LDAP Over SSL through enterprise firewall

I am tasked with enabling an inbound LDAP over SSL connection over port 626 through our firewall from a service provider to one of our Active Directory domain controllers running Server 2008 R2 SP1 Standard in a single domain forest at Server 2008 R2 level.

I don't want to purchase a 3rd party enterprise certificate, just a certificate local to that server which will enable the inbound LDAP over SSL connection from the service provider's cloud server, but which does not cause any problems with user/computer authentication or srv record disruption within our own network as we want the default LDAP connectivity on port 3389 within our internal AD domain to continue to work transparently.

We simply want to facilitate the inbound LDAP over SSL connection without having any impact whatsoever with how that DC operates on our internal network.

Can you provide me with specific step-by-step guidance to accomplish these objectives?

Scott McIntosh

May 22nd, 2015 4:25pm

I have done the same by simply creating an internal CA and letting the DCs automatically enroll for certificates. Once they got their certificate, they were available through LDAPS. This process does not impact any of your services.

May 24th, 2015 3:08pm
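As an added example (not code from the original thread), the following PowerShell check lets you confirm the result described above: that the DC now answers on TCP 636 and presents a certificate that LDAPS clients will accept (trusted chain, Server Authentication EKU, name matching the DC's FQDN). The host name is a placeholder assumption; replace it with your own DC.

```powershell
# Added example: verify a domain controller's LDAPS listener and inspect its certificate.
# 'dc01.corp.example.com' is a placeholder; 636 is the standard LDAPS port.
param(
    [string]$DomainController = 'dc01.corp.example.com',
    [int]$Port = 636
)

function Test-LdapsCertificate {
    param([string]$Server, [int]$Port)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($Server, $Port)
    } catch {
        # Nothing is listening (or the firewall blocks it); report and stop here.
        return [pscustomobject]@{ Server = $Server; Port = $Port; Listening = $false; Error = $_.Exception.Message }
    }

    # Accept any certificate during the handshake so we can inspect it ourselves;
    # the actual trust decision is made with X509Chain below, not by this callback.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $sslStream = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
    $sslStream.AuthenticateAsClient($Server)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($sslStream.RemoteCertificate)

    # Build the chain against this machine's trusted roots; the internal CA must be trusted here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainTrusted = $chain.Build($cert)

    # LDAPS clients require the Server Authentication EKU (1.3.6.1.5.5.7.3.1)
    # and a subject/SAN that matches the name they connect to.
    $eku = $cert.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = [bool]($eku -and ($eku.EnhancedKeyUsages.Value -contains '1.3.6.1.5.5.7.3.1'))
    $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
    $nameMatches = ($dnsName -eq $Server)

    $sslStream.Dispose(); $client.Dispose()

    [pscustomobject]@{
        Server        = $Server
        Port          = $Port
        Listening     = $true
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        NotAfter      = $cert.NotAfter
        ChainTrusted  = $chainTrusted
        ServerAuthEKU = $hasServerAuth
        NameMatches   = $nameMatches
    }
}

Test-LdapsCertificate -Server $DomainController -Port $Port | Format-List
```

Run it from a domain-joined machine that trusts the internal CA; if ChainTrusted, ServerAuthEKU and NameMatches are all True, the inbound LDAPS connection will succeed while plain LDAP on 389 continues to work unchanged.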

Hi Scott McIntosh,

By default, LDAP clients connect to the LDAP service over TCP/IP port 389. If you are trying to deploy LDAPS and change the connection port, please refer to the following articles:

Modify the Communication Ports Used by an AD LDS Instance

https://technet.microsoft.com/en-us/library/cc794917(v=ws.10).aspx

Implementing LDAPS (LDAP over SSL)

http://blogs.technet.com/b/pki/archive/2011/06/02/implementing-ldaps-ldap-over-ssl.aspx

LDAP over SSL (LDAPS) Certificate

http://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx

More related third party article:

Changing the LDAP service port and port security configuration

http://www-12.lotus.com/ldd/doc/domino_notes/Rnext/help6_admin.nsf/855dc7fcfd5fec9a85256b870069c0ab/904edbc47a8483d485256c1d00393834?OpenDocument

I'm glad to be of help to you!

*** This response contains a reference to a third party World Wide Web site. Microsoft is providing this information as a convenience to you. Microsoft does not control these sites and has not tested any software or information found on these sites; therefore, Microsoft cannot make any representations regarding the quality, safety, or suitability of any software or information found there. There are inherent dangers in the use of any software found on the Internet, and Microsoft cautions you to make sure that you completely understand the risk before retrieving any software from the Internet. ***

May 26th, 2015 10:48pm
