Generating Server authentication certificate for domain controller to be used in Ldaps authentication of ISA server


ISA Server 2006 has LDAP authentication, which is used in scenarios where the ISA server is not part of the domain and needs to authenticate a user against an LDAP server (domain controller) to provide access to various services published through the ISA server, e.g. Exchange services, SharePoint or web publishing. When the ISA server only needs to authenticate users with LDAP authentication, plain LDAP is sufficient. But if you are publishing a service like OWA, use FBA with LDAP authentication, and want to use the password change feature provided with FBA, then you need an LDAPS connection to the domain controller. For an LDAPS connection we need a server authentication certificate installed on the domain controller, and the issuing certificate authority's certificate installed on both the domain controller and the ISA server.

In this post I will discuss how we can generate a server authentication certificate to be installed on the domain controller. The domain controller in my lab setup is named corpa06.corpa.local, and we need to generate a certificate issued to this name.

I have my CA installed on my domain controller itself. So, to generate a server authentication certificate, I open a browser on the domain controller and browse to http://localhost/certsrv, which gives the following window

Then click on the Request a certificate link and you will get the following page

Click on advanced certificate request and we will get the following page

Click on the Create and submit a request to this CA link and we will get the following page

Change the certificate template to Web Server, with the private key marked exportable, as shown below

Also fill in the values corresponding to your organisation. The most important part is the Name field: I have entered corpa06.corpa.local, which is my domain controller's name, and filled in the other fields with example values. Next check the boxes Mark keys as exportable and Store certificate in the local computer certificate store, and then enter a certificate friendly name, as shown below in the second part of the above page

Then click on Submit and you will get a prompt asking whether you want to request the certificate now; click Yes. Mine is an enterprise CA, so my certificate was issued immediately; otherwise you need to go to the CA and issue the certificate from there. After the certificate is issued you will get the following page

Then click on install certificate. It first prompts us whether we want to add the certificate; say Yes and it will install the certificate in the computer Personal store on the domain controller. This can be verified in the Certificates MMC as shown below (highlighted certificate)

If we double-click this certificate we will see the following window

which shows the certificate issued to the domain controller for server authentication. Let us also look at the certification path

which shows the issuing certification authority and the name of the server to which the certificate is issued.

So this is how we generate a server authentication certificate to be used for the LDAPS connection needed by the password change feature.
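To confirm that the certificate installed above is the one the domain controller actually serves for LDAPS, here is an added PowerShell check (not part of the original post). It looks in the computer Personal store for a certificate issued to corpa06.corpa.local with the Server Authentication EKU and a private key, then opens a TLS session to port 636 and compares the certificate presented on the wire. The DC name is from the post; the variable names and the NoCheck revocation setting are my own choices for a lab.

```powershell
# Added example: verify the DC's LDAPS certificate in the store and on the wire.
# Assumption: run in an elevated PowerShell on the domain controller named in the post.
$DcFqdn = 'corpa06.corpa.local'

# 1. Certificates in LocalMachine\My that Schannel can pick for LDAPS:
#    private key present, Server Authentication EKU (1.3.6.1.5.5.7.3.1),
#    and the DC FQDN in the subject CN or the SAN list.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and
    ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1') -and
    (($_.Subject -match "CN=$DcFqdn") -or ($_.DnsNameList.Unicode -contains $DcFqdn))
}
if (-not $candidates) {
    Write-Warning "No usable server authentication certificate for $DcFqdn in LocalMachine\My"
} else {
    $candidates | Select-Object Subject, Issuer, NotAfter, Thumbprint | Format-List
}

# 2. Open a TLS session to port 636 and capture the certificate the DC presents.
#    The callback accepts any certificate here only so we can inspect it below.
$client   = New-Object System.Net.Sockets.TcpClient($DcFqdn, 636)
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
$ssl      = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($DcFqdn)
$presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $client.Dispose()

# 3. Report whether the served certificate is the one we enrolled.
"LDAPS presented: $($presented.Subject), thumbprint $($presented.Thumbprint), expires $($presented.NotAfter)"
if ($candidates.Thumbprint -contains $presented.Thumbprint) {
    'OK: port 636 serves the certificate from the Personal store'
} else {
    Write-Warning 'Port 636 serves a different certificate than the one found in the store'
}

# 4. Build the chain the way the ISA server will: the issuing CA certificate
#    must be trusted here and on the ISA server. Revocation is skipped for the lab check.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
if ($chain.Build($presented)) {
    'Chain builds to a trusted root'
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning $_.StatusInformation }
}
```

If the chain fails to build on the ISA server but succeeds on the DC, the issuing CA certificate is missing from the ISA server's Trusted Root Certification Authorities store.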


Comments (3)

  1. err... says:

    You started this article saying you were going to request a Domain Controller Authentication certificate and ended up getting a web server certificate instead.  Would like to see the actual request for the Domain Controller Authentication certificate instead.

  2. 一峰 says:

    "CA installed on my domain controller " ……………………Absolutely Most Brilliant

  3. doofus says:

    hahaha this sucks
