Lightweight Directory Access Protocol over SSL (LDAPS) is used in Forefront Threat Management Gateway (TMG) when the decision has been made not to join TMG to the Active Directory domain. LDAP is the protocol used to read from and write to Active Directory and, on its default port (TCP 389), it sends queries and simple-bind credentials in the clear. LDAPS wraps the same protocol in SSL/TLS on TCP 636 and is secure, but it requires some extra steps to get it working correctly.
Server Authentication Certificates
The first requirement to get LDAPS set up and working correctly between TMG and your domain is to issue Server Authentication certificates to the DCs. If you have PKI in your environment then it is entirely possible the Domain Controllers already have these. Each certificate must carry the Server Authentication enhanced key usage, must be issued to the fully qualified domain name (FQDN) of the DC (in the subject or subject alternative name), and must still be within its validity period. It must be installed, together with its private key, in the Local Computer’s Personal certificate store (See Figure 1), and one must exist on every DC that you want TMG to use for authentication.
TMG Must Trust Issuer of the Server Authentication Certificate
The second requirement is that TMG must trust the issuing Certification Authority (CA) of the certificates that were issued in step 1 above. Export the CA’s certificate (the CA certificate only, never the DC’s own certificate or any private key) from the certificate store on your Domain Controller and then import it into TMG’s certificate store. It must go into the Local Computer’s store on TMG, under the proper branch, which is Trusted Root Certification Authorities (See Figure 2). If the DC certificates were issued by a subordinate CA, import the root CA certificate into Trusted Root Certification Authorities and each subordinate CA certificate into Intermediate Certification Authorities, so that TMG can build the full chain.
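The two certificate requirements above can be checked from the console rather than by clicking through the certificate MMC. The script below is an added example, not from the original article: run Get-DcServerAuthCertificate on each DC (it also exports the issuing root CA’s public certificate to a .cer file), copy that file to TMG, then run Install-TrustedRootFromFile there. It assumes PowerShell 2.0 or later in an elevated session and that the DC’s computer name resolves to its FQDN; the export path and the DC name are placeholders.

```powershell
# Added example, not part of the original article. Assumptions: PowerShell 2.0+,
# elevated session, DC computer name resolves to its FQDN. Paths are placeholders.

$ServerAuthEku = '1.3.6.1.5.5.7.3.1'   # id-kp-serverAuth, the "Server Authentication" EKU

function Get-DcServerAuthCertificate {
    param(
        [string]$Fqdn = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        [string]$ExportRootTo = 'C:\Temp\issuing-root-ca.cer'   # placeholder path
    )
    # The article requires the Local Computer's Personal store, nothing else.
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('My', 'LocalMachine')
    $store.Open('ReadOnly')
    $candidates = @()
    foreach ($cert in $store.Certificates) {
        # Does the certificate carry the Server Authentication EKU?
        $ekuExt = $cert.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        $hasServerAuth = $false
        if ($ekuExt) {
            foreach ($oid in $ekuExt.EnhancedKeyUsages) { if ($oid.Value -eq $ServerAuthEku) { $hasServerAuth = $true } }
        }
        # Name on the certificate (first SAN DNS name, else subject CN) must be the DC's FQDN.
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($hasServerAuth -and $cert.HasPrivateKey -and ($dnsName -ieq $Fqdn) -and ($cert.NotAfter -gt (Get-Date))) {
            $candidates += $cert
        }
    }
    $store.Close()

    if ($candidates.Count -eq 0) {
        Write-Warning "No valid Server Authentication certificate for $Fqdn with a private key in LocalMachine\My"
        return $null
    }
    $cert = $candidates | Sort-Object NotAfter -Descending | Select-Object -First 1

    # Walk the chain to its root so we know exactly which CA TMG has to trust.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    [void]$chain.Build($cert)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    # X509ContentType.Cert exports the public certificate only, never a private key.
    [System.IO.File]::WriteAllBytes($ExportRootTo,
        $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
    Write-Host "DC cert : $($cert.Subject) (thumbprint $($cert.Thumbprint), expires $($cert.NotAfter))"
    Write-Host "Issuer  : $($cert.Issuer)"
    Write-Host "Root CA : $($root.Subject) exported to $ExportRootTo"
    if ($chain.ChainElements.Count -gt 2) {
        Write-Warning "Chain contains intermediate CAs; import those into TMG's Intermediate Certification Authorities store too."
    }
    return $cert
}

function Install-TrustedRootFromFile {
    param([Parameter(Mandatory = $true)][string]$Path)
    $ca = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($Path)
    # Only a self-signed CA certificate belongs in Trusted Root Certification Authorities.
    if ($ca.Subject -ne $ca.Issuer) { throw "$Path is not a root CA certificate (subject != issuer); it belongs in the Intermediate store." }
    if ($ca.HasPrivateKey)          { throw "$Path carries a private key; export the CA certificate without it." }
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
    $store.Open('ReadWrite')
    $store.Add($ca)   # no-op if the certificate is already present
    $store.Close()
    Write-Host "Trusted root installed on ${env:COMPUTERNAME}: $($ca.Subject) ($($ca.Thumbprint))"
}

# Usage (placeholders): on a DC  -> Get-DcServerAuthCertificate
#                       on TMG   -> Install-TrustedRootFromFile -Path 'C:\Temp\issuing-root-ca.cer'
```

GetNameInfo only returns the first DNS name on the certificate, so a certificate whose FQDN appears as a later SAN entry is reported as missing; check it by hand in that case. The self-signed test in Install-TrustedRootFromFile is what keeps a subordinate CA out of the Trusted Root store by mistake.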
Define the LDAP Servers on TMG
The third thing you will need to configure is an LDAP Server set on your TMG Server. By doing this you are defining which DC or DCs TMG will use for authentication.
To define the LDAP Servers:
1.) Go into your TMG MMC
2.) Click on the Firewall Policy branch, click on the Tasks tab in the far right pane, and then choose “Configure Authentication Server Settings” (See Figure 3)
3.) Click on the LDAP Servers tab and choose “Add”
4.) Give your LDAP server set a name
5.) Add any domain controllers you will be using. Keep in mind that the name MUST be the fully qualified name (FQDN) of the DC and you must ensure it is resolvable from TMG.
6.) Type the Active Directory domain name in the appropriate box
7.) Check the “Connect LDAP servers over secure connection” box
8.) Provide valid credentials in the domain in the form domain\username. TMG binds with these credentials to look up and verify the account status of the external users that access your published web sites; a dedicated domain account with read-only rights is sufficient, and it should have no more privilege than that, since the credentials are stored on a server that is not a domain member.
9.) Create a Login Expression and associate it with the LDAP Server set you just created
The completed LDAP Server set will look similar to Figure 4.
Configuring 3rd Party Firewalls that Separate TMG from the Domain
The final requirement in getting this to work is to ensure that TMG can actually reach the Domain Controllers. Companies that decide TMG should not be part of the Active Directory Domain often put TMG in their DMZ and use another firewall to isolate it. You must ensure that the proper rules are in place for this traffic: LDAPS requires TCP Port 636 to be open from TMG to each DC in the LDAP Server set, and TMG must also be able to resolve each DC’s FQDN through DNS.
A quick and easy way to verify that you have all of the requirements in place is to use the LDP.exe tool. It is normally already present on your TMG server; if it is not, it is part of the AD DS tools in Remote Server Administration Tools. To use it, go to a command prompt, and then type ldp. You should see the tool pop up as shown in Figure 5.
Test the LDAPS connection
1.) Choose “Connection” and then “Connect”
2.) In Server put in the fully qualified domain name of the DC you want to test the LDAPS connection to
3.) Under “Port” put 636
4.) Check the “SSL” Box
See Figure 6
A successful connection will look like Figure 7.
An unsuccessful connection will resemble Figure 8.
If you get an unsuccessful connection attempt, go back through the steps and verify that everything has been done correctly. The usual causes are a certificate whose name does not match the FQDN you typed (connecting by short name or IP address will fail for the same reason), an issuing CA that is not in TMG’s Trusted Root Certification Authorities store, or TCP 636 being blocked between TMG and the DC.
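The LDP.exe test above checks the whole chain of requirements at once, which makes it hard to tell which one failed. The script below is an added example, not part of the original article, that separates them: it confirms TCP 636 is reachable through any intermediate firewall, performs the TLS handshake with Schannel’s normal validation and reports which check failed (chain, name or none), and finally performs a simple bind over that TLS session the way TMG does with the LDAP Server set account. It assumes PowerShell 2.0 or later with .NET 3.5 on the TMG host; the DC FQDN and the credential are placeholders you supply.

```powershell
# Added example, not part of the original article. Run on the TMG host.
# Assumptions: PowerShell 2.0+ with .NET 3.5; DC FQDN and credential are placeholders.

function Test-LdapsToDc {
    param(
        [Parameter(Mandatory = $true)][string]$DcFqdn,
        [int]$Port = 636,
        [System.Management.Automation.PSCredential]$Credential   # optional; enables the bind test
    )
    $r = New-Object PSObject -Property @{
        Server = $DcFqdn; TcpOpen = $false; TlsOk = $false; CertSubject = $null
        CertIssuer = $null; TlsErrors = $null; BindOk = $false; Detail = $null
    }

    # 1. Reachability: the intermediate firewall must allow TCP 636 from TMG to the DC.
    $tcp = New-Object System.Net.Sockets.TcpClient
    try   { $tcp.Connect($DcFqdn, $Port); $r.TcpOpen = $true }
    catch { $r.Detail = "TCP ${Port}: $($_.Exception.Message)"; return $r }

    # 2. TLS handshake. The callback records Schannel's verdict (chain to a trusted root
    #    in LocalMachine\Root, name match) instead of aborting, so the certificate the DC
    #    presented can still be reported when validation fails.
    $script:LdapsPolicyErrors = [System.Net.Security.SslPolicyErrors]::None
    $validator = [System.Net.Security.RemoteCertificateValidationCallback]{
        param($sender, $certificate, $chain, $sslPolicyErrors)
        $script:LdapsPolicyErrors = $sslPolicyErrors
        return $true
    }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validator)
    try {
        $ssl.AuthenticateAsClient($DcFqdn)   # the name we dialled must be on the certificate
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.CertSubject = $cert.Subject
        $r.CertIssuer  = $cert.Issuer
        $r.TlsErrors   = $script:LdapsPolicyErrors.ToString()   # None, RemoteCertificateChainErrors, RemoteCertificateNameMismatch
        $r.TlsOk       = ($script:LdapsPolicyErrors -eq [System.Net.Security.SslPolicyErrors]::None)
    }
    catch   { $r.Detail = "TLS: $($_.Exception.Message)" }
    finally { $ssl.Close(); $tcp.Close() }
    if (-not $r.TlsOk -or -not $Credential) { return $r }

    # 3. Simple bind over LDAPS with the LDAP Server set account. Basic (simple) auth
    #    is acceptable only because TLS wraps it; this is what TMG does on port 636.
    Add-Type -AssemblyName System.DirectoryServices.Protocols
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($DcFqdn, $Port, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion  = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    # PSCredential.UserName keeps the domain\username form the LDAP Server set requires.
    $conn.Credential = New-Object System.Net.NetworkCredential($Credential.UserName,
                                                               $Credential.GetNetworkCredential().Password)
    try   { $conn.Bind(); $r.BindOk = $true }
    catch { $r.Detail = "Bind: $($_.Exception.Message)" }   # LDAP error 81 (server unavailable) usually means the
                                                            # certificate was rejected; 49 means bad credentials
    finally { $conn.Dispose() }
    return $r
}

# Usage (placeholders):
# Test-LdapsToDc -DcFqdn 'dc1.corp.example.com' -Credential (Get-Credential 'CORP\svc-tmg-ldap')
```

Read the result top to bottom: TcpOpen false points at the firewall or DNS, TlsErrors of RemoteCertificateChainErrors at the Trusted Root store on TMG, RemoteCertificateNameMismatch at the certificate on the DC, and a failed bind with everything else green at the account or password typed into the LDAP Server set.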
In this article I explained how to set up and troubleshoot LDAPS authentication on Forefront TMG. I also showed you how to use the LDP.exe tool to verify from the TMG side that the requirements are correctly in place. As always, please let me know if this article helped you. Cheers!