In order to allow Nervepoint Access Manager to manage password reset and account unlock actions in your Active Directory network you are required to set-up an SSL connection for your Domain Controller. This SSL connection is a requirement set by the Active Directory in order to allow third party applications the ability to perform these functions. Today we'll share the process that we use when configuring this on a Windows Server 2008 system in our own testing environment.
Step 1: Install the Certificate Services Roles
To begin, the Windows server should already have Active Directory Domain Services installed. If it does not then you will need to install this before we continue.
Once domain Services has been installed and configured (if it was required ) open the Add Roles wizard and select the Active Directory Certificate Services role and begin the installation process of this role on the Domain Controller.
The following instructions setting for the wizard are are intended for a single domain controller environment, and are used in our own testing systems. Your own configuration requirements may vary.
When the wizard prompts you to select the modules for the Certificate Services select the Certificate Authority option and Next.
You'll next be prompted to select the type of Certificate Authority you wish to create. In order to create a certificate for Active Directory you must select the Enterprise CA.
Next you'll need to set if the CA is the root or a subordinate, in this environment you want to select the Root CA option.
Next you will need to specify if the CA will use a new or existing private key. We will be selecting Create a New Private Key, however if you already have a key you wish to use you can select Use Existing option and upload the key to the domain controller.
The next parts of the wizard will configure the certificate authority, in most cases you can leave these as the default values unless you specifically wish to change the CA details, validity period, or database location. Continue until the wizard completes.
Eventually you'll be presented with an overview of the Certificate Services details. Confirming here will now install the Certificate Services role.
Step 2: Configuring Certificates for the Domain
After Certificate Services has completed installation open the Start menu and run the 'MMC' application.
In MMC open the File menu and select the Add/Remove Snap In option. A new window will open listing all available snap-ins. In the left tab select the Certificates snap-in select Add >.
The Certificate snap-in window will open, on the first page select the Computer Account option and continue to the next page.
On the second page select the Local Computer option and select Finish to complete the details.
The Certificates snap-in will now be added to the console, select OK to complete setup and return to the console.
The console will now list a Certificates section with a number of folders, expand the Personal > Certificates folders. With the last Certificates folder selected you should see one certificate listed in the central section for the CA that was created. There may also be a certificate for the server itself.
With the Certificates folder still selected right click the folder and select All Tasks > Request New Certificate. The Certificate Enrollment wizard will begin.
When prompted to choose the type of certificate enrollment policy select the Active Directory Enrolment Policy option.
Next you'll need to request certificates, select both the Domain Controller and Domain Controller Authority options and select Enroll and then Finish to complete the wizard.
Two additional certificates will now be listed in the Personal > Certificates section.
Step 3: Testing the SSL Connection
To test the SSL connection to Active Directory open the Start menu and run the LDP application.
Open the Connection menu and select the Connection option, in the Connect window set the connection details as follows and then select OK:
- Hostname: localhost
- Port: 636
- SSL option enabled
If the SSL connection is working correctly you should see output similar to the following.
Active Directory will now be able to receive connections over SSL and permission to reset passwords and unlock accounts will be granted to third party applications.