Configure Microsoft Active Directory for secure LDAPS communication

Use certificate pairs to enable Microsoft Active Directory (AD) LDAPS communications.

Note: These procedures were designed and tested using Windows 2003 R2 Standard Edition and work with all versions of Windows 2003.

Secure LDAP (LDAPS) communication is similar to SSL (HTTPS) communication in that both encrypt the data between servers and clients. To accomplish this, the server and clients share common information by using certificate pairs. The server holds the private key certificate and the clients hold the public key certificate. These certificates are required to enable Microsoft Active Directory (AD) LDAPS communications.

To configure LDAPS for Active Directory you must:

- Ensure that the Active Directory domain is set up and that the instance is able to connect to the Active Directory server through the firewall.
- Verify that there is a Certificate Authority (CA) that can issue a certificate for the domain controller (DC). If you don't already have a CA infrastructure, there are two options:
  - Set up a stand-alone CA to issue the certificate
  - Request a third-party certificate

If you already have a CA in place, you can generate a certificate from an internal CA.

All certificates have a defined expiration date, which can be viewed in the certificate properties. If the certificate expires, all LDAPS traffic fails and your users can no longer log in to the instance. To resolve this, a new certificate must be issued and installed on your instance.

The default expiration for Microsoft CA certificates is one year. External CA certificates are usually purchased in one-year increments. Note when your certificate expires, or use the application's Expiration Notification function (located in System LDAP > Certificates). Ensure that you have a new certificate ready before the old one expires. This gives you time to install and test the new certificate before the old one expires.
Set up a stand-alone certificate authority
The first step to configure Microsoft Active Directory for SSL access is to set up a stand-alone Certificate Authority (CA).

Generate a certificate from an internal certificate authority
When you configure Microsoft Active Directory for SSL access, you must generate an internal certificate and request the external certificate.

Test the LDAPS connectivity locally
When you configure Microsoft Active Directory for SSL access, you must test the LDAPS connectivity after installing the internal and third-party certificates.

Export the public key certificate to trust the LDAP certificate
When you configure Microsoft Active Directory for SSL access, you must export the public key certificate and import it into the application.
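The connectivity test and the expiration check described above can be scripted from any client that holds the exported public key certificate. The following is an added example (not part of the original page or of the product): it opens a validated TLS connection to the domain controller's LDAPS port (636), returns the server certificate, and reports how many days remain before it expires. The host name dc01.example.com, the file dc-public.pem and the 30-day warning threshold are assumptions.

```python
import socket
import ssl
from datetime import datetime, timezone


def ldaps_cert_info(host, port=636, ca_file=None, timeout=10):
    """Connect to the DC's LDAPS port and return the validated peer certificate.

    ca_file is the exported public key certificate (PEM) of the CA or DC.
    The default context verifies the chain and the host name, so a
    certificate the client does not trust raises ssl.SSLCertVerificationError
    instead of silently succeeding.
    """
    ctx = ssl.create_default_context(cafile=ca_file)
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def days_until_expiry(not_after, now=None):
    """Days left on a certificate, given its notAfter string as ssl returns it,
    for example 'Jun  1 12:00:00 2025 GMT'. Negative once it has expired."""
    expiry = ssl.cert_time_to_seconds(not_after)  # interpreted as UTC
    current = (now or datetime.now(timezone.utc)).timestamp()
    return int((expiry - current) // 86400)


def needs_renewal(not_after, warn_days=30, now=None):
    """True when the certificate expires within warn_days (or already has),
    i.e. when a replacement should be issued and installed now."""
    return days_until_expiry(not_after, now) <= warn_days


if __name__ == "__main__":
    # Assumed host and exported certificate file; adjust for your domain.
    cert = ldaps_cert_info("dc01.example.com", ca_file="dc-public.pem")
    left = days_until_expiry(cert["notAfter"])
    print("subject:", cert.get("subject"))
    print("expires:", cert["notAfter"], "(%d days left)" % left)
    if needs_renewal(cert["notAfter"]):
        print("WARNING: renew the LDAPS certificate before LDAPS traffic fails")
```

A validation failure from ldaps_cert_info is the expected result until the public key certificate has been exported and passed as ca_file.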