Enable LDAPS

This page shows you how to enable LDAP over SSL/TLS (LDAPS) for Managed Service for Microsoft Active Directory (Managed Microsoft AD) to make your LDAP traffic confidential and secure. By default, the communication between Managed Microsoft AD and client applications is not encrypted for simple LDAP binds.

To enable LDAPS, you must have a certificate. This page also describes the specifications for the required certificate and how to verify and monitor it.

Request a certificate

You can request a certificate from a Public Certificate Authority (CA), an Enterprise CA, or Google Cloud Certificate Authority Service, or you can use a self-signed certificate. If you use a self-signed certificate, follow the Microsoft documentation linked to the PowerShell commands in the following sections.

You can create a self-signed certificate with the New-SelfSignedCertificate command on Windows, OpenSSL, or MakeCert.

Certificate requirements

Your certificate must meet the following requirements:

  • The following table outlines the requirements for creating a self-signed certificate and lists the associated parameters used in the New-SelfSignedCertificate command. Note that the parameter or field names can vary based on how you create the certificate.

    Subject (subject name)
      Must be the wildcard-prefixed name of your Managed Microsoft AD domain, so that the service remains available during an upgrade or restore process. This is because domain controllers use random names that change during an upgrade or restore process. For example, if the domain name is ad.mycompany.com, the subject name must be CN=*.ad.mycompany.com.

    DnsName (DNS name or subject alternative name)
      Must include only the following:
        • The wildcard name of your Managed Microsoft AD domain
        • The Managed Microsoft AD domain name
      For example, "*.ad.mycompany.com","ad.mycompany.com".

    KeySpec
      Must be set to 1, which denotes that the key can be used for both digital signature and key exchange.

    KeyLength
      The minimum key size depends on the cryptographic algorithm:
        • RSA: at least 2048 bits
        • ECDSA: at least 256 bits
        • ED25519: 512 bits (fixed length)

    KeyUsage
      Must include "digital signatures" and "key encipherment".

    TextExtension or EnhancedKeyUsageExtension
      Must have OID=1.3.6.1.5.5.7.3.1 for server authentication.

    NotBefore
      The time from which the certificate is valid. The certificate must be valid when enabling LDAPS.

    NotAfter
      The time after which the certificate is no longer valid. The certificate must be valid when enabling LDAPS.

    KeyAlgorithm (signature algorithm)
      Weak signature algorithms such as SHA-1, MD2, and MD5 are not supported.

  • Issuing chain: The entire certificate chain must be uploaded and must be valid. The chain must be linear; multiple chains are not allowed.

  • Certificate format: The format must meet Public-Key Cryptography Standards (PKCS) #12. You must use a PFX file.

    Request from a Public CA or Enterprise CA

    To request a certificate from a Public CA or Enterprise CA, follow these steps.

    Accept the certificate on the same VM where the request is generated.

    Export the certificate in PKCS #12 format

    To export the certificate in PKCS #12 format (as a PFX file), complete the following steps:

    1. In Windows, navigate to your certificates in the Microsoft Management Console (MMC).

    2. Expand Local Computer Certificates, and navigate to Personal > Certificates.

    3. Right-click the certificate you created to enable LDAPS, and select All Tasks > Export.

    4. In the Certificate Export Wizard dialog that appears, click Next.

    5. On the Export Private Key page, select Yes to export the private key.

    6. On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX) and Include all certificates in the certification path if possible checkbox. Click Next.

    7. On the Security page, select the Password checkbox and enter a strong password to protect the certificate. Click Next. This password is required when configuring LDAPS on your Managed Microsoft AD domain.

    8. On the File to Export page, enter the destination name and path for the PFX file to export. Click Next.

    9. Click Finish.

    To export a self-signed certificate with its private key in PKCS #12 format as a PFX file, use the Export-PfxCertificate command; to export the self-signed certificate as a PEM file, use the Export-Certificate command.

    Distribute the issuer chain to client computers

    For LDAPS to function, all client computers must trust the issuer of the LDAPS certificate. For a well-known Public CA, the client computers might already trust the issuer chain. If the chain is not trusted, complete the following steps to export the issuer chain:

    1. In Windows, navigate to your certificates in the Microsoft Management Console (MMC).

    2. Expand Local Computer Certificates and navigate to Personal > Certificates. Double-click the LDAPS certificate.

    3. In the Certificate window, click Certification Path tab.

    4. On the Certification Path tab, select the root certificate in the path.

    5. Click View Certificate.

    6. Click the Details tab, and then click Copy to File...

    7. In the Certificate Export Wizard dialog that appears, select Base-64 encoded X.509 and click Next.

    8. Select the filename and location for the certificate chain, and click Finish.

    9. To copy the certificate to the client computer that establishes the LDAPS connection, use the Certificate Import Wizard dialog to import the certificate into the "Local Machine" store. Alternatively, you can distribute the certificate chain of issuing authorities to the client computers using Group Policy in Windows.

    To import a self-signed certificate into the trusted root store of the local machine, use the Import-Certificate command.
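    The following PowerShell is an added example, not from the Google Cloud page: it creates a self-signed certificate that satisfies every row of the requirements table, exports it with Export-PfxCertificate as the PFX that Managed Microsoft AD takes and with Export-Certificate as a public certificate file, and shows the Import-Certificate step a client computer runs to trust it. It assumes the domain ad.mycompany.com, the output folder C:\ldaps, and an elevated session.

```powershell
# Added example (not the page's own code). Assumed: domain ad.mycompany.com,
# output folder C:\ldaps, elevated PowerShell on a Windows VM.
$domain = 'ad.mycompany.com'
$outDir = 'C:\ldaps'
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

$params = @{
    Subject           = "CN=*.$domain"            # wildcard subject survives DC renames
    DnsName           = @("*.$domain", $domain)   # SAN: wildcard name and the domain name
    KeySpec           = 'KeyExchange'             # KeySpec 1: signature and key exchange
    KeyAlgorithm      = 'RSA'
    KeyLength         = 2048                      # RSA minimum from the table
    HashAlgorithm     = 'SHA256'                  # SHA-1/MD2/MD5 signatures are rejected
    KeyUsage          = @('DigitalSignature', 'KeyEncipherment')
    TextExtension     = @('2.5.29.37={text}1.3.6.1.5.5.7.3.1')  # EKU: server authentication
    NotBefore         = (Get-Date).AddMinutes(-5) # valid now, tolerates small clock skew
    NotAfter          = (Get-Date).AddYears(1)
    KeyExportPolicy   = 'Exportable'              # the private key must go into the PFX
    CertStoreLocation = 'Cert:\LocalMachine\My'
}
$cert = New-SelfSignedCertificate @params

# PFX with the private key and the full chain (a single certificate here).
# This password is the one entered in Configure LDAPS / --certificate-password.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath "$outDir\ldaps.pfx" `
    -Password $pfxPassword -ChainOption BuildChain | Out-Null

# Public certificate only (DER-encoded .cer) for distribution to clients.
Export-Certificate -Cert $cert -FilePath "$outDir\ldaps.cer" | Out-Null

# On each client computer that binds over LDAPS: trust the issuer. For a
# self-signed certificate the issuer is the certificate itself.
Import-Certificate -FilePath "$outDir\ldaps.cer" `
    -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
```

    Export-Certificate writes DER by default; if a PEM file is needed for non-Windows clients, convert the .cer with certutil -encode.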

    Enable LDAPS on a Managed Microsoft AD domain

    Before you enable LDAPS on your Managed Microsoft AD domain, do the following:

    1. Ensure that you have one of the following IAM roles:

      • Google Cloud Managed Identities Admin (roles/managedidentities.admin)
      • Google Cloud Managed Identities Domain Admin (roles/managedidentities.domainAdmin)

      For more information about Managed Microsoft AD IAM roles, see Access control.

    To enable LDAPS on your Managed Microsoft AD domain, complete the following steps:

    Console

    1. In the Google Cloud console, go to the Managed Microsoft AD page.
    2. On the Domains page, select a domain from the list of instances to enable LDAPS.
    3. In the LDAPS section of the Domain details page, click Configure LDAPS.
    4. In the Configure LDAPS pane, enter the location of the PFX file and the password that you used to export the certificate in PKCS #12 format, and then click Configure LDAPS.

    gcloud

    Run the following gcloud CLI command:

    gcloud active-directory domains update-ldaps-settings DOMAIN_NAME \
        --certificate-pfx-file=PFX_FILENAME \
        --certificate-password=PASSWORD
    

    Replace the following:

    • DOMAIN_NAME: The full resource name of your Managed Microsoft AD domain. Full resource name format: projects/PROJECT_ID/locations/global/domains/DOMAIN_NAME.
    • PFX_FILENAME: The PKCS #12-formatted PFX file that specifies the certificate chain used to configure LDAPS.
    • PASSWORD: The password used to encrypt the PKCS #12 certificate. If you don't specify the password, the command prompts for it while running.

    This operation can take up to 20 minutes to complete. To update the certificate, repeat these steps with the updated PFX file.

    Verify LDAPS

    You can verify that LDAPS is enabled by performing an LDAPS bind. This process uses LDP.exe, which is one of the RSAT tools that you install when you join a VM to the domain.

    On a domain-joined Google Cloud Windows VM, complete the following steps in PowerShell:

    1. In PowerShell, start LDP.exe and navigate to Connection > Connect.

    2. In the Connect dialog, complete the following steps:

      1. In the Server field, enter your domain name.
      2. In the Port field, enter 636.
      3. Select the SSL checkbox.
      4. Click OK.

      If LDAPS is properly enabled, the connection succeeds.
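    As an added check that is not part of the Google Cloud page, the following PowerShell function performs the same TLS handshake to port 636 that LDP.exe performs, using the .NET SslStream with its default chain and name validation, and then reports whether the certificate the domain serves meets the requirements listed earlier on this page (wildcard subject, both SAN entries, server-authentication EKU, signature algorithm, RSA key size, days to expiry). It assumes the domain name ad.mycompany.com and a domain-joined Windows VM that trusts the issuer.

```powershell
# Added example (not the page's own code). Assumed: domain ad.mycompany.com,
# run from a Windows VM whose Local Machine store trusts the LDAPS issuer.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)] [string] $Domain,   # e.g. ad.mycompany.com
        [int] $Port = 636
    )
    $tcp = [System.Net.Sockets.TcpClient]::new($Domain, $Port)
    try {
        # SslStream's default validation requires a chain trusted by this
        # machine and a name match, which is what an LDAPS client enforces.
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false)
        $ssl.AuthenticateAsClient($Domain)    # throws on TLS or chain failure
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

        # Subject alternative names (OID 2.5.29.17), reduced to bare DNS names
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san = @()
        if ($sanExt) { $san = $sanExt.Format($false) -split ', ' | ForEach-Object { ($_ -split '=')[1] } }
        # Enhanced key usages (OID 2.5.29.37); 1.3.6.1.5.5.7.3.1 is server authentication
        $ekuExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $eku = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
        $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPublicKey($cert)

        [pscustomobject]@{
            Protocol        = $ssl.SslProtocol
            Subject         = $cert.Subject
            SubjectOk       = $cert.Subject -eq "CN=*.$Domain"
            SanOk           = ($san -contains "*.$Domain") -and ($san -contains $Domain)
            ServerAuthEku   = $eku -contains '1.3.6.1.5.5.7.3.1'
            SignatureAlg    = $cert.SignatureAlgorithm.FriendlyName
            WeakSignature   = $cert.SignatureAlgorithm.FriendlyName -match 'sha1|md5|md2'
            RsaKeyBits      = $(if ($rsa) { $rsa.KeySize } else { $null })   # null for ECDSA/Ed25519
            DaysUntilExpiry = [int]($cert.NotAfter - (Get-Date)).TotalDays
            Issuer          = $cert.Issuer
        }
    }
    finally {
        $tcp.Dispose()
    }
}

Test-LdapsCertificate -Domain 'ad.mycompany.com'
```

    A handshake exception before any object is returned means the client does not trust the issuer chain or the name does not match; the DaysUntilExpiry field is the same quantity the cert_ttl metric described in the next section reports.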

    Monitor a certificate

    You can view the Time to Live (TTL) for a certificate chain in Cloud Monitoring. The cert_ttl metric shows the number of valid days remaining for the certificate in the chain with the earliest expiration.

    Console

    To view the metrics for a monitored resource by using the Metrics Explorer, do the following:

    1. In the navigation panel of the Google Cloud console, select Monitoring, and then select Metrics explorer.

    2. In the Metric element, expand the Select a metric menu, enter LDAPS Certificate TTL in the filter bar, and then use the submenus to select a specific resource type and metric:
      1. In the Active resources menu, select Microsoft Active Directory Domain.
      2. In the Active metric categories menu, select Microsoft_ad.
      3. In the Active metrics menu, select LDAPS Certificate TTL.
      4. Click Apply.
    3. To remove time series from the display, use the Filter element.

    4. To combine time series, use the menus on the Aggregation element. For example, to display the CPU utilization for your VMs, based on their zone, set the first menu to Mean and the second menu to zone.

      All time series are displayed when the first menu of the Aggregation element is set to Unaggregated. The default settings for the Aggregation element are determined by the metric type you selected.

    5. For quota and other metrics that report one sample per day, do the following:
      1. In the Display pane, set the Widget type to Stacked bar chart.
      2. Set the time period to at least one week.

    You can also click Monitoring in the LDAPS section of the Domain details page to navigate to Metrics Explorer.

    You can also use the Query Editor to find these metrics.

    1. On the Metric tab, select Query Editor.

    2. In the text field of the Query Editor, enter the following MQL query and select Run Query.

    fetch microsoft_ad_domain
    | metric 'managedidentities.googleapis.com/microsoft_ad/domain/ldaps/cert_ttl'
    | group_by 1m, [value_cert_ttl_mean: mean(value.cert_ttl)]
    | every 1m
    | group_by [resource.fqdn], [value_cert_ttl_mean_aggregate: aggregate(value_cert_ttl_mean)]
    

    Disable LDAPS

    To disable LDAPS, complete the following steps:

    Console

    1. In the Google Cloud console, go to the Managed Microsoft AD page.
    2. On the Domains page, select the domain from the list of instances for which you want to disable the certificate.
    3. In the LDAPS section of the Domain details page, click Disable.

    gcloud

    Run the following gcloud CLI command:

    gcloud active-directory domains update-ldaps-settings DOMAIN_NAME \
        --clear-ldaps-certificate
    

    Replace DOMAIN_NAME with the full resource name of your Managed Microsoft AD domain. Full resource name format: projects/PROJECT_ID/locations/global/domains/DOMAIN_NAME.

    This operation can take up to 20 minutes to complete. To re-enable LDAPS, you must re-upload the certificates.

    What's next