Authentik Security, Part Ten


Configure Authentik

Enable LDAPS

Part 2. Configure Secure LDAPs on Domain Controller

I made some progress over the past few days, so hopefully I can now push on and finish up part two.

Steps performed on desktop via Server Manager

  • Right click on DC-04 and select Certificate Templates
  • Click on Manage
  • Right click on Kerberos Authentication
  • Select Duplicate Template
  • On the General tab
    • Template Display Name: LDAPS
    • Validity Period: 1 Year
    • Renewal Period: 6 weeks
    • Publish Certificate in Active Directory: Yes
  • I move to the Request Handling tab
    • Allow private key to be exported
  • I move to the Subject Name tab
    • Check User principal name (UPN)
    • Check Service principal name (SPN)
  • I click on OK
  • The new certificate template is now listed as LDAPS
  • I close the Certificate Template Console
  • In Certification Authority I right click Certificate Templates
  • I select New
  • Certificate Template to Issue
  • I select LDAPS

Steps performed on desktop via mmc.exe

  • I click on File and select Add or Remove Snap-In
  • I select Certificates and click Add
  • I select Computer account and click Next
  • I select Another computer and browse to DC-04
  • I click OK

It throws out errors about permissions. Man, I am having a hell of a time doing this remotely on a core server. Maybe I can have more success if I try from DC-02.

Steps performed on DC-02 via mmc.exe

  • I click on File and select Add or Remove Snap-In
  • I select Certificates and click Add
  • I select Computer account and click Next
  • I select Another computer and browse to DC-04
  • I click OK

Well that's awesome, I can connect to DC-04 from DC-02 without any issue, so it must have been some permission issue connecting from my normal account on my desktop.

  • I select the first console, Local Computer
  • I choose Personal
  • I right click on Certificates and click on All Tasks
  • I click on Request New Certificate
  • This brings up the Certificate Enrollment Wizard
    • I click on Next
    • I click on Next
    • I select LDAPs
    • I click on Enroll
    • Status: Succeeded
    • I click Finish

Steps performed on DC-02 via PowerShell

  • New-Item -Path C:\ -Name Certs -ItemType Directory
  • Get-ChildItem Cert:\LocalMachine\My\ | Select-Object ThumbPrint, Subject, NotAfter, EnhancedKeyUsageList
  • $password = ConvertTo-SecureString -String "XXXXXXXX" -Force -AsPlainText
  • Get-ChildItem -Path Cert:\LocalMachine\My\XXXXXXXXX | Export-PfxCertificate -FilePath C:\Certs\LDAPS.pfx -Password $password
  • Move-Item "HKLM:\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\XXXXXXXX" "HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\MY\Certificates\"
    • The registry key at the specified path does not exist

Oh I see the trouble, I had a damn typo!

  • Move-Item "HKLM:\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\XXXXXXXX" "HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\MY\Certificates\"

This was the last step in part 2. I should now be able to connect to LDAPs with SSL. When I test this from DC-02 I am able to successfully connect to DC-04. I can also connect to DC-02, DC-03, and DC-04 from my desktop! Awesome! That's a great note to stop today on.
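The PowerShell steps above select the certificate by a pasted thumbprint and then move its registry key by hand, which is where the typo crept in. The script below is an added example, not code from the original post: it picks the newest valid machine certificate issued from the LDAPS template by reading the template extension, exports it to a PFX, copies (rather than moves) it into the NTDS certificate store so it also stays in the machine store, and then opens a real TLS session to port 636 to confirm which certificate the domain controller actually presents. The DC name dc-04.example.test is a placeholder, and the `Template=LDAPS` match on the formatted extension text is an assumption that the template display name is exactly what was entered in the wizard.

```powershell
# Added example (not from the original post). Run elevated on the DC that was enrolled.
# Assumptions: template display name "LDAPS", placeholder FQDN dc-04.example.test.
$DcFqdn   = "dc-04.example.test"     # placeholder: replace with the DC's real FQDN
$PfxPath  = "C:\Certs\LDAPS.pfx"
$Password = Read-Host -AsSecureString -Prompt "PFX export password"

# 1. Select the newest unexpired cert with a private key, the Server Authentication
#    EKU (1.3.6.1.5.5.7.3.1) and the LDAPS template name in its template extension.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object {
        $_.NotAfter -gt (Get-Date) -and
        $_.HasPrivateKey -and
        ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
        (($_.Extensions |
            Where-Object { $_.Oid.FriendlyName -eq 'Certificate Template Information' } |
            ForEach-Object { $_.Format($false) }) -match 'Template=LDAPS')   # assumption: display name is LDAPS
    } |
    Sort-Object NotAfter -Descending |
    Select-Object -First 1

if (-not $cert) { throw "No usable certificate from the LDAPS template found in Cert:\LocalMachine\My" }
"Using certificate {0}, expires {1}" -f $cert.Thumbprint, $cert.NotAfter

# 2. Export the certificate and private key to a PFX (same as the post, correct cmdlet name).
New-Item -ItemType Directory -Path (Split-Path $PfxPath) -Force | Out-Null
Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null

# 3. Publish it to the NTDS store. The thumbprint is read from the object, so no
#    hand-typed key name. Copy-Item keeps the machine-store copy; the post used Move-Item.
$src = "HKLM:\SOFTWARE\Microsoft\SystemCertificates\My\Certificates\$($cert.Thumbprint)"
$dst = "HKLM:\SOFTWARE\Microsoft\Cryptography\Services\NTDS\SystemCertificates\MY\Certificates"
if (-not (Test-Path $src)) { throw "Registry key for thumbprint $($cert.Thumbprint) not found at $src" }
if (-not (Test-Path $dst)) { New-Item -Path $dst | Out-Null }
Copy-Item -Path $src -Destination $dst -Recurse -Force

# 4. Verify: open a TLS session on 636 and report the certificate the DC really serves.
#    AuthenticateAsClient validates the chain and hostname, so a wrong SAN or an
#    untrusted issuer fails here instead of silently "working" in a GUI LDAP client.
$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
try {
    $ssl.AuthenticateAsClient($DcFqdn)
    $served = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    [pscustomobject]@{
        Protocol        = $ssl.SslProtocol
        Subject         = $served.Subject
        Thumbprint      = $served.Thumbprint
        NotAfter        = $served.NotAfter
        MatchesEnrolled = ($served.Thumbprint -eq $cert.Thumbprint)
    }
}
finally {
    $ssl.Dispose()
    $tcp.Dispose()
}
```

If MatchesEnrolled comes back false, the DC is still serving an older certificate: LDAP over TLS does not always pick up a newly added NTDS certificate immediately, and the new one is used after the DC is restarted or after the rootDSE renewServerCertificate operation is issued. Running the verification block from a client against DC-02, DC-03 and DC-04 in turn gives the same "can I connect" result as the end of the post, but with the protocol version and expiry visible, which is what you want to record before pointing Authentik at it.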