Using LDAPS

This page shows you how to enable LDAP over SSL/TLS (LDAPS) for Managed Service for Microsoft Active Directory (Managed Microsoft AD) so that your LDAP traffic is confidential and integrity protected. By default, the communication between Managed Microsoft AD and client applications is not encrypted for simple LDAP binds, so the credentials sent in a simple bind cross the network in cleartext.

To enable LDAPS, you must have a certificate. This page also describes the specifications for the required certificate and how to verify and monitor it.

Request a certificate

You can request a certificate from a Public Certificate Authority (CA), an Enterprise CA, or Google Cloud Certificate Authority Service, or you can use a self-signed certificate. You can create a self-signed certificate with the New-SelfSignedCertificate cmdlet on Windows, with OpenSSL, or with MakeCert.

Certificate requirements

Your certificate must meet the following requirements:

  • Subject Name: It must be the wildcard-prefixed name of your Managed Microsoft AD domain so that the service remains available across an upgrade or restore. Domain controllers are assigned random names that change during an upgrade or restore, so a certificate issued to a specific controller name would stop matching. For example, if the domain name is ad.mycompany.com, the subject name must be CN=*.ad.mycompany.com.

  • Subject Alternative Name (DNS name or SAN): It must include only the following DNS names:

    • The wildcard name of your Managed Microsoft AD domain
    • The Managed Microsoft AD domain name itself

    For example, DNS Name=*.ad.mycompany.com, DNS Name=ad.mycompany.com

  • KeySpec: It must be set to "1" (AT_KEYEXCHANGE), which denotes a key that can be used for both digital signature and key exchange.

  • KeyLength: The minimum key size depends on the cryptographic algorithm.

    • RSA: At least 2048 bits
    • ECDSA: At least 256 bits
    • ED25519: 512 bits (Fixed length)

  • KeyUsage: It must include "Digital Signature" and "Key Encipherment".

  • EnhancedKeyUsageExtension: It must have OID=1.3.6.1.5.5.7.3.1 for server authentication.

  • NotBefore: The time from which the certificate is valid. It must be in the past when you enable LDAPS.

  • NotAfter: The time after which the certificate is no longer valid. It must be in the future when you enable LDAPS.

  • Issuing Chain: The entire certificate chain must be uploaded and must be valid. The chain must be linear, that is, a single path from the LDAPS certificate to the root; multiple chains are not supported.

  • Signature Algorithm: Weak signature algorithms such as SHA-1, MD2, and MD5 are not supported.

  • Certificate Format: The certificate, its private key, and the issuing chain must be packaged in Public-Key Cryptography Standards (PKCS) #12 format as a PFX file.
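The following is an added example and is not code from the Managed Microsoft AD documentation. It creates a self-signed certificate that satisfies the requirements listed above, exports it as a password-protected PFX, and then re-opens the PFX and checks each requirement that can be read from the certificate itself before you upload it. The domain name ad.mycompany.com and the output path are assumed values; the KeySpec requirement is set by the -KeySpec parameter and is not re-checked, because .NET does not expose it on the loaded certificate.

```powershell
# Added example, not from the Managed Microsoft AD documentation.
# Assumed values: the domain name and the output path.
$DomainName  = 'ad.mycompany.com'                 # assumed Managed Microsoft AD domain
$PfxPath     = 'C:\ldaps\ldaps-ad-mycompany.pfx'  # assumed output path
$PfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null

# Wildcard subject, both SAN entries, KeySpec 1 (KeyExchange), RSA 2048,
# SHA-256, Digital Signature + Key Encipherment, Server Authentication EKU.
$cert = New-SelfSignedCertificate `
    -Subject "CN=*.$DomainName" `
    -DnsName "*.$DomainName", $DomainName `
    -KeyAlgorithm RSA -KeyLength 2048 -HashAlgorithm SHA256 `
    -KeySpec KeyExchange `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -TextExtension @('2.5.29.37={text}1.3.6.1.5.5.7.3.1') `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddYears(1) `
    -CertStoreLocation 'Cert:\LocalMachine\My'

# Export-PfxCertificate includes the issuing chain by default (self-signed: leaf only).
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $PfxPassword | Out-Null

function Test-LdapsCertificate {
    # Re-reads a PFX and evaluates the documented requirements that are visible
    # on the certificate. Returns one boolean per check plus an overall Pass.
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password,
        [Parameter(Mandatory)][string]$Domain
    )
    $x = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path, $Password)

    # On Windows, Format($false) renders the SAN as "DNS Name=a, DNS Name=b".
    $sanExt   = $x.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $sanNames = @()
    if ($sanExt) {
        $sanNames = @($sanExt.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=', 2)[1].Trim() })
    }
    # Exactly the wildcard name and the domain name, nothing else.
    $sanOk = ($sanNames.Count -eq 2) -and ($sanNames -contains "*.$Domain") -and ($sanNames -contains $Domain)

    $rsa   = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($x)
    $ecdsa = [System.Security.Cryptography.X509Certificates.ECDsaCertificateExtensions]::GetECDsaPublicKey($x)
    $keyOk = ($null -ne $rsa -and $rsa.KeySize -ge 2048) -or ($null -ne $ecdsa -and $ecdsa.KeySize -ge 256)

    $ku  = $x.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] }
    $eku = $x.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $needed = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    $now = Get-Date

    $r = [ordered]@{
        Subject        = ($x.Subject -eq "CN=*.$Domain")
        SubjectAltName = $sanOk
        KeyLength      = $keyOk
        KeyUsage       = [bool]($ku -and (($ku.KeyUsages -band $needed) -eq $needed))
        ServerAuthEku  = [bool]($eku -and (@($eku.EnhancedKeyUsages | ForEach-Object Value) -contains '1.3.6.1.5.5.7.3.1'))
        ValidNow       = ($x.NotBefore -le $now -and $x.NotAfter -gt $now)
        StrongSigAlg   = ($x.SignatureAlgorithm.FriendlyName -notmatch '^(sha1|md2|md5)')
        HasPrivateKey  = $x.HasPrivateKey
    }
    $r['Pass'] = -not (@($r.Values) -contains $false)
    [pscustomobject]$r
}

Test-LdapsCertificate -Path $PfxPath -Password $PfxPassword -Domain $DomainName | Format-List
```

Run Test-LdapsCertificate against any PFX you obtained from a Public or Enterprise CA as well; a certificate issued to a single domain controller name, or with extra SAN entries, fails the Subject and SubjectAltName checks before you spend an update call on it.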

Request from a Public CA or Enterprise CA

To request a certificate from a Public CA or Enterprise CA, generate the certificate request on a Windows VM and accept (install) the issued certificate on the same VM where the request was generated. The private key is created and stored on that VM when the request is generated, so installing the certificate anywhere else leaves it without its key.

Export the certificate in PKCS #12 format

To export the certificate in PKCS #12 format (as a PFX file), complete the following steps:

  1. In Windows, navigate to your certificates in the Microsoft Management Console (MMC).

  2. Expand Local Computer Certificates, and navigate to Personal > Certificates.

  3. Right-click the certificate you created to enable LDAPS, and select All Tasks > Export.

  4. In the Certificate Export Wizard dialog that appears, click Next.

  5. On the Export Private Key page, select Yes to export the private key.

  6. On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX), and select the Include all certificates in the certification path if possible checkbox so that the issuing chain is included. Click Next.

  7. On the Security page, select the Password checkbox and enter a strong password to protect the exported private key. Click Next. You need this password when you configure LDAPS on your Managed Microsoft AD domain.

  8. On the File to Export page, enter the destination name and path for the PFX file to export. Click Next.

  9. Click Finish.

Export the issuer chain to client computers

For LDAPS to function, all client computers must trust the issuer of the LDAPS certificate. If you used a well-known Public CA, the client computers probably already trust the issuer chain. If the chain is not trusted, complete the following steps to export the issuer chain:

  1. In Windows, navigate to your certificates in the Microsoft Management Console (MMC).

  2. Expand Local Computer Certificates and navigate to Personal > Certificates. Double-click the LDAPS certificate.

  3. In the Certificate window, click Certification Path tab.

  4. On the Certification Path tab, select the root certificate in the path.

  5. Click View Certificate.

  6. Click Details tab, and then click Copy to File...

  7. In the Certificate Export Wizard dialog that appears, select Base-64 encoded X.509 and click Next.

  8. Select the file name and location for the certificate chain, and click Finish.

  9. To copy the certificate to the client computer that establishes the LDAPS connection, use the Certificate Import Wizard to import the root certificate into the Trusted Root Certification Authorities store of the Local Machine (not the current user). Any intermediate CA certificates belong in the Intermediate Certification Authorities store. Alternatively, you can distribute the certificate chain of the issuing authorities to the client computers with Group Policy.
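The following is an added example, not code from the documentation, that scripts the export and import steps above. Export-IssuerChain builds the chain from the LDAPS certificate on the machine that holds it and writes each issuer as a Base-64 encoded X.509 (.cer) file; Import-IssuerChain places those files in the Local Machine stores on a client. The thumbprint placeholder and the directory paths are assumed values.

```powershell
# Added example, not from the Managed Microsoft AD documentation.
# Assumed values: the LDAPS certificate thumbprint and the export directory.
$LdapsThumbprint = 'PASTE_THUMBPRINT_OF_LDAPS_CERT'   # assumed; find it under Cert:\LocalMachine\My
$ExportDir       = 'C:\ldaps\issuers'                  # assumed

function Export-IssuerChain {
    # Builds the chain from the LDAPS certificate and writes each issuer as
    # root-<thumbprint>.cer or intermediate-<thumbprint>.cer in PEM form, the
    # encoding the Certificate Export Wizard calls "Base-64 encoded X.509".
    param([Parameter(Mandatory)][string]$Thumbprint, [Parameter(Mandatory)][string]$Destination)
    New-Item -ItemType Directory -Path $Destination -Force | Out-Null
    $leaf  = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Only the chain elements are wanted here, so do not fail on an untrusted root or missing CRLs.
    $chain.ChainPolicy.RevocationMode    = 'NoCheck'
    $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
    [void]$chain.Build($leaf)

    # Element 0 is the LDAPS certificate itself. For a self-signed certificate it
    # is also the root and must be exported, because clients have to trust it directly.
    $start = if ($chain.ChainElements.Count -eq 1) { 0 } else { 1 }
    $files = @()
    for ($i = $start; $i -lt $chain.ChainElements.Count; $i++) {
        $c    = $chain.ChainElements[$i].Certificate
        $kind = if ($c.Subject -eq $c.Issuer) { 'root' } else { 'intermediate' }
        $file = Join-Path $Destination ("{0}-{1}.cer" -f $kind, $c.Thumbprint)
        $pem  = @('-----BEGIN CERTIFICATE-----',
                  [Convert]::ToBase64String($c.RawData, 'InsertLineBreaks'),
                  '-----END CERTIFICATE-----')
        Set-Content -Path $file -Value $pem -Encoding Ascii
        $files += $file
    }
    $files
}

function Import-IssuerChain {
    # On the client: roots go to Trusted Root Certification Authorities, everything
    # else to Intermediate Certification Authorities, both in the Local Machine store.
    # Run from an elevated PowerShell session.
    param([Parameter(Mandatory)][string]$Source)
    Get-ChildItem -Path $Source -Filter '*.cer' | ForEach-Object {
        $store = if ($_.Name -like 'root-*') { 'Cert:\LocalMachine\Root' } else { 'Cert:\LocalMachine\CA' }
        Import-Certificate -FilePath $_.FullName -CertStoreLocation $store | Out-Null
        "{0} -> {1}" -f $_.Name, $store
    }
}

Export-IssuerChain -Thumbprint $LdapsThumbprint -Destination $ExportDir
# Copy $ExportDir to the client computer, then run there:
# Import-IssuerChain -Source 'C:\ldaps\issuers'
```

The chain is built from the certificates installed on the exporting machine, so any intermediate CA certificate the CA delivered with the LDAPS certificate must already be present there; if the exported set contains no intermediate-*.cer file for a CA that uses one, the client will still fail to validate the chain.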

Enable LDAPS on a Managed Microsoft AD domain

To enable LDAPS on your Managed Microsoft AD domain, complete the following steps:

  1. Ensure that you have one of the following IAM roles:

    • Google Cloud Managed Identities Admin (roles/managedidentities.admin)
    • Google Cloud Managed Identities Domain Admin (roles/managedidentities.domainAdmin)

    For more information about Managed Microsoft AD IAM roles, see Access control.

  2. Run the following gcloud CLI command:

    gcloud active-directory domains update-ldaps-settings DOMAIN_NAME \
        --certificate-pfx-file=PFX_FILENAME \
        --certificate-password=PASSWORD

Replace the following:

  • DOMAIN_NAME: The full resource name of your Managed Microsoft AD domain. Full resource name format: projects/PROJECT_ID/locations/global/domains/DOMAIN_NAME.
  • PFX_FILENAME: The PKCS #12-formatted PFX file that specifies the certificate chain used to configure LDAPS.
  • PASSWORD: The password that protects the PKCS #12 file. If you omit this flag, the command prompts for the password. Prefer the prompt on shared machines, because a password passed on the command line is recorded in the shell history.

Verify LDAPS

You can verify that LDAPS is enabled by performing an LDAPS bind. This procedure uses LDP.exe, one of the Remote Server Administration Tools (RSAT) that you install when you join a VM to the domain.

On a domain-joined Windows VM in Google Cloud, complete the following steps:

  1. From PowerShell, start LDP.exe and navigate to Connection > Connect.

  2. In the Connect dialog, complete the following steps:

    1. In the Server field, enter your domain name.
    2. In the Port field, enter 636.
    3. Select the SSL checkbox.
    4. Click OK.

    If LDAPS is enabled correctly, the connection succeeds. If the client does not trust the server certificate's issuer, or the certificate does not cover the name you entered, LDP.exe reports that it cannot open the connection.
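The following is an added example, not code from the documentation, that performs the same check as LDP.exe from PowerShell. Get-LdapsServerCertificate opens a TLS session to port 636 and reports the certificate the domain controller presented and whether it chains to a root this machine trusts, which LDP.exe does not show; Test-LdapsBind then performs an LDAPv3 bind over LDAPS as the current domain user. The domain name is an assumed value; run it on a domain-joined Windows VM.

```powershell
# Added example, not from the Managed Microsoft AD documentation.
# Assumed value: the domain name. Run on a domain-joined Windows VM.
$DomainName = 'ad.mycompany.com'

function Get-LdapsServerCertificate {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    $tcp   = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $state = @{ Trusted = $false; Errors = 'NotEvaluated' }
    # Record the validation result instead of aborting the handshake, so an
    # untrusted or misnamed certificate is reported rather than hidden in an exception.
    $cb = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $state.Trusted = ($sslPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
        $state.Errors  = $sslPolicyErrors.ToString()
        return $true
    }.GetNewClosure()
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
    try {
        $ssl.AuthenticateAsClient($Server)   # target name = the domain name, as typed into LDP.exe
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Server       = "${Server}:$Port"
            TlsProtocol  = $ssl.SslProtocol
            Subject      = $cert.Subject        # expect CN=*.<domain>
            Issuer       = $cert.Issuer
            NotAfter     = $cert.NotAfter
            ChainTrusted = $state.Trusted
            PolicyErrors = $state.Errors        # e.g. RemoteCertificateChainErrors if the issuer is not trusted
        }
    } finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

function Test-LdapsBind {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $false, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS on 636, not StartTLS on 389
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Negotiate
    try {
        $conn.Bind()          # binds as the current domain user; throws on failure
        return $true
    } catch {
        # An untrusted or misnamed certificate usually surfaces here as
        # "The LDAP server is unavailable" rather than as an explicit TLS error.
        Write-Warning ("LDAPS bind to {0}:{1} failed: {2}" -f $Server, $Port, $_.Exception.Message)
        return $false
    } finally {
        $conn.Dispose()
    }
}

Get-LdapsServerCertificate -Server $DomainName | Format-List
Test-LdapsBind -Server $DomainName
```

When ChainTrusted is false but the bind succeeds from another client, the problem is the local trust store rather than the domain; when the Subject is not the wildcard name of your domain, the uploaded certificate is not the one being served.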

Monitor a certificate

You can view the Time to Live (TTL) of a certificate chain in Cloud Monitoring. The cert_ttl metric reports the number of days of validity remaining for the certificate in the chain that expires first.

To use Metrics Explorer to view the metrics for a monitored resource, follow these steps:

  1. In the Google Cloud console, go to the Metrics Explorer page within Monitoring.
  2. In the toolbar, select the Explorer tab.
  3. Select the Configuration tab.
  4. Expand the Select a metric menu, enter LDAPS Certificate TTL in the filter bar, and then use the submenus to select a specific resource type and metric:
    1. In the Active resources menu, select Microsoft Active Directory Domain.
    2. In the Active metric categories menu, select Microsoft_ad.
    3. In the Active metrics menu, select LDAPS Certificate TTL.
    4. Click Apply.
  5. Optional: To configure how the data is viewed, add filters and use the Group By, Aggregator, and chart-type menus. For example, you can group by resource or metric labels. For more information, see Select metrics when using Metrics Explorer.
  6. Optional: Change the graph settings:
    • For quota and other metrics that report one sample per day, set the time frame to at least one week and set the plot type to Stacked bar chart.
    • For distribution valued metrics, set the plot type to Heatmap chart.

You can also use the Query Editor to find these metrics.

  1. On the Metric tab, select Query Editor.

  2. In the text field of the Query Editor, enter the following MQL query and select Run Query.

    fetch microsoft_ad_domain
    | metric 'managedidentities.googleapis.com/microsoft_ad/domain/ldaps/cert_ttl'
    | group_by 1m, [value_cert_ttl_mean: mean(value.cert_ttl)]
    | every 1m
    | group_by [resource.fqdn], [value_cert_ttl_mean_aggregate: aggregate(value_cert_ttl_mean)]
    

Disable LDAPS

To disable LDAPS, run the following gcloud CLI command:

gcloud active-directory domains update-ldaps-settings DOMAIN_NAME \
     --clear-ldaps-certificate

Replace DOMAIN_NAME with the full resource name of your Managed Microsoft AD domain. Full resource name format: projects/PROJECT_ID/locations/global/domains/DOMAIN_NAME.