Configuring MS-ADAM for SSL connectivity

For a customer project utilising the Json2Ldap web service I had to set up a simple MS Active Directory instance for testing purposes. After some preliminary research I found out that the least complicated way to do that was to get a copy of Windows XP Pro and then install MS Active Directory Application Mode (ADAM) onto it.

I work mostly under Linux (Ubuntu + Debian), so I resorted to the excellent VMware Workstation software, which enabled me to install and run Win XP Pro as a guest OS.

But why MS ADAM? Because this “lightweight” edition of Active Directory was apparently easier to set up and manage, and it didn’t require a full-blown Windows Server, as it could also run on Win XP Pro. Note that since 2008 MS ADAM is called Lightweight Directory Services (LDS).

The real headache of the whole setup is getting SSL connectivity to work. There is no dedicated software procedure (e.g. a wizard) to enable SSL with MS-ADAM, and the documentation on the subject is also poor, so I had to resort to various message boards and my intuition to ultimately solve the problem.

Here are the instructions. Note that they apply to Win XP Pro, which differs somewhat from Windows Server 2003 and 2008.

  1. Download and install MS-ADAM Service Pack (SP) 1. Leave out the MUI package unless you need i18n.
  2. Start the “Create an ADAM Instance” wizard.
    • Select “unique instance”.
    • Specify a meaningful name for the directory instance, e.g. “MY-DIRECTORY”.
    • Specify a port for plain and a port for SSL connections.
    • Specify an application directory partition (DN of the directory context), e.g. “dc=example,dc=com”.
    • Confirm the ADAM file store locations.
    • Leave the default “NETWORK SERVICE” user under which to run ADAM.
    • Select an administrator for the ADAM instance.
    • Import the User.LDIF and InetOrgPerson.LDIF schemas (if you intend to store user accounts in the directory).
    • Confirm the details and let the wizard finish off the directory instance installation.
  3. Install IIS server. Why? Because it comes with a wizard which we need in order to go through the SSL certificate request procedure (MS-ADAM unfortunately doesn’t have this utility).
  4. Launch the Microsoft Management Console (“mmc” from the command prompt), open an Internet Information Services snap-in and go to its “Local computer” -> “Default web site” folder. Right click on it to open the “Properties” dialog.
    • Select the “Directory Security” tab.
    • Click on the “Server Certificate” button and a wizard will appear.
    • Select “Create a new certificate”.
    • Specify a meaningful name for the certificate, e.g. “ADAM SSL”.
    • Specify the details of the organisation owning the server.
    • Specify the fully qualified domain name (FQDN) of the server, e.g. ds.mydomain.com. You must get this right, otherwise SSL authentication will fail!
    • Specify additional geolocation details about the server.
    • Specify a location for the certificate request file (e.g. “C:\certreq.txt”).
  5. Process and sign the certificate request. I did this using the OpenSSL toolkit on my Linux box. The instructions are available here.
  6. Copy the resulting files iis.cer (the ready ADAM server certificate) and ca.crt (the certificate of the issuing CA) to a folder on the Windows machine.
  7. Restart the IIS “Server Certificate” wizard.
    • Select “Process the pending request and install the certificate”.
    • Specify the location of the iis.cer file.
    • Confirm the details, after which the certificate will be saved into the local computer certificate store under “Personal” -> “Certificates”.
  8. Locate the certificate in the Microsoft Management Console “Certificates (Local Computer)” snap-in under “Personal” -> “Certificates”, right-click and select “All tasks” -> “Export…”.
    • Choose the option to export the private key.
    • Confirm the suggested PKCS#12 format and deselect all other options.
    • Specify a password to lock/unlock the exported key.
    • Specify a file name and let the wizard complete the export procedure.
  9. Go to the “Certificates” snap-in for the ADAM instance and then to the “Personal” folder.
  10. Right-click the folder and select “All Tasks” -> “Import…” to start a wizard that re-imports the previously exported certificate, this time into the ADAM instance store.
    • Specify the location of the certificate file.
    • Specify the password to unlock it.
    • Let the wizard complete the import procedure.
  11. Locate the certificate in the “Personal” -> “Certificates” folder, right-click, select “Properties” and make sure the certificate is enabled for “Server Authentication” only.
  12. Locate the most recently added file in the “C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\MachineKeys” folder and make sure the ADAM instance can access it by adding “SERVICE” to its read permission list. This file contains the private key for the server SSL certificate.
  13. Go to the certificate store for “Local computer” and right-click on the “Trusted Root Certification Authorities” folder.
    • Click on “All tasks” -> “Import…”
    • Locate the CA certificate file ca.crt.
    • Confirm and let the wizard import it into the main certificate store of the local computer. The CA certificate is required to validate the authenticity of the server certificate.
  14. Restart the ADAM instance from the Admin Console and voilà!
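As an added example (not part of the original post, and not the OpenSSL instructions it links to), the following script shows the signing step 5 carried out with a small OpenSSL test CA, restricts the resulting iis.cer to “Server Authentication” as step 11 requires, and then checks the same three things an LDAPS client will check against the running instance: that iis.cer chains to ca.crt (step 13), that the FQDN from step 4 matches, and that the certificate carries the server-authentication key usage. The CA, the private key and the FQDN ds.mydomain.com are constructed here; a real IIS request would be the certreq.txt file from step 4 rather than one generated locally. It assumes OpenSSL 1.1.1 or later for the -checkhost and -ext options.

```shell
#!/bin/sh
# Added example: sign an IIS-style certificate request with a test CA and
# verify the result the way an LDAPS client would. Everything below is
# constructed for the demonstration; nothing is taken from a real deployment.
set -e

work=$(mktemp -d)
cd "$work"

# 1. Issuing CA (self-signed). Its certificate is what step 13 imports as ca.crt.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
  -days 3650 -subj "/CN=Test ADAM CA" >/dev/null 2>&1

# 2. Stand-in for the request IIS writes to C:\certreq.txt in step 4.
#    The CN must be the FQDN clients will connect to (here ds.mydomain.com).
openssl req -newkey rsa:2048 -nodes -keyout iis.key -out certreq.txt \
  -subj "/CN=ds.mydomain.com/O=Example Org" >/dev/null 2>&1

# 3. Sign the request. extendedKeyUsage limits the certificate to server
#    authentication (step 11); the SAN repeats the FQDN, which modern
#    clients check instead of the CN.
cat > ext.cnf <<'EOF'
extendedKeyUsage = serverAuth
keyUsage = digitalSignature, keyEncipherment
subjectAltName = DNS:ds.mydomain.com
EOF
openssl x509 -req -in certreq.txt -CA ca.crt -CAkey ca.key -CAcreateserial \
  -days 365 -extfile ext.cnf -out iis.cer >/dev/null 2>&1

# Checks mirroring what a client does when it opens the LDAPS port.
# Does iis.cer chain to the CA certificate imported in step 13?
check_chain() {
  openssl verify -CAfile ca.crt iis.cer >/dev/null 2>&1
}
# Does the certificate match the host name the client connects to (step 4)?
check_host() {
  openssl x509 -in iis.cer -noout -checkhost "$1" 2>/dev/null | grep -q "does match"
}
# Is the certificate enabled for server authentication (step 11)?
check_eku() {
  openssl x509 -in iis.cer -noout -ext extendedKeyUsage 2>/dev/null \
    | grep -q "TLS Web Server Authentication"
}

# Summary for the reader; iis.cer and ca.crt are now the files step 6 copies over.
openssl x509 -in iis.cer -noout -subject -issuer -ext extendedKeyUsage,subjectAltName
check_chain && check_host ds.mydomain.com && check_eku && echo "iis.cer OK for ds.mydomain.com"
```

Once the instance is restarted (step 14), the same three checks can be run against the live LDAPS port by replacing iis.cer with the output of `openssl s_client -connect ds.mydomain.com:<ssl-port>`; a hostname mismatch there is the usual reason clients reject the connection even though the ADAM service starts cleanly.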