Active DirectoryAzure servicesMicrosoft Technologies

Step-by-Step guide to enable Secure LDAP (Lightweight Directory Access Protocol) on Azure AD managed domain

In active directory environment, LDAP (Lightweight Directory Access Protocol) is responsible for read and write data from AD. By default LDAP traffic transmitted un-secure. You can make this secured transmit based on SSL. In security prospective even in more “local” network it’s important to make secure even though most of engineers not using it. But when you have hybrid or cloud only setup this is more important. Idea of this post is to demonstrate how to enable secure LDAP on Azure AD managed domain.

There is few prerequisite required to perform this task.

1)    Azure AD Domain Service – Azure AD domain service must be enabled and configured with all prerequisite. If you need any help over please refer to my last few posts which explain how to configure.
2)    SSL Certificate – It is need to have valid SSL certificate and it need to be from valid certificate authority such as public certificate authority, enterprise certificate authority. Also you can still use self-sign SSL certificate.

In my demo,
1)    I have already configured a Azure AD managed domain and running with active subscription

sldap1

2)    I got an Azure VM connected to Azure managed domain and I will be using it to demonstrate to enable Secure LDAP.
3)    I am going to use self-signed certificate to create the secure LDAP

Create self-signed certificate

1)    Log in to domain joined server, or PC and open windows power-shell session as administrator.
2)    Execute following

$validtill=Get-Date
New-SelfSignedCertificate -Subject *.rebeladmin.onmicrosoft.com -NotAfter $validtill.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment -Type SSLServerAuthentication -DnsName *.rebeladmin.onmicrosoft.com

In here you can replace rebeladmin.onmicrosoft.com with your managed domain name.

This will generate the self-sign certificate.

sldap2

Export the SSL Certificate

Now we have the certificate, but we need to export it to use to enable secure LDAP.
1)    Log in to the PC or Server which generated certificate as administrator
2)    Go to run > mmc

sldap3

3)    File > Add/remove Snap-in

sldap4

4)    Select Certificates and click on button Add

sldap5

5)    Then select the Computer Account and click next

sldap6

6)    Select local computer and click on finish

sldap7

7)    Click on OK to open the certificate mmc

sldap8

8)    Then in console go to Personal > Certificates and you can see the new self-signed certificate we just created in previous step

sldap9

9)    Right click on the certificate and click on All tasks > export

sldap10

10)    Then its start the certificate export wizard, click on next to start

sldap11

11)    In this window select option “Yes, export the private key” and click on next
12)    Leave the .pfx option selected and click next

sldap12

13)    In next window define a password and click on next

sldap13

14)    Then define the location to save the file and click on next

sldap14

15)    Click on finish to complete the export process

sldap15

Enable Secure LDAP

Now we got the SSL exported and ready. Now it’s time to enable the secure LDAP.
1)    Log in to the azure portal and load the Azure Domain Services configuration page for your relevant directory

sldap16

2)    Then to the domain service section and click on “configure certificate” button

sldap17

3)    Then brows for the .pfx file we just exported and provide the password, then click ok to proceed

sldap18

4)    After few minutes we can see the secure LDAP is enabled

sldap19

5)    The next step is to enable the secure LDAP connection over the internet for your managed domain. For that click on the “Yes” for the option “Enable secure LDAP access over the internet” and the click save

sldap20

sldap21

6)    After few minute we can see the feature is enabled and also displaying the public ip address which can use on this.

sldap22

7)    If you wish to use secure ldap over the internet you need to create DNS entry in your dns provider and create A record to point domain to the public ip address its given.

Hope this was helpful post and if you have any question on this feel free to contact me on rebeladm@live.com

Related posts
Cyber SecurityMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide : Process Entra ID Entitlement Management Access Package on-behalf of another user (preview)

Entra ID Entitlement Management access packages enable administrators to offer a self-service…
Read more
Azure servicesMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide: Configure Entra ID lifecycle workflow to trigger mover task on user profile changes

The Entra ID lifecycle workflow is a feature of Microsoft Entra ID identity governance and Microsoft…
Read more
Cyber SecurityMicrosoft Entra IDMicrosoft Technologies

Step-by-Step Guide: How to setup Entra ID Restricted management Administrative Units ?

In my previous blog post, I discussed what Entra ID Administrative Units are and how they can be…
Read more
Newsletter
Become a Trendsetter

Sign up and get the best of RebelAdmin, tailored for you.

Leave a Reply

Your email address will not be published. Required fields are marked *