Enable SSL for LDAP on your Windows 2003 Active Directory Service

Windows 2003 ADS, as you probably already know, is based upon LDAP. Often you will need to query this LDAP directory for authentication and other purposes. By default these queries are carried out unencrypted and can be snooped by eavesdroppers. To remedy this you can enable LDAP over SSL so that LDAP queries are carried out over an encrypted channel. This guide tells you how to do this. For the purposes of the guide we have only one domain controller, called “mypdc”, which runs the ADS for the domain “mytest.domain.com”. Of course this will change according to your own setup.

Warning! As always when altering ADS, be very careful. Try it on a test domain before rolling this out to a production domain.


Intended Audience

Windows Active Directory administrators who wish to enable SSL for LDAP.


Step 1. Install IIS on your Windows Domain controller

If you have not already done so, you need to install the IIS web server, as it is a required component. In this guide we are going to install IIS 6, as this ships with Windows 2003 Server.

  1. Click on Start -> Control Panel -> Add/Remove Programs
  2. Choose Add/Remove Windows Components -> check the Application Server checkbox. Let the installation run.

Step 2. Install Certificate Authority Service on your Domain Controller

  1. Click on Start -> Control Panel -> Add/Remove Programs
  2. Choose Add/Remove Windows Components -> highlight Certificate Services
  3. Click Details.
  4. Choose Certificate Services CA. Please say “Yes” to the warning “After installing Certificate Services, the machine name and domain...”
  5. You will be walked through the initial certificate setup. In our scenario we are the Enterprise root CA, so choose Enterprise root CA. Click Next.
  6. Enter a common name. I am going to enter “myroot”.
  7. Choose where you want your certificate database information to be kept. I am leaving it as the default. Click Next. Say “Yes” to any questions about stopping IIS.
  8. The installation will proceed. It may ask you whether you wish to enable ASP pages for web enrollment. I say no, as I am not using this feature for my purposes. Click Finish.

Testing using LDP

A handy little utility for connecting to ADS over LDAP is ldp.exe. It becomes available when you install the Support Tools found on the Windows 2003 disc. Enter the FQDN of the domain controller; using the IP address instead may cause certificate errors in the event log and prevent the connection. Change the port to 636 and check the SSL box.


If all is well you will be connected and see a screen similar to this:
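For a check that can be scripted from any LDAP client rather than clicked through in ldp.exe, the following added example (not part of the original guide) opens a TLS session to port 636 with the Python standard library and inspects the certificate the domain controller presents. The CA bundle path, the sample certificate dict and the sample clock are assumptions constructed for the demo; the names come from the guide.

```python
import socket
import ssl

LDAPS_PORT = 636

def ldaps_context(ca_file):
    """TLS context that trusts only the given CA bundle (the exported
    enterprise root, e.g. "myroot") and requires a certificate whose
    name matches the host we asked for, i.e. the DC's FQDN."""
    ctx = ssl.create_default_context(cafile=ca_file)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def fetch_ldaps_cert(host, ca_file, port=LDAPS_PORT, timeout=5):
    """Handshake with the domain controller on 636 and return its
    certificate in the dict form ssl.getpeercert() produces. Raises
    ssl.SSLCertVerificationError if the chain or the name fails."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ldaps_context(ca_file).wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()

def cert_dns_names(cert):
    """DNS names the certificate is valid for: SAN entries plus subject CN."""
    names = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        names += [v for key, v in rdn if key == "commonName"]
    return names

def cert_covers_host(cert, host):
    """True when the name used to connect appears in the certificate.
    An IP address will not, which is why the guide says to use the FQDN."""
    return host.lower() in {n.lower() for n in cert_dns_names(cert)}

def cert_days_left(cert, now):
    """Days until the certificate expires, given 'now' as epoch seconds."""
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400

# Constructed sample in the shape getpeercert() returns, standing in for the
# DC certificate issued by the "myroot" enterprise CA from the guide.
SAMPLE_CERT = {
    "subject": ((("commonName", "mypdc.mytest.domain.com"),),),
    "issuer": ((("commonName", "myroot"),),),
    "subjectAltName": (("DNS", "mypdc.mytest.domain.com"),),
    "notBefore": "Mar 15 00:00:00 2024 GMT",
    "notAfter": "Mar 15 00:00:00 2026 GMT",
}
SAMPLE_NOW = ssl.cert_time_to_seconds("Mar 15 00:00:00 2025 GMT")  # constructed clock

if __name__ == "__main__":
    print(cert_covers_host(SAMPLE_CERT, "mypdc.mytest.domain.com"))  # True
    print(cert_covers_host(SAMPLE_CERT, "192.168.1.10"))            # False
```

Against a live DC, call `fetch_ldaps_cert("mypdc.mytest.domain.com", "myroot.pem")` and pass the result to the same checks; a client that has not imported the enterprise root will fail at the handshake, which is the expected outcome rather than something to bypass.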

