Active Directory LDAPS between Trusted Domains


I am trying to configure LDAPS between two domain controllers, domainA.com and domainB.com. We have a one-way trust configured such that domainB.com has permission to view the user accounts located in domainA.com. DomainA.com has multiple SSL certificates: a root certificate, an intermediate certificate, and multiple certificates for each of their domain controllers.

I am seeking feedback on steps to complete the process because I feel like I am missing something when it comes to uploading certificates. I have detailed the steps I have taken below.

Based on my research the process for enabling our connection between these controllers over LDAPS is:

Note: Steps 3-5 are based on the linked article below

  1. Open ports between domain controllers (completed)
  2. Establish one way trust (completed)
  3. Export certificates from domainA.com domain controller (completed)
  4. Load .cer files onto domainB.com and add them to java keystore (completed)
  5. Establish 636 connection using ldp.exe tool (failed)

I am new to Active Directory and I am unfamiliar with how to enable LDAPS. In the LDAPS section of this article I performed the following steps to configure LDAPS on domainB.com:

  1. Installed Active Directory Certificate Services and Certificate Authority
  2. Added the .cer files from domainA.com to the Java keystore of the domainB.com server
  3. Tested connectivity using ldp.exe tool (389 (LDAP) connection was successful, 636 (LDAPS) connection failed)

An additional validation check with the PortQryUI tool showed that all ports were open between the domain controllers.

Environment: AWS and On Prem

Domain Controllers

domainA.com - on-premises AD domain controller (controlled by someone else)

domainB.com - AWS AD domain controller (controlled by me)


Solution

  • The certificate has to be trusted by the computer that you are testing on (Start menu -> Manage computer certificates -> Trusted Root Certification Authorities). If I remember correctly, there will likely be an error in the Event Viewer (the System log) each time ldp.exe tries to connect and fails due to a certificate error.

    If you want to test whether the cert is trusted, you can use the PowerShell script from this answer to download the cert. Just use https://domainA.com:636 as the "website".

    # Start a TLS handshake with the LDAPS port. The HTTP request itself is expected to fail
    # (the error is discarded), but the server certificate negotiated during the handshake
    # is kept on the ServicePoint.
    $webRequest = [Net.WebRequest]::Create("https://domainA.com:636")
    try { $webRequest.GetResponse() } catch {}
    $cert = $webRequest.ServicePoint.Certificate
    # Export the DER-encoded certificate and write it to disk
    # (-Encoding Byte is Windows PowerShell 5.1; PowerShell 7 uses -AsByteStream instead)
    $bytes = $cert.Export([Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    Set-Content -Value $bytes -Encoding Byte -Path "domainA.com.cer"


    Then double-click on domainA.com.cer (in whichever folder you happen to run this code from) to view it. It will show you a big warning if it is not trusted. Your goal is to be able to view that and have it say that it's trusted.
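The trust check described in the answer, done in one step instead of downloading the file and opening it by hand. This is an added example, not code from the original question or answer: it opens a TLS session to the LDAPS port, captures the server certificate, builds its chain against the local machine's certificate stores, and reports which CA the chain stops at. The host name `domainA.com` is taken from the question; in practice use the FQDN of the domain controller you connect to, and run it as the same account that runs ldp.exe so the same stores are consulted.

```powershell
# Added example, not from the original answer. Opens a TLS session to an LDAPS
# endpoint, captures the server certificate and validates it against the local
# certificate stores, which is the trust check ldp.exe performs on port 636.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [int] $Port = 636
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate during the handshake; we validate it ourselves below.
        $accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
        try {
            $ssl.AuthenticateAsClient($HostName)
            $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
        } finally { $ssl.Dispose() }
    } finally { $tcp.Dispose() }

    # Build the chain from the machine's Trusted Root / Intermediate CA stores.
    # Revocation is skipped so an unreachable CRL URL does not mask a missing root.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainTrusted = $chain.Build($serverCert)

    # LDAPS clients also require the certificate to name the host they connected to.
    # DnsNameList is PowerShell's view of the certificate's SAN / CN DNS names.
    $dnsNames = @($serverCert.DnsNameList | ForEach-Object { $_.Unicode })
    $nameMatches = $dnsNames -contains $HostName

    [pscustomobject]@{
        Subject      = $serverCert.Subject
        Issuer       = $serverCert.Issuer
        NotAfter     = $serverCert.NotAfter
        DnsNames     = $dnsNames -join ', '
        NameMatches  = $nameMatches
        ChainTrusted = $chainTrusted
        ChainErrors  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        # The last chain element is the CA the chain stops at. When ChainTrusted is
        # false, this is the certificate to import into Trusted Root Certification Authorities.
        TopOfChain   = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
    }
}

# Host name from the question (assumption: replace with the DC's FQDN).
Test-LdapsCertificate -HostName 'domainA.com' | Format-List
```

A result of `ChainTrusted : False` with `ChainErrors : UntrustedRoot` means the root (and any intermediate) from domainA.com still has to be imported into the computer's certificate store; `NameMatches : False` means the connection will still fail after that until you connect using a name the certificate actually carries.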