheading is Monitoring.

2. In the Metric element, expand the Select a metric menu, enter LDAPS Certificate TTL in the filter bar, and then use the submenus to select a specific resource type and metric:
  1. In the Active resources menu, select Microsoft Active Directory Domain.
  2. In the Active metric categories menu, select Microsoft_ad.
  3. In the Active metrics menu, select LDAPS Certificate TTL.
  4. Click Apply.
3. To remove time series from the display, use the Filter element.

4. To combine time series, use the menus on the Aggregation element. For example, to display one line per domain, set the first menu to Mean and the second menu to fqdn.

  All time series are displayed when the first menu of the Aggregation element is set to Unaggregated. The default settings for the Aggregation element are determined by the metric type you selected.

5. For metrics that report one sample per day, do the following:
  1. In the Display pane, set the Widget type to Stacked bar chart.
  2. Set the time period to at least one week.

You can also click Monitoring in the LDAPS section of the Domain details page to navigate to Metrics Explorer.

You can also use the Query Editor to find these metrics.

1. On the Metric tab, select Query Editor.

2. In the text field of the Query Editor, enter the following MQL query and select Run Query.

fetch microsoft_ad_domain
| metric 'managedidentities.googleapis.com/microsoft_ad/domain/ldaps/cert_ttl'
| group_by 1m, [value_cert_ttl_mean: mean(value.cert_ttl)]
| every 1m
| group_by [resource.fqdn], [value_cert_ttl_mean_aggregate: aggregate(value_cert_ttl_mean)]

    Disable LDAPS

    To disable LDAPS, complete the following steps:

    Console

1. In the Google Cloud console, go to the Managed Microsoft AD page.
2. On the Domains page, select the domain from the list of instances for which you want to disable the certificate.
3. In the LDAPS section of the Domain details page, click Disable.

gcloud

Run the following gcloud CLI command:

gcloud active-directory domains update-ldaps-settings DOMAIN_NAME \
    --clear-ldaps-certificate

Replace DOMAIN_NAME with the full resource name of your Managed Microsoft AD domain. Full resource name format: projects/PROJECT_ID/locations/global/domains/DOMAIN_NAME.

This operation can take up to 20 minutes to complete. After LDAPS is disabled, clients can no longer connect on port 636, and any client that falls back to plain LDAP simple binds again sends credentials in cleartext. To re-enable LDAPS, you must reupload the certificates.

    What's next

    • Best practices for automating certificate renewal