Enable LDAPS Support on Azure Active Directory
- Enable password hash synchronization for cloud-only users and/or on-prem user accounts.
- Obtain a customer secure LDAP certificate in CRT or PEM format. You will need this information to Configure Cloud Connector to use LDAPS. Use one of the options in the following section.
Obtain a Certificate for Secure LDAP
Option A (Recommended) - Obtain a Certificate from a Certification Authority
Obtain a secure LDAP certificate from a certification authority with the following requirements.
- Trusted issuer. The certificate must be issued by an authority trusted by computers connecting to the managed domain using secure LDAP. This authority may be a public certification authority (CA) or an Enterprise CA trusted by these computers.
- Lifetime. The certificate must be valid for at least the next 3-6 months. Secure LDAP access to your managed domain is disrupted when the certificate expires.
- Subject name. The subject name on the certificate must be a wildcard for your managed domain. For instance, if your domain is named contoso100.com, the certificate's subject name must be *.contoso100.com. Set the DNS name (subject alternate name) to this wildcard name.
- Key usage. The certificate must be configured for the following uses: digital signatures and key encipherment.
- Certificate purpose. The certificate must be valid for SSL server authentication.
Option B - Create a Self-Signed Certificate
To create a self-signed certificate for LDAP:
- Open a new PowerShell window as Administrator and enter the following commands:
New-SelfSignedCertificate -Subject contoso100.com `
-NotAfter $lifetime.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment `
-Type SSLServerAuthentication -DnsName *.contoso100.com
- In the preceding sample, replace contoso100.com with the DNS domain name of your managed domain. For example, if you created a managed domain called contoso100.onmicrosoft.com:
- In the Subject attribute, replace contoso100.com with contoso100.onmicrosoft.com.
- In the DnsName attribute, replace contoso100.com with .contoso100.onmicrosoft.com.
Export the Secure LDAP Certificate
- To open the Windows MMC snap-in, navigate to Start > Run > mmc.
- From the File menu, click Add/Remove Snap-in...
- In the Add or Remove Snap-ins dialog, select the Certificates snap-in, and click Add.
- In the Certificates Snap-in wizard, select Computer account and click Next.
- On the Select Computer page, select Local computer (the computer this console is running on) and click Finish.
- In the Add or Remove Snap-ins dialog, click OK to add the certificates snap-in to MMC.
- In the MMC window, click to expand Console Root. You should see the Certificates snap-in loaded. Click Certificates (Local Computer) to expand. Click to expand the Personal node, followed by the Certificates node.
- You should see the self-signed certificate you created. You can examine the properties of the certificate to verify that the thumbprint matches the one reported on the PowerShell windows when you created the certificate.
- Select the self-signed certificate and right-click. From the right-click menu, select All Tasks and select Export...
- In the Certificate Export Wizard, click Next.
- On the Export Private Key page, select Yes, export the private key, and click Next.
- On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX) as the file format for the exported certificate.
- Repeat steps 7–10, select No, do not export the private key, and this certificate will be sent to Skyhigh CASB for the Cloud Connector.
- On the Security page, select the Password option and enter a password to protect the PFX file. Remember this password, as you will need it in the next task. Click Next.
- On the File to Export page, specify the file name and location where you'd like to export the certificate.
- On the following page, click Finish to export the certificate to a PFX file. You will see a confirmation dialog when the certificate has been exported.
Enable LDAPS for an Azure AD Domain Services Managed Domain
- Navigate to the Azure portal.
- In the Search resources search box, search for domain services.
- Select Azure AD Domain Services from the search result. The Azure AD Domain Services page lists your managed domain.
- Click the name of the managed domain (for example, contoso100.com) to see more details about the domain.
- On the navigation pane, click Secure LDAP.
- Toggle Secure LDAP to Enable. By default, secure LDAP access to your managed domain is disabled. It can take up to 15 minutes to enable LDAPS for the domain.
- Toggle Allow secure LDAP access over the internet to Enable.