Enabling LDAPS on Windows AD 2012


  • Hi All,

    We plan to enable LDAPS in Active Directory for communication between security devices and Active Directory for LDAP queries.

    We have an internal Windows CA server.

    AD version: Windows 2012

    CA version: Windows 2012

    Our queries:

    1. Does enabling LDAPS on AD have any impact on client authentication (Windows 10 AD-joined system authentication)?
    2. Is there any document for enabling LDAPS on AD using a Windows CA?

    Thanks, Mariappan Shanmugavel

    Wednesday, December 28, 2016 11:18 AM

All replies

  • Hello,

    1. Depends on your scenario and chosen setup. In general - no. Authentication uses Kerberos and not LDAP(S). Domain join also rarely gets affected, as enabling LDAPS does not automatically mean that you disable LDAP. These are separate actions.

    2. Very good article describing LDAPS setup:


    • Edited by Avendil Wednesday, December 28, 2016 1:02 PM
    • Proposed as answer by Todd Heron Wednesday, December 28, 2016 1:03 PM
    Wednesday, December 28, 2016 1:02 PM
  • To enable LDAPS, you can use the Domain Controllers template from your CA and enable auto-enrollment on your DCs. That will make them request certificates and, once they have them, LDAPS will be enabled. When you enable LDAPS, LDAP queries won't fail, as you can consider it an addition and not a replacement, and thus there would be no impact on your environment. However, for your systems that will use LDAPS, it is important that you trust the root or subordinate CA certificate instead of the DCs' certificates so that you don't get impacted once the certificates are renewed. You can refer to this document for more information:

    This posting is provided AS IS with no warranties or guarantees, and confers no rights.

    Ahmed MALEK


    Wednesday, December 28, 2016 8:38 PM
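A way to confirm the outcome the replies describe (DC answering on 636, certificate issued to the DC's name and chaining to a CA the client trusts) is to perform the TLS handshake and validate the presented certificate the way an LDAPS client would. This is an added example, not code from the thread; the DC name is a placeholder and the script assumes a domain-joined Windows host whose trust store holds the internal CA.

```powershell
# Verify LDAPS on a domain controller: TLS handshake on 636, then validate the
# presented certificate against this machine's trust store. Added example, not
# from the thread. $DcFqdn is a placeholder.
param(
    [string]$DcFqdn = 'dc01.corp.example',   # placeholder DC name
    [int]$Port      = 636
)

$tcp = New-Object System.Net.Sockets.TcpClient
$tcp.Connect($DcFqdn, $Port)             # throws here if nothing listens on 636

# Accept any certificate during the handshake so it can be inspected below;
# the real validation is done explicitly with X509Chain.
$acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
$tls = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
try {
    $tls.AuthenticateAsClient($DcFqdn)
    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$tls.RemoteCertificate

    # Build the chain against the local trust store. This answers the question
    # the reply raises: is the issuing root/subordinate CA trusted here? Trusting
    # that CA (not the DC leaf) is what survives certificate renewal.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chainOk   = $chain.Build($cert)
    $anchor    = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

    [pscustomobject]@{
        Server          = $DcFqdn
        Protocol        = $tls.SslProtocol
        Subject         = $cert.Subject
        Issuer          = $cert.Issuer
        NotAfter        = $cert.NotAfter
        # Name in the SAN must match the name clients use, or LDAPS clients fail
        NameMatches     = ($cert.DnsNameList.Unicode -contains $DcFqdn)
        # Server Authentication EKU (1.3.6.1.5.5.7.3.1) is required for LDAPS
        ServerAuthEku   = ($cert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
        ChainTrusted    = $chainOk
        ChainStatus     = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        TrustAnchor     = $anchor.Subject
        TrustAnchorSha1 = $anchor.Thumbprint   # the CA to distribute to LDAPS clients
    }
}
finally {
    $tls.Dispose(); $tcp.Dispose()
}
```

Run it once per DC after auto-enrollment has issued the Domain Controller certificate; `ChainTrusted` false with `UntrustedRoot` in `ChainStatus` means the client lacks the CA certificate, not that LDAPS is broken on the DC.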