Skip navigation

AD LDS (aka ADAM) is a general purpose LDAP directory that you can use for free with Windows Server. It’s used for thing that you would normally use an LDAP server for…If you don’t know what that is then I promise you don’t care.

If you do know what an LDAP server is useful for…and you have the need…it’s a feature that can be installed from the Server Manager UI in 2008/ 2008 R2 or PowerShell in Server 8 Preview. (Add-WindowsFeature ADLDS)

Depending on how you deploy LDS you will need to take different steps to enable SSL. I’m writing this because I actually couldn’t find an example on the web that used LDS instead of the older ADAM on 2K3. It’s the same thing, mind you…just different names and a slightly different UI experience. The easiest way to go about this would be to get a machine account certificate from AD CS or whatever hoops you have to jump through to get a server auth certificate. That is, the Enhanced Key Usage needs to be both Client Authentication ( and Server Authentication ( The certificate should be installed in the machine’s personal certificate store like so:


Once that is in place you need to give your service account access to that key. Most deployments are going to use Network Service. Right click on the certificate and choose “Manage Private Keys…”


This will bring up a security dialog that allows you to add users/groups and set permissions on the private key of the machine identity certificate. Add Network Service and set the permission to Allow Read.


I still use LDP for everything…you can use what you like…Fire up an LDAP browser and make sure you can connect via SSL.

It goes without saying that if you are using a domain account as your service account identity then you will need to take further steps to ensure that Kerberos works by setting the Service Principal Name to the correct value. You should also install the certificate in the personal store of your service account if that is your model.

In all cases you will need to make sure that the certificate is issued to the DNS name that you will be connecting to. Using a vanity domain name that will be load-balanced would require a service account and Kerberos configuration. These steps aren’t that radically different from getting SSL and Kerberos working for IIS, though…So have fun with that.


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s

%d bloggers like this: