
Configure Active Directory Authentication with LDAP over SSL

You can use both WatchGuard authentication methods and third-party authentication methods with your WatchGuard SSL device. One available third-party method is Active Directory. The Active Directory authentication method is an LDAP bind authentication method that allows users to change their domain passwords through the WatchGuard SSL Application Portal and enforces the password policy defined in Active Directory. This functionality is only supported with Microsoft Active Directory (AD) servers.

To use this method, you must configure the authentication method for LDAP over SSL communication because this functionality is only allowed over SSL.

Configure the Active Directory server with LDAP over SSL

You can use your existing Active Directory (AD) server to authenticate users to your WatchGuard SSL Application Portal. Because the WatchGuard SSL Active Directory authentication method uses LDAP over SSL, before you configure your SSL device, you must first make sure that LDAP over SSL (also known as LDAPS or LDAP over TLS) is enabled on your Active Directory server. Plain LDAP on port 389 is available by default, but LDAP over SSL on port 636 is not enabled until a suitable server certificate is installed on the domain controller.

LDAP over SSL is also known as LDAP/S, LDAPS, and LDAP over TLS. It means that the LDAP connection between the LDAP client (in this case, the WatchGuard SSL device) and the LDAP server (the Active Directory server) is protected by TLS (Transport Layer Security): the server proves its identity with an X.509 certificate that the client validates, and the data exchanged is encrypted with the cipher suite negotiated by the TLS protocol.

To enable LDAP over SSL, you can use one of two methods:

We recommend that you do not use both sets of instructions. If you choose to use both procedures, the process can be complicated and prone to failure.

WatchGuard provides interoperability instructions to help our customers configure WatchGuard products to work with products created by other organizations. If you need more information or technical support about how to configure a non-WatchGuard product, see the documentation and support resources for that product.

For the subsequent procedures, Active Directory is installed on a Windows Server 2003 computer; the server name is 2003ADsrv, and the domain name is ADexample.com.

Importing a CA Certificate for your Active Directory Server

We strongly recommend that you import a CA certificate for your Active Directory server to your SSL device. This is required for the SSL device to validate the certificate used by the LDAP/SSL services on your Active Directory server. Without the imported CA certificate, the SSL device cannot detect a man-in-the-middle attack between the SSL device and the LDAP/SSL server.

For instructions, see Add a Certificate Authority to your SSL device.

Before you begin

Make sure your server has these applications and tools configured, with the services started:

After you have verified the correct applications and tools are configured, you export the CA certificate from your Windows Certificate Server.

Verify the status of IIS

IIS must be installed and started correctly before you enable LDAP over SSL. If it is not, when you browse to the Certificate Services web enrollment pages (http://<servername>/certsrv) in the procedure to enable LDAP over SSL, you receive a 404 error message.

  1. Select Start > Programs > Administrative Tools > Internet Information Services (IIS) Manager.
  2. Expand your server entry in the list.
  3. Select Web Sites.
  4. For Default Web Site, verify the State is Running.

Install Certificate Services on your AD server

If Certificate Services is already installed on your AD server, you can continue to the next procedure. Make sure that both the Certificate Services CA and Certificate Services Web Enrollment Support options are enabled.

When you enable Certificate Services, you can select to use either an Enterprise root CA or a Stand-alone root CA. We recommend you choose a Stand-alone root CA, which is simpler to use and acceptable for most use cases.

From your Windows 2003 AD Server computer:

  1. Select Start > Control Panel > Add or Remove Programs.
    The Add or Remove programs dialog box appears.
  2. Select Add/Remove Windows Components.
    The Windows Components Wizard dialog box appears.
  3. In the Components list, select the Certificate Services check box.
    A notification message appears.
  4. Click Yes.
  5. Click Details.
    The Certificate Services dialog box appears.
  6. Select the Certificate Services CA and Certificate Services Web Enrollment Support check boxes.
  7. Click OK.
    The Certificate Services dialog box closes and the Windows Components Wizard dialog box appears.
  8. Click Next.
    The CA Type page appears.
  9. Select Stand-alone root CA. Click Next.
  10. Complete the wizard and finish the Certificate Services installation.

Export the CA Certificate from your Windows Certificate Server

From your Windows 2003 AD Server computer:

  1. Select Start > Programs > Administrative Tools > Certification Authority.
    The Certification Authority dialog box appears.
  2. Right-click the name of your Certificate Authority. Select Properties.
  3. On the General tab, click View Certificate.
    The Certificate dialog box appears.
  4. Select the Details tab.
  5. Click Copy to file.
    The Certificate Export Wizard appears.
  6. Click Next.
    The Export File Format page appears.
  7. Select the Base-64 encoded X.509 (CER) file format.
    The File to Export page appears.
  8. To save the certificate file to the default location, in the File Name text box, type a name for the certificate.

    To select a different location to save the file, click Browse. Select the location and type a file name for the certificate.

    For example, cacert.cer.
  9. Click Next.
    The Completing the Certificate Export Wizard page appears.
  10. Review the certificate information. Click Finish.

Enable your AD Server for LDAP over SSL

To enable your AD server to use LDAP over SSL you can request the certificate from the Certificate Authority and use the Certificate Services Web UI to import it.

Request a certificate from the CA

From your Windows 2003 AD Server computer:

  1. Open Internet Explorer and go to http://<servername>/certsrv.

    Replace <servername> in the web address with the host name or IP address of your AD server.

    For this example, type http://2003ADsrv/certsrv.

If a certificate warning appears, add the URL to the list of trusted sites in Internet Explorer.

Select Tools > Internet Options. Select the Security tab. Add the exception.

  2. Click Request a Certificate.
    The Request a Certificate page appears.
  3. Click Submit an advanced certificate request.
    The Advanced Certificate Request page appears.
  4. Click Create and submit a request to this CA.
  5. In the Name text box, type the fully qualified domain name of your server. Make sure the name is correct and in the FQDN format, because a TLS client compares this name with the host name it connects to.

    For this example, type 2003ADsrv.ADexample.com.
  6. In the Type of Certificate Needed drop-down list, select Server Authentication Certificate.
  7. Configure Key Options:
    1. Select Create new key set.
    2. From the CSP drop-down list, select Microsoft RSA SChannel Cryptographic Provider.
    3. Set the Key Usage to Exchange.
    4. In the Key Size text box, type 1024.
    5. Select Automatic key container name.
    6. Select the Mark keys as exportable check box.
    7. Make sure the Enable strong private key protection check box is not selected.
    8. Select the Store certificate in the local computer certificate store check box.
  8. Configure Additional Options:
    1. Set the Request format to PKCS10.
    2. From the Hash Algorithm drop-down list, select SHA-1.
    3. Clear the Save request to a file check box.
      If you select this check box, you must manually submit the request and manually import the certificate to your server. When you do not select this option, the request is submitted automatically and the certificate is automatically imported to your server.
  9. Click Submit.
    The certificate request is submitted.

A 1024-bit RSA key and the SHA-1 hash are the values this Windows Server 2003 example uses; both are considered weak today. If your CA and CSP support it, select a 2048-bit key and SHA-256 instead.

Issue the certificate

After you have requested the certificate from the CA, you must issue the certificate before you can import it.

From your Windows 2003 AD Server computer:

  1. Select Start > Programs > Administrative Tools > Certification Authority.
  2. Expand the Certification Authority list.
  3. Select the Pending Requests folder.
  4. Select the pending request for the certificate you want to issue.
  5. Right-click the request and select All tasks > Issue.
    The CA issues the certificate.

Import the certificate

After the CA has issued the certificate, you can import it to the server certificate store. These instructions use the Internet Explorer web browser. If you use a different web browser, the instructions might be different.

From your Windows 2003 AD Server computer:

  1. Open Internet Explorer and go to http://<servername>/certsrv.

    Replace <servername> in the web address with the host name of your AD server.

    For this example, type http://2003ADsrv/certsrv.
  2. Click View the status of a pending certificate request.

    The View the Status of a Pending Certificate Request page appears.
  3. Select the certificate you want to import.
  4. Follow the instructions to import the certificate.
  5. Reboot your Windows 2003 AD Server computer.

Test the LDAP over TLS connection

To test whether LDAP over TLS works properly, use the ldp.exe tool.

  1. Open a command prompt and type ldp.

    The LDP application appears.
  2. Select Connection > Connect.

    The Connect dialog box appears.
  3. In the Server text box, type the name of your AD server.

    For this example, type 2003ADsrv.
  4. In the Port text box, type 636.
  5. Select the SSL check box.
  6. Click OK.

    A list of server attributes appears in the right pane, which indicates a successful SSL connection. Other errors can also appear in that output, but they are not fatal and do not indicate a problem with the connection.

If a connection error appears, there is an incorrect setting in the configuration. Review your configuration with the steps in the previous procedure to correct any errors. For the Active Directory authentication method to work correctly, LDAP over SSL must also work correctly.

Verify the HTTP SSL properties

The last step to configure LDAP over TLS for your AD server is to make sure the HTTP SSL service is running correctly.

From your Windows 2003 AD Server computer:

  1. Select Start > Administrative Tools > Services.

    The Services tool appears.
  2. In the Services list, find the HTTP SSL service.
  3. Right-click HTTP SSL and select Properties.

    The HTTP SSL Properties dialog box appears.
  4. Make sure the General tab is selected.
  5. From the Startup type drop-down list, select Automatic.

    This is to make sure the HTTP SSL service starts automatically when the server is rebooted.
  6. Click OK.

Configure the Active Directory Authentication method on your SSL device

Now that you have enabled LDAP over SSL on your AD server, issued the server certificate from your CA, and exported the CA certificate, you can add the CA certificate to your SSL device and configure your SSL device to use Active Directory Authentication.

Add a Certificate Authority to your SSL device

If you did not import the CA certificate when you ran the Setup Wizard, you must import it to configure Active Directory Authentication.

  1. Connect to WatchGuard SSL Web UI for your device.
  2. Select Manage System > Certificates.
    The Manage Certificates page appears.
  3. In the Certificate Authorities section, click Add Certificate Authority.
    The Add Certificate Authority page appears.
  4. Make sure the Enable Certificate Authority check box is selected.
  5. In the Display Name text box, type a name for the CA certificate.
    This is the name that appears on the Manage Certificates page in the Registered Certificate Authorities list.
  6. Click Browse and select the CA certificate.
  7. In the Revocation Control section, select No certificate revocation checking should be performed.
    Note that with revocation checking disabled, a server certificate that you later revoke on the CA is still accepted by the SSL device.
  8. Click Finish Wizard.
    The certificate name appears in the Registered Certificate Authorities list.

Enable SSL for Active Directory Authentication services

After you add the CA certificate to your device, you add the Active Directory Authentication Method to your configuration to make a connection between your SSL device and your AD server.

When you use an Active Directory server you can choose from many authentication methods. Because users can change their passwords when they authenticate, we recommend that you use the Active Directory authentication method. With this method, the password policy settings you defined in Active Directory are enforced.

To configure Active Directory authentication:

  1. Select Manage System > Authentication.
    The Authentication page appears.

Screenshot of Manage System, Authentication

  2. Click Add Authentication Method.
    The Add Authentication Method page appears.

Screenshot of Manage System, Authentication, Add Authentication Method

  3. Select Active Directory. Click Next.
  4. Make sure the Enable authentication method check box is selected.
    If you choose to configure this method but not enable it, you can enable it at another time.

Screen shot of the Add Authentication Method page

  5. In the Display Name text box, type a name for this Active Directory Authentication method.
    This is the name that appears in the Registered Authentication Methods list.
  6. To select a different template for this method, in the Template Name text box, type the name of the template to use.
    We recommend you use the default template.
  7. To specify the AD server to use for authentication, click Add Authentication Method Server. You can specify more than one AD server.
    The Add Authentication Method Server page appears.

Screen shot of the Add Authentication Method Server page

  8. In the Host text box, type the IP address or DNS name of your AD server.
    Use the same FQDN you typed into the certificate request (for this example, 2003ADsrv.ADexample.com), so that the name the SSL device connects to matches the name in the server certificate.
  9. To use a port other than the default port, in the Port text box, type a new value.

    We recommend you keep the default value, 636.
  10. To use a timeout value other than the default setting, in the Timeout text box, type a new value.

    This is the amount of time the client waits for a response from the AD server before it tries to connect with another authentication method.
  11. In the Account text box, type the user name for the administrator of the AD server. This can be a Distinguished Name or Principal Name.

    Make sure you use the correct user name form. This account needs only the rights this method uses to bind to and read the directory, so prefer a dedicated account with limited privileges over a member of Domain Admins.

For example, a Distinguished Name such as cn=Administrator,cn=Users,dc=ADexample,dc=com, or a User Principal Name such as administrator@ADexample.com.

  12. In the Password text box, type the password for the administrator of the AD server.
  13. In the Root DN text box, type the Root DN information for the AD server where user accounts are stored.

    Make sure you use the correct Root DN form: one dc= component for each label of the domain name.

For example, for the domain ADexample.com, type dc=ADexample,dc=com

  14. Click Next.

    The Authentication Method Server appears in the Registered Authentication Method Servers list.

Screen shot of the Add Authentication Method Extended Properties page

  15. Click Next.
    The Extended Properties page appears with a default list of Registered Extended Properties. Extended properties are actions that occur when your users authenticate with this method.
  16. To add an extended property, click Add Extended Property.
    The Add Extended Property page appears.
  17. Select a Key and a Value.
    For more information about Extended Property settings, see Manage Extended Properties.
  18. Click Next.
    The Extended Property appears in the Registered Extended Properties list.
  19. Make any changes to the Registered Extended Properties list for this authentication method.
  20. Click Finish Wizard.
    The AD authentication method appears in the Registered Authentication Methods list with the Display Name you specified.
  21. Click Publish to update your configuration with this change.
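
The ldp.exe test described earlier runs on the AD server itself, where the CA is already trusted, so it does not exercise the check the SSL device relies on: validating the server certificate against the exported CA certificate from a separate client. The following Python script is an added example, not WatchGuard or Microsoft code. Run from any workstation, it trusts only cacert.cer, checks the certificate name against the server FQDN, and then performs the LDAPv3 simple bind and a base-scope search with the same Host, Port, Account, Password and Root DN values you enter on the SSL device, so a wrong Account, Password or Root DN shows up as an LDAP result code before you publish the configuration. The host name, CA file name, account DN and password are constructed placeholders for this page's example domain, and the legacy_server handling exists only because a Windows Server 2003 LDAPS endpoint negotiates TLS 1.0 with a SHA-1, 1024-bit certificate that current TLS libraries refuse by default.

```python
"""Check an Active Directory LDAPS endpoint with the values the WatchGuard SSL device will use.
Added example, standard library only: trust the exported CA certificate only, check the
certificate name against the server FQDN, then LDAPv3 simple bind and base search."""
import socket
import ssl

# Constructed placeholders for this page's example environment; replace with your values.
AD_HOST = "2003ADsrv.ADexample.com"  # must equal the FQDN typed into the certificate request
AD_PORT = 636
CA_FILE = "cacert.cer"  # Base-64 (PEM) export of the CA certificate; a DER export will not load here
BIND_DN = "cn=Administrator,cn=Users,dc=ADexample,dc=com"  # assumed DN for the Account field
BIND_PASSWORD = "changeme"  # placeholder, not a real credential

def domain_to_root_dn(domain):
    """'ADexample.com' -> 'dc=ADexample,dc=com', the form the Root DN field expects."""
    labels = [p for p in domain.strip(".").split(".") if p]
    if not labels:
        raise ValueError("empty domain name")
    return ",".join("dc=" + p for p in labels)

def _tlv(tag, payload):
    """BER tag-length-value with short or long-form length (LDAP, RFC 4511, is BER-encoded)."""
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + payload

def _ber_int(v):
    return _tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def encode_bind_request(msg_id, dn, password):
    """LDAPMessage { messageID, BindRequest { version 3, name, simple password } }."""
    bind = _ber_int(3) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x60, bind))

def encode_base_search(msg_id, base_dn):
    """SearchRequest on base_dn: scope baseObject, filter (objectClass=*), no attributes.
    Result 0 means the Root DN exists; 32 (noSuchObject) means it is mistyped."""
    body = (_tlv(0x04, base_dn.encode()) + _tlv(0x0A, b"\x00") + _tlv(0x0A, b"\x03")
            + _ber_int(1) + _ber_int(0) + _tlv(0x01, b"\x00")
            + _tlv(0x87, b"objectClass") + _tlv(0x30, _tlv(0x04, b"1.1")))
    return _tlv(0x30, _ber_int(msg_id) + _tlv(0x63, body))

def _read_tlv(buf, pos):
    """Return (tag, value_start, value_end) for the TLV starting at pos."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, pos, pos + n

def parse_result(msg):
    """(messageID, protocolOp, resultCode, diagnosticMessage); resultCode is None for an entry."""
    tag, p, _ = _read_tlv(msg, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, p, q = _read_tlv(msg, p)
    msg_id = int.from_bytes(msg[p:q], "big", signed=True)
    op, p, _ = _read_tlv(msg, q)
    if op == 0x64:  # SearchResultEntry carries an entry, not a result
        return msg_id, op, None, ""
    _, p, q = _read_tlv(msg, p)  # resultCode ENUMERATED
    code = int.from_bytes(msg[p:q], "big")
    _, p, q = _read_tlv(msg, q)  # matchedDN, skipped
    _, p, q = _read_tlv(msg, q)  # diagnosticMessage
    return msg_id, op, code, msg[p:q].decode("utf-8", "replace")

def _recv_message(stream):
    """Read one complete LDAPMessage from a binary file object over the TLS socket."""
    head = stream.read(2)
    if len(head) < 2:
        raise ConnectionError("server closed the connection")
    n = head[1]
    if n & 0x80:
        head += stream.read(n & 0x7F)
        n = int.from_bytes(head[2:], "big")
    return head + stream.read(n)

def ldaps_check(host=AD_HOST, port=AD_PORT, ca_file=CA_FILE, bind_dn=BIND_DN,
                password=BIND_PASSWORD, root_dn=None, legacy_server=True):
    """Return (bind_code, search_code); (0, 0) means the device-side values will work.
    ssl.SSLCertVerificationError means the certificate does not chain to ca_file or names another host."""
    root_dn = root_dn or domain_to_root_dn(host.split(".", 1)[1])  # derive from the FQDN's domain part
    ctx = ssl.create_default_context(cafile=ca_file)  # trust only the exported CA certificate
    ctx.check_hostname = True
    if legacy_server:  # Windows Server 2003 offers TLS 1.0 with a SHA-1, 1024-bit certificate
        ctx.minimum_version = ssl.TLSVersion.TLSv1  # current defaults would refuse the handshake
        ctx.set_ciphers("DEFAULT:@SECLEVEL=0")  # OpenSSL builds only; never use against a current server
    with socket.create_connection((host, port), timeout=10) as raw, \
            ctx.wrap_socket(raw, server_hostname=host) as tls, tls.makefile("rb") as stream:
        tls.sendall(encode_bind_request(1, bind_dn, password))
        _, _, bind_code, _ = parse_result(_recv_message(stream))
        if bind_code != 0:  # 49 = invalidCredentials: wrong Account or Password
            return bind_code, None
        tls.sendall(encode_base_search(2, root_dn))
        op, search_code = None, None
        while op != 0x65:  # skip SearchResultEntry messages until SearchResultDone
            _, op, search_code, _ = parse_result(_recv_message(stream))
        return bind_code, search_code
```

Edit the constants and call ldaps_check() from a Python prompt. An ssl.SSLCertVerificationError is the man-in-the-middle case the CA import exists to detect (the certificate does not chain to cacert.cer, or was issued for a name other than the one you connect to); a bind code of 49 means the Account or Password is wrong; a search code of 32 means the Root DN does not exist. Leave legacy_server set to True only for a Windows Server 2003 endpoint; against a current domain controller the default TLS settings should be used.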

If you do not enable the Active Directory authentication method, your remote users can still authenticate to the WatchGuard SSL Application Portal with their Active Directory credentials. You can create user accounts in the Local User Database and link them to their Active Directory user accounts to use the same credentials. Then you enable the WatchGuard SSL Password authentication method. When your users authenticate, WatchGuard SSL automatically queries the AD server for the user credentials. If your users change their passwords when they authenticate, the passwords are only changed in the Local User Database, not the AD server, and any policy settings you configured in the AD server are not applied.

To link users in your Local User Database to your AD server:

  1. Select User Management > User Accounts.
    The Manage All User Accounts page appears.

Screenshot of the Manage User Accounts page

  2. Click Global User Accounts Settings.
    The Manage Global User Account Settings page appears.

Screen shot of the Manage Global User Account Settings page

  3. Select User Linking.
  4. Configure the global settings for User Linking.
  5. Click Save.

Verify your SSL device is connected to your AD server

Before you can verify the connection between your AD server and your SSL device, you must first add the AD server to your SSL device as an External Directory Service location.

To add an External Directory Service location:

  1. Select User Management > External Directory Service.

    The Manage External Directory Service page appears.

Screenshot of User Management, External Directory Service

  2. Click Add External Directory Service Location.

    The Add External Directory Service Location page appears.

Screenshot of User Management, External Directory Service, Add External Directory Service location

  3. Select Microsoft Active Directory. Click Next.

    The Add External Directory Service Location page appears.

Screenshot of User Management, External Directory Services, Add Locations, configure settings

  4. Configure the settings for this External Directory Service location. Make sure the settings match those you configured for your AD Server Authentication Method.
  5. Click Next.

    The Add External Directory Service Location page appears.

Screenshot of User Management, External Directory Service, Add Location, Search Rules

  6. To add search rules for your users, click Add User Search Rule.
    The Add User Search Rule page appears.

Screenshot of User Management, External Directory Service, Add Location, User Search Rules

  7. Configure the search rule. Click Next.

    The External Directory Service Location Search Rules page appears.
  8. To add search rules for your user groups, click Add User Group Search Rule.
    The Add User Group Search Rule page appears.

Screenshot of User Management, External Directory Service, Add Location, Add User Group Search Rule

  9. Configure the search rule. Click Next.

    The External Directory Service Location Search Rules page appears.
  10. To verify the connection to your External Directory Service is active, click Test Connection.
  11. Click Finish Wizard.

    The directory service is added and appears in the Registered External Directory Service Location list.

After your AD server is added as an External Directory service location, you can test the connection between the AD server and the SSL device at any time.

  1. Select User Management > External Directory Service.

    The Manage External Directory Service page appears.
  2. In the Registered External Directory Service Locations list, select your AD server.

    The Edit External Directory Service Location page appears.
  3. Select the Search Rules tab.
  4. Click Test Connection to the External Directory Service Location.

    The SSL device tries to contact the AD server.

If your configuration is correct, a Connection test ran successfully message appears.

If the connection test fails, review the settings for your AD Server External Directory Service Location, and correct any errors in the configuration.

See also

About Other Authentication Methods

Add an Authentication Method

Manage Global User Account Settings
