
How do I setup LDAP SSL and Certificates in ADAM?

http://www.dirwiz.com/kb/345
2010-11-16

The following Microsoft FAQ page includes instructions for configuring a Certification Authority (CA) and SSL on ADAM.
Search the page for the text 'SSL' to find the Q/A section on this topic.

http://www.microsoft.com/windowsserver2003/adam/ADAMfaq.mspx

Below we have elaborated on the instructions found in this FAQ to outline the process to install the certificate, set
permissions for the service account, and test the connection using LDP.

Question: How do I install certificates for use with ADAM and SSL?

Answer: To enable SSL-based encrypted connections to ADAM, you must have a certification authority (CA) in place to
issue and manage certificates. You can set up a CA on a computer running Microsoft Windows® 2000 Server or Windows
Server 2003. For more information about installing and using a CA, see the Certificate Services topic in the Windows Server
2003 Help.

The general steps for setting up SSL for ADAM are as follows:

• Install a certificate from a trusted CA onto the computer running ADAM. The certificate must be marked for server
authentication. If you want to use the certificate for applications other than ADAM, you must store this certificate in the
local computer certificate store. Otherwise, you can store the certificate in the ADAM service store. When you request the
certificate, specify the fully qualified domain name (FQDN) of the computer on which ADAM is running as the identifying
name for the certificate.

Note: If Internet Information Services (IIS) is running on the same computer as ADAM, you can verify that the certificate is
properly installed by attempting an SSL connection to IIS first, before attempting an SSL connection to ADAM.

The certificate:

• The certificate must be a self-signed certificate for the ADAM server. (This is the same as an HTTPS certificate.)

To install the certificate:

1. Copy the certificate file to the ADAM server.
2. Execute Start > Run > MMC (the Microsoft Management Console).
3. In the Console window, click File > Add/Remove Snap-in.
4. In the Add/Remove Snap-in window, click Add.
5. In the Add Standalone Snap-in window, select "Certificates" and click Add.
6. In the Certificates Snap-in window, select "Service account" and click Next.
7. In the Select Computer window, leave the default of "Local computer" and click Next.
8. In the Certificates Snap-in window, select the ADAM instance (service) to associate this key with, and click Finish.
9. In the Add Standalone Snap-in window, click Close.
10. In the Add/Remove Snap-in window, click OK.

11. In the Console window, right-click the 'Personal' store, select All Tasks, then select Import.
12. In the Certificate Import Wizard, click Next.
13. In the Certificate Import Wizard window, click Browse, select the SSL certificate you copied to this ADAM server, and click Next.
14. In the Certificate Import Wizard window, leave the default 'Personal' store and click Next.
15. In the final window, click Finish.
16. In the "Import was successful" window, click OK.
17. In the Console window, expand the 'Personal' folder and click Certificates. You should see the newly imported certificate.

• Before you attempt to use the certificate with ADAM, you must ensure that the service account under which
ADAM is running has Read access to the certificate that you installed.

Note: To determine the appropriate certificate on which to set permissions for the ADAM service account, run certutil -store
my from a command prompt. The Key Container value that is shown for each certificate matches the file name of the
certificate as it appears in the C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
directory.

To apply permissions to the \MachineKeys directory:

1. Open My Computer and browse to:
   C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys
2. Right-click the "MachineKeys" folder and click Properties.
3. Click the Security tab.
4. Click Add.
5. Enter the object name to select: NETWORK SERVICE (verify with Check Names).
6. Click OK.
7. Verify that Read access is enabled.
8. Click Advanced.
9. Enable 'Replace permission entries on all child objects with entries shown here that apply to child objects'.
10. At the security warning 'Do you wish to continue?', click Yes.
11. Click OK to close the Properties window.
12. You can verify Read permissions by selecting a key, right-clicking it, and choosing Properties.
13. Restart the ADAM service.
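The permission step above grants NETWORK SERVICE Read on the whole MachineKeys directory. The following added example (not from the dirwiz KB or the Microsoft FAQ) does the same selection the note describes with certutil -store my, but scripted: it finds the server-authentication certificate whose subject is the ADAM FQDN, maps it to its Key Container file, and grants Read on that one key file only. The FQDN, the ProgramData-based MachineKeys path, and the NETWORK SERVICE account are assumptions (placeholders) for Windows PowerShell 5.1.

```powershell
# Added example, not part of the original KB. Locate the ADAM server certificate,
# map it to its key container file under MachineKeys, and grant the ADAM service
# account Read on that single file (least privilege) instead of the whole folder.
$AdamFqdn       = 'adam01.example.com'                  # placeholder FQDN of the ADAM host
$ServiceAccount = 'NT AUTHORITY\NETWORK SERVICE'        # account the ADAM service runs as
$MachineKeys    = Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'
$ServerAuthOid  = '1.3.6.1.5.5.7.3.1'                   # Server Authentication EKU

# Same selection a practitioner would do by eye with 'certutil -store my':
# a certificate with a private key, subject = FQDN, marked for server authentication.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.HasPrivateKey -and
        $_.Subject -like "CN=$AdamFqdn*" -and
        ($_.EnhancedKeyUsageList.ObjectId -contains $ServerAuthOid)
    } |
    Sort-Object NotAfter -Descending | Select-Object -First 1

if (-not $cert) { throw "No server-authentication certificate for $AdamFqdn in LocalMachine\My" }

# The Key Container value shown by certutil is the file name in MachineKeys.
$containerName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
$keyFile = Join-Path $MachineKeys $containerName
if (-not (Test-Path $keyFile)) { throw "Key file $keyFile not found (only CSP/RSA keys live here)" }

# Grant Read on just this key file.
$acl  = Get-Acl -Path $keyFile
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($ServiceAccount, 'Read', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $keyFile -AclObject $acl

# Verify: show the effective entries for the service account on the key file.
(Get-Acl -Path $keyFile).Access |
    Where-Object { $_.IdentityReference -eq $ServiceAccount } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Restart the ADAM service afterwards, as in step 13, so it re-opens the key with the new ACL.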

• To test the certificate with ADAM, run Ldp.exe on the computer running ADAM and connect to the local ADAM
instance using SSL. For information about LDP, see the ADAM Administrator's Guide. To open the ADAM Administrator's
Guide, click Start, point to Programs, point to ADAM, and then click ADAM Help.

Note: When you use LDP to make an SSL connection to ADAM, you must specify the FQDN of the computer running
ADAM. FQDNs are required, according to the SSL standard.

To test the certificate using LDP:

1. Execute Start > Run > LDP.
2. Click Connection > Connect.
3. Set the following:
   Server: Localhost
   Port: enter the LDAP SSL port
   Check the SSL box.
4. Click OK to run the test.

• To connect to ADAM from a client over SSL, the client must trust the certificate on the computer running ADAM. This
trust can be achieved by adding a certificate from the CA to the Trusted Root Certification Authorities store on the client.

• Use LDP from a client to make an SSL connection to the ADAM instance.

Notes:

• When you use LDP to make an SSL connection to ADAM, you must specify the fully qualified domain name (FQDN) of
the computer running ADAM. FQDNs are required, according to the SSL standard.

• On client computers running Windows XP Professional that need to establish SSL connections to an ADAM instance,
you must install the hotfix that is described in article 817583, Active Directory Services Does Not Request Secure
Authorization Over an SSL Connection, in the Microsoft Knowledge Base.
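As an added example (not from the KB or Microsoft's FAQ), here is a scripted equivalent of the client-side LDP test described above: it connects to the ADAM instance over SSL using the FQDN, and instead of accepting any server certificate it builds the chain against the client's trusted root store and checks that the certificate name matches the FQDN, which is exactly the trust relationship the note about the Trusted Root Certification Authorities store establishes. The FQDN and port are placeholders; the function assumes Windows PowerShell 5.1 and uses only an anonymous bind to exercise the TLS handshake.

```powershell
# Added example, not part of the original KB. Client-side LDAPS check that
# mirrors the LDP test but validates the server certificate explicitly.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AdamLdaps {
    param(
        [Parameter(Mandatory)] [string] $Fqdn,   # must be the FQDN, not 'localhost'
        [int] $Port = 636                         # placeholder: use the instance's SSL port
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Fqdn, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = 'Anonymous'              # only the handshake is exercised, no data is read

    # Validate the chain and the name ourselves; returning $true unconditionally
    # here would silently accept any certificate the server presents.
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $cert2 = [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert2)        # uses the client's Trusted Root store
        $nameOk  = $cert2.GetNameInfo('DnsName', $false) -ieq $Fqdn
        if (-not $chainOk) { Write-Warning ("Chain: " + ($chain.ChainStatus.StatusInformation -join '; ')) }
        if (-not $nameOk)  { Write-Warning "Name mismatch: certificate is not for $Fqdn" }
        return ($chainOk -and $nameOk)
    }.GetNewClosure()

    try {
        $conn.Bind()                          # TLS handshake and bind happen here
        [pscustomobject]@{ Server = $Fqdn; Port = $Port; Ssl = $true; Result = 'OK' }
    } catch {
        [pscustomobject]@{ Server = $Fqdn; Port = $Port; Ssl = $true; Result = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

Test-AdamLdaps -Fqdn 'adam01.example.com' -Port 636
```

A failure in the chain check points at the client's trusted root store (the CA certificate is missing), while a name mismatch points at the certificate having been requested without the FQDN as its identifying name.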

