Skip to main content
Version: 3.7.x.x LTS

LDAP authentication with Microsoft Active Directory

User authentication against a Microsoft Active Directory (AD) is performed in two steps:

  • Bind with a technical user and locate the user's distinguished name (DN) with a tree search, searching for the "sAMAccountName" attribute from the configured userBaseDN.
  • Bind against the AD using the resulting DN and the password entered by the user.

The figure below shows the parameters needed to perform a user authentication against an AD server. You find them in the Environment Variables panel in the view of the relevant environment (Configuration tab). No.1 in the figure shows the distinguished name of the technical user, no.2 displays the base DN to search for the user, and no.3 represents the passphrase of the user, which has been obfuscated with the nevisAuth encSecret command.

Realm parameters to access the active directory server*
info

You may use the configuration template "MS Exchange using dynamic certificates" to configure this use case. For more information, see the chapter: MS Exchange using dynamic certificates.

Dynamic certificates

The dynamic certificate authentication system implemented in nevisProxy and nevisAuth requires the creation of a Certification Authority (CA). This CA is used by nevisAuth to create certificates for each authenticated user. The certificate used by nevisAuth must be installed in the Exchange server hosting the Internet Information Service (IIS).

2-Way SSL using dynamic certificates

The table below shows how to create a new CA on the command line interface of the server hosting nevisAdmin. This example creates a new slot called "auth". The commands will prompt you to enter a passphrase to protect the key material.

Sample to create a dynamic certificate signer
# neviskeybox cacreate -ca "BoxDynCA
# neviskeybox import -slot auth -label dynCertSigner \
-file /var/opt/neviskeybox/default/NevisBoxDynCA/ca_key.pem
# neviskeybox import -slot auth -label dynCertSigner \
-file /var/opt/neviskeybox/default/NevisBoxDynCA/ca_cert.pem -own
# neviskeybox passwd -slot auth -label dynCertSigner -keep
# neviskeybox access -slot auth -label dynCertSigner -user nvauser -group nvbgroup

You can now import this nevisKeybox slot called "auth" to all servers hosting the involved nevisAuth instances as described in the chapter: Import key material, and set it to the nevisAuth instance to be used as the dynamic certificate signer.

Define the dynamic certificate signer keystore

The file /var/opt/neviskeybox/default/auth/dynCertSigner_certificate.pem contains the certificate to be installed on the IIS server.

Import the certificate used to issue the dynamic client certificates

The CA certificate must be configured on the domain controller to be trusted for the Active Directory and integrated for the authentication purposes in this domain. To do this, copy the CA certificate to the domain controller and issue the following command.

Example to register the CA certificate for user authentication
certutil -dspublish -f dynCertSigner_certificate.pem NTAuthCA

You may verify the settings within the Windows management console.

NTAuthCertificates within the MMC

On the IIS server, the SSL settings must either be set to "require" or "accept", see the figure below. Ensure you enable the initial client certificate negotiation as described in the chapter: IIS - Initial Client Certificate Negotiation, in case you don't set the "require" option globally.

IIS SSL settings

In addition, the "Client Certificate Mapping Authentication" must be enabled globally via the UI.

Authentication settings

To ensure, that the "Client Certificate Mapping Authentication" feature is enabled for all applications, we recommend doing this by the following commands as shown in the code block below.

Enable Client Certificate Mapping Authentication
# cd c:\windows\system32\inetsrv
appcmd unlock config /section:clientCertificateMappingAuthentication
appcmd set config "Default Web Site/owa" -section:clientCertificateMappingAuthentication /enabled:true
appcmd set config "Default Web Site/Microsoft-Server-ActiveSync" -section:clientCertificateMappingAuthentication /enabled:true
appcmd set config "Default Web Site/ecp" -section:clientCertificateMappingAuthentication /enabled:true
appcmd set config "Default Web Site/ews" -section:clientCertificateMappingAuthentication /enabled:true
appcmd set config "Default Web Site/autodiscover" -section:clientCertificateMappingAuthentication /enabled:true
appcmd set config "Default Web Site/oab" -section:clientCertificateMappingAuthentication /enabled:true
appcmd set config "Default Web Site/rpc" -section:clientCertificateMappingAuthentication /enabled:true

In the view of the application's mapping (Configuration tab), specify the following settings (see the figure: Enable dyncert and lock client session, below:

  • Lock the TCP keep-alive of the back-end connections to the client session, by going to the Settings panel and selecting "on" in the Lock keep-alive to client session field.
  • Enable the usage of dynamic certificates ("SSLDynamicClientCertificate"), by going to the Custom Init-Param Settings panel, and entering "SSLDynamicClientCertificate" in the Name field and "true" in the corresponding Value field.
Enable dyncert and lock client session:
Enable dyncert and lock client session

IIS - Initial Client Certificate Negotiation

Enable initial client certificate negotiation for your Microsoft Internet Information Services (IIS). If the client certificate negotiation property is enabled, each time a new SSL connection is negotiated, the server will immediately negotiate a client certificate, preventing the server response 413 for large POST requests.

Initial client certificate negotiation may be enabled on two different ways:

  • For IIS 6 servers, respectively IIS servers with installed IIS compatibility libraries and tools, the SSLAlwaysNegoClientCert flag can be set by the following command:

    Enable the SSLAlwaysNegoClientCert flag
    cscript adsutil.vbs set w3svc/1/SSLAlwaysNegoClientCert true
  • For IIS 7 and above architectures, the Negotiate Client Certificate parameter within the "sslcert" object must be set to "Enabled". This can be done using the "netsh http add sslcert" command. The "netsh http" command does not offer a "modify" option, but you may use the "show", "delete", and "add" commands to apply configuration changes.

    To enable the Negotiate Client Certificate parameter, first get the current settings. Afterwards you remove them and re-create the context again using the same parameters, but this time enabling the Negotiate Client Certificate parameter.

netsh http command example
C:\> netsh htt show sslcert

## SSL Certificate bindings:

IP:port : 0.0.0.0:443
Certificate Hash : d658d1aa7e529e9ef66c902780d2acbad51a676d
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Enabled
Negotiate Client Certificate : Disabled

C:\> netsh http delete sslcert ipport=0.0.0.0:443

SSL Certificate successfully deleted

C:\> netsh http add sslcert ipport=0.0.0.0:443
certhash=d658d1aa7e529e9ef66c902780d2acbad51a676d
appid="{4dc3e181-e14b-4a21-b022-59fc669b0914}" certstorename=My
verifyclientcertrevocation=enable
verifyrevocationwithcachedclientcertonly=disable
usagecheck=enable
dsmapperusage=enable
clientcertnegotiation=enable

SSL Certificate successfully added

C:\> netsh htt show sslcert

## SSL Certificate bindings:

IP:port : 0.0.0.0:443
Certificate Hash : d658d1aa7e529e9ef66c902780d2acbad51a676d
Application ID : {4dc3e181-e14b-4a21-b022-59fc669b0914}
Certificate Store Name : My
Verify Client Certificate Revocation : Enabled
Verify Revocation Using Cached Client Certificate Only : Disabled
Usage Check : Enabled
Revocation Freshness Time : 0
URL Retrieval Timeout : 0
Ctl Identifier : (null)
Ctl Store Name : (null)
DS Mapper Usage : Enabled
Negotiate Client Certificate : Enabled