LDAP over SSL for Domain Controller

Each Domain Controller has the Lightweight Directory Access Protocol (LDAP, port 389) open so that third-party applications and systems such as firewall or VPN appliances can authenticate against it. Plain LDAP is insecure because the data, including the user name and password of a simple bind, is sent in clear text. LDAPS (LDAP over SSL) encrypts the connection and lets the client verify that it is talking to the real domain controller. The default port for LDAPS is 636.

If your Active Directory has an Enterprise CA installed, the domain controllers most likely already have a certificate and LDAPS enabled, because they auto-enrol for a domain controller certificate. Below are the steps to request a certificate for a domain controller from a Microsoft Stand-alone CA; once the certificate is installed, LDAPS is activated automatically. The certificate must contain the domain controller's FQDN (in the Subject CN or a subject alternative name), carry the Server Authentication enhanced key usage, and chain to a CA that both the domain controller and the LDAPS clients trust.

1. Make sure you have at least one Microsoft Stand-alone CA installed in your organization.

2. On the domain controller that needs LDAPS, create a certificate.inf file like the example below; it drives the generation of the certificate request file.

;----------------- certificate.inf -----------------
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=servername.domain.local" ; replace with the FQDN of the Domain Controller
KeySpec = 1
KeyLength = 2048
; Can be 2048, 4096, 8192, or 16384. Larger key sizes are
; more secure, but have a greater impact on performance.
; 1024-bit RSA is deprecated and rejected by many current clients; do not use it.
Exportable = TRUE
; An exportable private key can be copied off the DC; set this to FALSE unless you must move the key.
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0 ; Digital Signature (0x80) + Key Encipherment (0x20)

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; this is for Server Authentication


3. Create the certificate request file with the following command:

certreq -new certificate.inf certificate.req

4. Submit the certificate request file to the Stand-alone CA:

certreq -submit certificate.req

The system will prompt you to choose which Stand-alone CA to submit to (pass -config CAHostName\CAName to skip the prompt). Take note of the certificate request ID.

5. In the Stand-alone Certificate Authority (CA) console, under "Pending Requests", right-click the request ID and select All Tasks - Issue. The certificate moves into the "Issued Certificates" folder.

(Screenshot: Pending Requests)

6. Retrieve the certificate from the domain controller that requested it:

certreq -retrieve <request id> certificate.cer


7. Import the certificate into the Personal store of the Computer account (Certificates MMC snap-in, Computer account). Running certreq -accept certificate.cer on the same domain controller does the same thing and associates the certificate with the private key generated in step 3.

(Screenshots: importing the certificate into the Computer account's Personal store)

8. Test LDAPS with ldp.exe: choose Connection - Connect, enter the domain controller's FQDN and port 636, and tick SSL. A successful connection prints the RootDSE attributes in the right-hand pane; a certificate problem shows up as a failed connection on port 636 and as a Schannel error in the System event log.

(Screenshot: LDAP over SSL connection)

(Screenshot: LDAP over SSL result)

9. You can now proceed with LDAP over SSL integration with third-party systems and applications. Point them at port 636 and have them validate the server certificate against the issuing CA's certificate rather than accepting any certificate.

10. On Windows Server 2008, you might need to import the certificate into the Active Directory Domain Services certificate store (Certificates MMC snap-in, Service account, Active Directory Domain Services), because a certificate in that store takes precedence over the Computer account's Personal store.

(Screenshot: Active Directory Domain Services certificate store)
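The request, issue, retrieve and install steps above, driven from PowerShell on the domain controller and followed by a check of what port 636 actually serves. This is an added example, not code from the original post: the DC name, the CA config string (CAHostName\CAName), the working folder and the Test-Ldaps helper are assumptions, and the issue step needs Certificate Manager rights on the CA.

```powershell
<#
 Added example, not part of the original post. $dc, $ca and $work are assumptions;
 the Test-Ldaps function is a helper written for this example, not a Windows tool.
#>
$dc   = 'dc01.domain.local'                 # FQDN of this domain controller (assumption)
$ca   = 'ca01.domain.local\Stand-alone CA'  # CA config string, CAHostName\CAName (assumption)
$work = 'C:\ldaps'                          # working folder (assumption)
$ErrorActionPreference = 'Stop'
New-Item -ItemType Directory -Path $work -Force | Out-Null

# 1. certificate.inf with the settings from the post: 2048-bit RSA, machine key store,
#    Server Authentication EKU. Exportable is FALSE because the key never needs to leave the DC.
@'
[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN={DC}"
KeySpec = 1
KeyLength = 2048
Exportable = FALSE
MachineKeySet = TRUE
SMIME = FALSE
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID = 1.3.6.1.5.5.7.3.1 ; Server Authentication
'@ -replace '\{DC\}', $dc | Set-Content -Path "$work\certificate.inf" -Encoding ASCII

# 2. Generate the request (private key lands in the Computer account's store) and submit it.
#    -config names the CA so certreq does not pop up the CA picker; the request id is parsed
#    from the "RequestId: N" line that certreq prints.
certreq -new "$work\certificate.inf" "$work\certificate.req"
$submitOutput = certreq -submit -config $ca "$work\certificate.req" "$work\certificate.cer"
$requestId = ($submitOutput | Select-String -Pattern 'RequestId:\s*"?(\d+)' |
              Select-Object -First 1).Matches[0].Groups[1].Value

# 3. Issue the pending request: the command-line equivalent of "All Tasks - Issue" in the CA console.
certutil -config $ca -resubmit $requestId | Out-Null

# 4. Retrieve the issued certificate and install it. -accept puts it in the Computer account's
#    Personal store and binds it to the key from step 2, which is where Schannel looks for LDAPS.
certreq -retrieve -config $ca $requestId "$work\certificate.cer"
certreq -accept "$work\certificate.cer"

# 5. Check port 636 from the client side: which certificate is served, with what key size and EKU,
#    and whether this machine's trust store and the host name validate it.
function Test-Ldaps {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        [int]$Port = 636
    )
    $script:chainErrors = 'None'
    # Record the validator's verdict but keep the handshake alive, so the served certificate
    # can be inspected even when the issuing CA is not (yet) trusted on this host.
    $validator = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:chainErrors = $sslPolicyErrors
        return $true
    }
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validator)
        $ssl.AuthenticateAsClient($Server)   # $Server is also the name checked against the certificate
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $eku  = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        [pscustomobject]@{
            Server        = "${Server}:${Port}"
            Protocol      = $ssl.SslProtocol
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            KeySize       = $cert.PublicKey.Key.KeySize
            ServerAuthEku = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.1' })
            ChainErrors   = $script:chainErrors   # 'None' means trusted chain and matching name
        }
    } finally {
        $tcp.Close()
    }
}

Test-Ldaps -Server $dc
```

Run Test-Ldaps from one of the third-party hosts too: a result other than None in ChainErrors on that host means the appliance will also refuse the certificate until the Stand-alone CA's certificate is installed in its trust store.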

Resources and References:

To renew the SSL certificate created by this post, see Renew SSL certificate for Domain Controller LDAPS.

Lightweight Directory Access Protocol


Run Application as Windows 2008 Service

Windows 2008 does not ship a toolkit like SrvAny and InstSrv that lets you wrap an application and run it as a Windows service. SrvAny.exe from the Windows 2003 Resource Kit still works on Windows 2008, though:


  1. Download the Windows 2003 Resource Kit from Microsoft.
  2. Install the Windows 2003 Resource Kit on any workstation or even a Windows 2008 server. We only need the SrvAny.exe file from the resource kit.
  3. Copy SrvAny.exe into C:\Windows\System32 of the Windows 2008 server.
  4. Use "sc" to create a new service that launches "srvany" (e.g. sc create MyCustomService binPath= C:\Windows\System32\srvany.exe DisplayName= "My Custom Service"). Note the space after each "=": sc requires it. The service runs as LocalSystem by default; add obj= <account> password= <password> to run it under a dedicated low-privilege account where the wrapped program allows it.
  5. Using RegEdit, create a "Parameters" key for your service (e.g. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MyCustomService\Parameters). The key must be spelled exactly "Parameters", or srvany will not find the application.
  6. Using RegEdit, within the newly created "Parameters" key, create a string value called "Application" and enter the full path to the application you want to run as a service (no quotes required). The application starts with the service account's privileges, so make sure neither the executable nor its folder is writable by ordinary users.


Below are the steps to make Inadyn (a simple dynamic DNS client) run as a service:

1. Download inadyn (for OpenDNS, please download from

2. Extract inadyn into c:\inadyn and configure it by editing inadyn.conf. The file holds your OpenDNS user name and password in clear text, so restrict its NTFS permissions to SYSTEM and Administrators.

3. Copy SrvAny.exe from the Windows 2003 Resource Kit into C:\Windows\System32.

4. Create the service with the following command at a command prompt:

sc create inadyn binPath= c:\Windows\System32\srvany.exe DisplayName= inadyn start= delayed-auto

5. Adjust the registry keys. Below is a sample registry file: save it as anyfile.reg and double-click the file to import it into the registry.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\inadyn\Parameters]
; Edit the next line to show the full path to the inadyn.exe executable file. Note that any backslashes "\" in the path must be _doubled_ "\\".
"Application"="C:\\inadyn\\inadyn.exe"
; The user name, password and alias are read from inadyn.conf (step 2), so edit that file rather than this line. The "--alias" entry there is arbitrary and is really only relevant to more complex setups.
"AppParameters"="--input_file C:\\inadyn\\inadyn.conf"

6. Done. You should now see inadyn in the Windows Services list.
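The same procedure, both the generic srvany steps and the inadyn walkthrough, as one PowerShell script that creates the service, writes the Parameters key and then confirms the wrapped program is really running. This is an added example, not code from the original post or from the inadyn project; the default service name, paths and arguments follow the walkthrough, srvany.exe in System32 is assumed to be present, and the Test-WritableByUsers helper is written for this example.

```powershell
<#
 Added example, not part of the original post. Defaults follow the inadyn walkthrough;
 srvany.exe in System32 and the application path are assumptions for your host.
#>
param(
    [string]$Name        = 'inadyn',
    [string]$DisplayName = 'inadyn',
    [string]$AppPath     = 'C:\inadyn\inadyn.exe',
    [string]$AppArgs     = '--input_file C:\inadyn\inadyn.conf'
)

$ErrorActionPreference = 'Stop'
$srvany = Join-Path $env:SystemRoot 'System32\srvany.exe'
if (-not (Test-Path $srvany))  { throw "srvany.exe not found at $srvany; copy it from the Windows 2003 Resource Kit" }
if (-not (Test-Path $AppPath)) { throw "application not found: $AppPath" }

# srvany runs as LocalSystem unless told otherwise, so whatever it launches runs as SYSTEM.
# Refuse to wrap a binary (or the folder holding it) that ordinary users can modify; that
# would hand those users SYSTEM on the next service start. Helper written for this example.
function Test-WritableByUsers {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match '\\(Users|Authenticated Users)$|^Everyone$' -and
        $_.FileSystemRights.ToString() -match 'Write|Modify|FullControl'
    })
}
foreach ($p in @($AppPath, (Split-Path -Parent $AppPath))) {
    if (Test-WritableByUsers $p) { throw "$p is writable by non-administrators; fix its ACL before wrapping it in a service" }
}

# 1. Create the service. sc.exe needs a space after each "=". SYSTEM is the srvany default;
#    add obj= <account> password= <password> to run as a dedicated low-privilege account instead.
& sc.exe create $Name binPath= $srvany DisplayName= $DisplayName start= delayed-auto | Out-Null
if ($LASTEXITCODE -ne 0) { throw "sc.exe create failed with exit code $LASTEXITCODE" }

# 2. Tell srvany what to launch: the Parameters key (spelled exactly like this) under the service.
$paramKey = "HKLM:\SYSTEM\CurrentControlSet\Services\$Name\Parameters"
New-Item -Path $paramKey -Force | Out-Null
New-ItemProperty -Path $paramKey -Name 'Application'   -Value $AppPath -PropertyType String -Force | Out-Null
New-ItemProperty -Path $paramKey -Name 'AppParameters' -Value $AppArgs -PropertyType String -Force | Out-Null

# 3. Start it and check the child process, not just the service: srvany reports "Running"
#    as long as srvany itself is up, even if the wrapped program exited immediately.
Start-Service -Name $Name
Start-Sleep -Seconds 3
$svc   = Get-Service -Name $Name
$child = Get-Process -Name ([IO.Path]::GetFileNameWithoutExtension($AppPath)) -ErrorAction SilentlyContinue
[pscustomobject]@{
    Service      = $svc.Name
    Status       = $svc.Status
    Application  = (Get-ItemProperty -Path $paramKey).Application
    ChildRunning = [bool]$child
}
```

Run it from an elevated PowerShell prompt. A result with Status Running but ChildRunning False usually means the program could not read its configuration under the service account; check the Application log and the ACL on inadyn.conf before touching the registry again.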