Configuring Secure Connections Between the Server and the Active Directory

LDAP (Lightweight Directory Access Protocol) is used to read from and write to the Active Directory. By default, LDAP traffic is transmitted unsecured. You can make LDAP traffic confidential and secure by using SSL/TLS. You can enable LDAP over SSL (LDAPS) by installing a properly formatted certificate from the Microsoft CA (the Certificate Authority that issues and manages security credentials and public keys for message encryption in a network environment).

To enable a new user in Active Directory, you must be using an SSL connection (you can only set a password in Active Directory if you are connected using SSL).

If you are not connected using SSL, you can still add a new user to Active Directory. However, that user is not enabled until an administrator connects using SSL and sets the user's password. For Active Directory, issue an LDAPS certificate with the following properties.

  • An Enhanced Key Usage extension that includes the Server Authentication OID:

    1.3.6.1.5.5.7.3.1
  • A Fully Qualified Domain Name (FQDN) for the domain controller, as in the following:

    cn = directory

In addition, you can configure the LDAPS protocol between ActivID CMS and Active Directory. For more information, see Configuring Connections to the LDAP Directory Using LDAPS Protocol.

Important: If you are using a Microsoft CA based on Windows Server 2012, then make sure that the Windows Domain Controllers have a certificate issued with the Domain Controller Authentication template or the Domain Controller template. If you only issue a certificate from the Directory E-mail Replication template, that template does not permit the Server Authentication key usage, and thus does not support LDAPS.
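The following PowerShell script is an added example and is not part of the ActivID CMS documentation. Run on a domain controller, it lists every certificate in the LocalMachine\My store and reports whether each one meets the LDAPS requirements described above: a Server Authentication EKU (1.3.6.1.5.5.7.3.1), a subject CN or SAN DNS name equal to the domain controller's FQDN (which the strict hostname check in CMS 5.2 and later requires), a private key, and a validity period that has not expired. The function name Test-LdapsCertificate is the example's own; the template OIDs 1.3.6.1.4.1.311.20.2 and 1.3.6.1.4.1.311.21.7 are Microsoft's certificate template extensions and are only used to show which template issued the certificate.

```powershell
# Added example (not from the ActivID CMS documentation). Requires Windows PowerShell 3.0+.
function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)]
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)]
        [string]$Fqdn
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'

    # Enhanced Key Usage (OID 2.5.29.37) must list Server Authentication.
    $ekuExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $hasServerAuth = $false
    if ($ekuExt) {
        $hasServerAuth = [bool]($ekuExt.EnhancedKeyUsages | Where-Object { $_.Value -eq $serverAuthOid })
    }

    # Names the certificate is valid for: subject CN plus SAN DNS entries (OID 2.5.29.17).
    # One of them must equal the FQDN that CMS uses to reach the domain controller.
    $names = @()
    if ($Cert.Subject -match '(?i)CN=([^,]+)') { $names += $Matches[1].Trim() }
    $sanExt = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $names += ($sanExt.Format($true) -split "`r?`n" |
            Where-Object { $_ -match '^DNS Name=' } |
            ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() })
    }
    $nameMatches = $names -contains $Fqdn   # -contains compares case-insensitively

    # Issuing template, when recorded: 1.3.6.1.4.1.311.20.2 (v1 template name)
    # or 1.3.6.1.4.1.311.21.7 (v2 template information).
    $tmplExt = $Cert.Extensions |
        Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' } |
        Select-Object -First 1
    $template = if ($tmplExt) { $tmplExt.Format($false).Trim() } else { '' }

    [pscustomobject]@{
        Subject         = $Cert.Subject
        Thumbprint      = $Cert.Thumbprint
        NotAfter        = $Cert.NotAfter
        HasPrivateKey   = $Cert.HasPrivateKey
        ServerAuthEku   = $hasServerAuth
        NameMatchesFqdn = $nameMatches
        Template        = $template
        UsableForLdaps  = ($hasServerAuth -and $nameMatches -and $Cert.HasPrivateKey -and
                           ($Cert.NotAfter -gt (Get-Date)))
    }
}

# Usage on the domain controller: resolve its own FQDN and evaluate every local certificate.
$fqdn = ([System.Net.Dns]::GetHostEntry($env:COMPUTERNAME)).HostName
Get-ChildItem Cert:\LocalMachine\My |
    ForEach-Object { Test-LdapsCertificate -Cert $_ -Fqdn $fqdn } |
    Format-Table Subject, ServerAuthEku, NameMatchesFqdn, HasPrivateKey, NotAfter, Template, UsableForLdaps -AutoSize
```

A certificate issued from the Directory E-mail Replication template shows ServerAuthEku as False in this report, which is the condition the note above warns about; a certificate whose Template column reads Domain Controller or Domain Controller Authentication and whose UsableForLdaps column is True is the one the LDAPS listener on port 636 can use.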

To configure secure connections, perform the following steps.

  1. Log on to the Operator Portal, select the Configuration tab, and then click Repositories. The Repositories Management page appears.

  2. In the Directories section of the page, in the Type column, locate the relevant Microsoft Active Directory instance, and in the Action column, click Update. The Directory Update page is displayed.

  3. Port—Enter 636 for LDAPS connections.

  4. User Password—Enter the appropriate password for the account being referenced.

  5. Secure Connection—Select Yes. The CA Root Certificate box is displayed.

    Note: Starting with ActivID CMS 5.2, the Strict mode option (found in previous versions) is no longer available since this mode is now enabled by default. As a result, it is not possible to establish a connection if the certificate subject name or alternative subject name does not match the server hostname.
  6. Obtain the CA Root Certificate:

    1. Connect to Microsoft Certificate Services. (Log on with the ActivID CMS User account or the same account as configured for Active Directory in ActivID CMS.) For example: http://<ca.company.com>/certsrv.
    2. Click Download a CA Certificate, Certificate Chain, or CRL.
    3. CA certificate list—Select the relevant CA.

    4. Encoding method—Select Base 64.

    5. Click Download CA certificate. The File Download dialog is displayed.

    6. Click Save.

    7. In the File name box, enter Root.txt and save.

    8. Open the Root.txt file and copy its content.

  7. Paste the content into the CA Root Certificate box in the Directory Update page of the Operator Portal. For example:

  8. Click Test. The connection test results will be displayed in the Test Report box.

  9. Click Update (not illustrated).

  10. In the Operator Portal, select the Configuration tab, and then click Customization.

  11. On the Customization page, from the Select a Topic drop-down list, select User Attributes.

    Make sure that ActivID CMS is configured to require the following LDAP attributes to create the user when it is used with Active Directory:

    • sAMAccountName (User ID)

    • cn (Common Name)

    • sn (Last Name)

    • givenName (First Name)

    • mail (Email)

    By default, a user created in ActivID CMS is disabled in Active Directory. To enable the ActivID CMS user in Active Directory, you must set a user password using the Operator Portal.

    To set the user password:

    1. Display Name—Enter Password.

    2. LDAP Attribute—Type unicodePwd.

    3. Type—Select Password.

    4. Mandatory—Select Yes.

    5. Click Add. The Unicode password is added to the Attributes for User Management list.

  12. Note: You can now set the password attribute when you create a user on the Issuance to New User page of the Operator Portal. The user created with ActivID CMS is an enabled user with a defined password. You can also set up the list of default attributes and define them in the AIMSEE.USERDEFATTRS_UDA table. By default, userAccountControl is the only attribute set with the appropriate value (mask) to enable a user, as defined in the Microsoft documentation.
  13. Click Set.
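The following PowerShell script is an added example and is not part of the ActivID CMS documentation or of the product's own code. It shows what the attribute configuration above amounts to on the wire: a bind to the domain controller over LDAPS on port 636, then a single LDAP Add carrying the required attributes (sAMAccountName, cn, sn, givenName, mail), the unicodePwd value, and userAccountControl set to 512 so the user is created enabled. The server name, bind account, base DN and user values are placeholders; the function names ConvertTo-UnicodePwd, Connect-Ldaps and New-EnabledAdUser are the example's own.

```powershell
# Added example (not from the ActivID CMS documentation). Requires Windows PowerShell 5.0+.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function ConvertTo-UnicodePwd {
    param([Parameter(Mandatory)][string]$Password)
    # Active Directory expects unicodePwd as the password enclosed in double quotes and
    # encoded as UTF-16LE, and only accepts it over an encrypted (LDAPS) connection.
    [System.Text.Encoding]::Unicode.GetBytes('"' + $Password + '"')
}

function Connect-Ldaps {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][System.Net.NetworkCredential]$Credential
    )
    $id   = [System.DirectoryServices.Protocols.LdapDirectoryIdentifier]::new($Server, 636)
    $conn = [System.DirectoryServices.Protocols.LdapConnection]::new($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $Credential
    # Bind() throws on a TLS failure (untrusted CA, hostname mismatch) or bad
    # credentials, which is the same check the Operator Portal's Test button performs.
    $conn.Bind()
    $conn
}

function New-EnabledAdUser {
    param(
        [Parameter(Mandatory)][System.DirectoryServices.Protocols.LdapConnection]$Connection,
        [Parameter(Mandatory)][string]$ParentDn,
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Cn,
        [Parameter(Mandatory)][string]$GivenName,
        [Parameter(Mandatory)][string]$Sn,
        [Parameter(Mandatory)][string]$Mail,
        [Parameter(Mandatory)][string]$Password
    )
    $req = [System.DirectoryServices.Protocols.AddRequest]::new()
    $req.DistinguishedName = "CN=$Cn,$ParentDn"

    # The attributes CMS is configured to require, plus userAccountControl. 512 is
    # NORMAL_ACCOUNT with the ACCOUNTDISABLE bit (0x2) clear; without it the new
    # object is created disabled, as the documentation describes.
    $attrs = [ordered]@{
        sAMAccountName     = $SamAccountName
        cn                 = $Cn
        givenName          = $GivenName
        sn                 = $Sn
        mail               = $Mail
        userAccountControl = '512'
    }
    [void]$req.Attributes.Add([System.DirectoryServices.Protocols.DirectoryAttribute]::new(
        'objectClass', [object[]]@('top', 'person', 'organizationalPerson', 'user')))
    foreach ($name in $attrs.Keys) {
        [void]$req.Attributes.Add([System.DirectoryServices.Protocols.DirectoryAttribute]::new($name, [string]$attrs[$name]))
    }
    # unicodePwd is a byte[] value. The Add succeeds only if the password satisfies the
    # domain password policy; otherwise the whole request is rejected and no user is created.
    [void]$req.Attributes.Add([System.DirectoryServices.Protocols.DirectoryAttribute]::new(
        'unicodePwd', [byte[]](ConvertTo-UnicodePwd -Password $Password)))

    $resp = $Connection.SendRequest($req)
    $resp.ResultCode   # ResultCode.Success when the user was created and enabled
}

# Usage with placeholder values (replace with your own):
$cred = [System.Net.NetworkCredential]::new('svc-cms@example.com', 'bind-account-password')
$conn = Connect-Ldaps -Server 'dc1.example.com' -Credential $cred
New-EnabledAdUser -Connection $conn -ParentDn 'OU=CMS Users,DC=example,DC=com' `
    -SamAccountName 'jdoe' -Cn 'Jane Doe' -GivenName 'Jane' -Sn 'Doe' -Mail 'jdoe@example.com' `
    -Password 'initial-password-meeting-policy'
$conn.Dispose()
```

Running the same Add over plain LDAP on port 389 fails at the unicodePwd attribute, which is why the documentation requires an SSL connection before a password can be set and why a user created without one stays disabled until an administrator sets the password over LDAPS.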