Configuring Microsoft Active Directory for SSL Access
Note: These procedures were designed and tested using Windows 2003 R2 Standard Edition and work with all versions of Windows 2003.
Secure LDAP (LDAPS) communication is similar to SSL (HTTPS) communication in that both encrypt the data exchanged between server and clients. To accomplish this, the server and clients share common information by using a certificate pair: the server holds the certificate together with its private key, and the clients hold the public key certificate. These certificates are a requirement for enabling MS Active Directory (AD) LDAPS communications.
To configure LDAPS for Active Directory you must:
- Ensure that the Active Directory domain is set up and that the ServiceNow server is able to connect to the Active Directory server through the firewall.
- Verify that there is a Certificate Authority (CA) that can issue a certificate for the Domain Controller (DC). If you don't already have a CA infrastructure, there are two options:
  - Set up a stand-alone CA to issue the certificate.
  - Request a third-party certificate.
- If you already have a CA in place, you can generate a certificate from an internal CA.
2.1 Certificates Have Expiration Dates
All certificates have a defined expiration date, which can be viewed in the certificate properties. If the certificate expires, all LDAPS traffic fails and your users will no longer be able to log into ServiceNow. To resolve this, a new certificate must be issued and installed on your instance.
The default expiration for Microsoft CA certificates is one year. External CA certificates are usually purchased in one-year increments. Make a note of when your certificate expires, or use the application's built-in Expiration Notification function (located in System LDAP > Certificates), and be sure to have a new certificate ready before the old one is scheduled to expire. This gives you time to install and test the new certificate before the old one expires.
3.1 Step 1. Setup a Stand-Alone CA
Both of the required services (IIS and CA) can be disabled after issuing the certificate(s), so don't worry about additional resource utilization.
- Install Internet Information Server (IIS).
- Install Certificate Authority Services in stand-alone mode.
- Verify Certificate Services web application is installed and active.
- Using the IIS Manager console, expand the local computer node and select Web Sites. The state of Default Web Site should be Running. You should also see a CertSrv application listed under the Default Web Site. If the site is not running or the application is missing, you must resolve the issue before proceeding.
3.2 Step 2. Generate a Certificate from an Internal CA
These procedures apply to Microsoft CA Services. If you have a different internal CA platform see your local CA administrator for assistance.
Create a certificate request
- From the DC you want to create a certificate for, browse to http://localhost/certsrv or specify the CA server name if on a remote server.
- From the Welcome page, click Request a certificate and select advanced certificate request.
- On the Advanced Certificate Request page, select Create and submit a request to this CA.
- Complete the Advanced Certificate Request using the following parameters:
  - Name is the fully qualified domain name (FQDN) of the DC that is requesting the certificate.
  - E-Mail is the email address of the person responsible for the certificate.
  - Company is your company name.
  - Type of Certificate Needed must be set to Server Authentication Certificate.
  - Key Options settings:
    - Create new key set is selected.
    - CSP is set to Microsoft RSA SChannel Cryptographic Provider.
    - Key Usage value is Exchange.
    - Key Size 1024 is our recommendation. ServiceNow supports up to 2048.
    - Automatic key container name is selected.
    - Store certificate in the local computer certificate store is selected.
Once you submit the request, you are directed to a page that provides your Request ID; make a note of this ID.
Process the Pending Request
- Open the Certificate Authority management console.
- Expand the server node and select Pending Requests.
- Locate the Request ID for the request you just submitted, right-click and select All Tasks/Issue to approve the request and issue the certificate.
Retrieve the Issued Certificate
- Do one of the following:
  - From the DC you made the request from, browse to http://localhost/certsrv.
  - If on a remote server, specify the CA server name.
- Select View the status of a pending certificate request.
- Select the link to the new certificate.
- Select the link to Install this certificate.
3.3 Step 3. Request a Third Party Certificate
Certificates from external CAs can be purchased for as little as $30 per year. For detailed procedures on requesting a certificate from an external CA, see Microsoft article 321051. Once the certificate is received, installed, and tested, follow the export procedure in Step 5.
3.4 Step 4. Test the LDAPS Connectivity Locally
- Ensure that Windows Support Tools are installed on the DC. The Support Tools setup (suptools.msi) can be found in the \Support\Tools directory on your Windows Server CD.
- Select Start > All Programs > Windows Support Tools > Command Prompt. On the command line, type ldp to start the tool.
- From the ldp window, select Connection > Connect and supply the local FQDN and the port number (636). Also select the SSL check box.
If successful, a window is displayed listing information related to the Active Directory SSL connection. If the connection is unsuccessful, try restarting your system, and repeat this procedure.
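As an added example (not from the original page, and not ServiceNow's own tooling), the following PowerShell script performs the Step 4 connectivity test from the command line and also reports what section 2.1 and Step 5 care about: the certificate's expiry date and the chain elements that must be exported when the issuing CA is private. The DC name dc1.example.local is a placeholder; the port default of 636 comes from the page, and the script is run on the DC or any domain-joined host that can reach that port.

```powershell
# Added example, not part of the original ServiceNow page: connect to the DC on
# the LDAPS port, pull the server certificate, and report expiry and chain status.
# $DcFqdn is a placeholder; replace it with the FQDN used in the request's Name field.
param(
    [string]$DcFqdn   = "dc1.example.local",
    [int]   $Port     = 636,
    [int]   $WarnDays = 30
)

$script:chainErrors   = $null
$script:chainSubjects = @()

# Record the chain result instead of aborting, so a failed trust check is
# reported after the handshake rather than thrown during it.
$validate = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors)
    $script:chainErrors   = $errors
    $script:chainSubjects = @($chain.ChainElements | ForEach-Object { $_.Certificate.Subject })
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient($DcFqdn, $Port)
try {
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
    $ssl.AuthenticateAsClient($DcFqdn)   # host name must match the certificate's FQDN

    $cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    "Subject   : $($cert.Subject)"
    "Issuer    : $($cert.Issuer)"
    "Not After : $($cert.NotAfter)  ($daysLeft days left)"
    "Chain     : $script:chainErrors"        # None = trusted by this machine
    "Chain elements (export all of these if the issuing CA is private):"
    $script:chainSubjects | ForEach-Object { "  $_" }

    if ($daysLeft -le $WarnDays) {
        Write-Warning "Certificate expires in $daysLeft days; have the replacement issued and uploaded first."
    }
    if ($script:chainErrors -ne [System.Net.Security.SslPolicyErrors]::None) {
        Write-Warning "Chain did not validate locally ($script:chainErrors); export the issuing CA certificate(s) too."
    }

    # Optional: save the public certificate in DER format, as Step 5 does from the MMC.
    $der = $cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes((Join-Path $PWD "MyCompany.cer"), $der)
    $ssl.Close()
}
finally { $tcp.Close() }
```

A chain status other than None on the DC itself usually means the CA certificate is not in the local Trusted Root store, which is the same trust gap the instance will have unless the CA chain is uploaded alongside the server certificate.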
3.5 Step 5. Export the Public Key Certificate
- From a current or new MMC console, add the Certificate (Local Computer) snap-in.
- Open the Personal/Certificates folder.
- Locate the new certificate. The Issued To column shows the FQDN of the DC.
- Right-click the certificate and select All Tasks/Export.
- Export to DER or Base-64 format. Name the file using the format MyCompany.cer. This is the public key certificate that needs to be used on the ServiceNow instance to communicate securely with your DC.
- LDAPS should be tested locally before submitting the certificate to ServiceNow.
If your Certificate Authority is not a trusted third-party vendor, you must also export the certificate of the issuing CA so that the ServiceNow instance can trust it and, by association, the LDAP server certificate. For MS Certificate Services users: open the certificate in the console used above for the export and select the Certificate Path tab. You must export every certificate in the chain. You can find the CA certificate in the same folder as the LDAP certificate by looking for the name shown in the Certificate Path. Submit all certificates for import into your instance.
3.6 Step 6. Import the Public Key Certificate into the ServiceNow Application
See Uploading an LDAP Certificate to upload the certificate into the application.