Anavem
EnglishFrancais
Anavem
Languagefr
How to Configure LDAPS Protocol in Active Directory 2026

How to Configure LDAPS Protocol in Active Directory 2026

Configure LDAPS (LDAP over SSL) in Active Directory to secure domain controller connections using SSL certificates on port 636. Complete setup with certificate enrollment and verification.

Evan MaelEvan Mael
March 17, 2026 18 min
mediumldaps 8 steps 18 min

Why Configure LDAPS in Active Directory?

LDAPS (LDAP over SSL/TLS) encrypts all communication between clients and Active Directory domain controllers, protecting sensitive authentication data and directory queries from network eavesdropping. While standard LDAP operates on port 389 in plain text, LDAPS uses port 636 with SSL/TLS encryption.

In 2026, LDAPS remains the standard method for securing Active Directory connections, especially critical for applications that authenticate against AD over untrusted networks. Many compliance frameworks like SOX, HIPAA, and PCI-DSS require encrypted authentication protocols.

What Certificate Requirements Does LDAPS Have?

LDAPS requires a valid SSL certificate installed on each domain controller. The certificate must include the domain controller's fully qualified domain name (FQDN) in either the subject field or Subject Alternative Name (SAN) extension. You can use certificates from an internal Certificate Authority (recommended for domain-joined environments) or third-party CAs like Let's Encrypt.

The certificate must support server authentication (Enhanced Key Usage OID 1.3.6.1.5.5.7.3.1) and be trusted by all clients connecting via LDAPS. For load-balanced environments, ensure certificates include all relevant DNS names in the SAN field.

How Does LDAPS Integration Work with Applications?

Once configured, applications can connect to Active Directory using LDAPS by specifying port 636 and enabling SSL in their LDAP connection strings. Popular applications like web servers, email systems, and custom applications benefit from LDAPS encryption without requiring code changes—just connection string modifications.

This tutorial walks you through the complete LDAPS setup process: installing Active Directory Certificate Services, creating certificate templates, enrolling certificates on domain controllers, and thoroughly testing the configuration. You'll also learn troubleshooting techniques for common LDAPS issues.

Implementation Guide

Full Procedure

01

Install Active Directory Certificate Services

First, we need to install AD CS to create our internal certificate authority. This will allow us to issue SSL certificates for LDAPS.

Open Server Manager and click Add Roles and Features. Select Role-based or feature-based installation and choose your server from the pool.

On the Server Roles page, check Active Directory Certificate Services:

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

After installation, you'll see a notification flag in Server Manager. Click it and select Configure Active Directory Certificate Services on the destination server.

In the configuration wizard:

  • Use current domain administrator credentials
  • Check Certificate Authority on the Role Services page
  • Select Enterprise CA (not Standalone)
  • Choose Root CA if this is your first CA
  • Create a new private key with default settings
Pro tip: Enterprise CA integrates with Active Directory and automatically publishes certificates to the directory, making management much easier than Standalone CA.

Verification: Open certsrv.msc and confirm the Certificate Authority console opens without errors.

02

Create LDAPS Certificate Template

Now we'll create a certificate template specifically for LDAPS. This ensures our certificates have the correct properties for domain controller authentication.

Open the Certificate Authority console (certsrv.msc) and expand your CA. Right-click Certificate Templates and select Manage.

In the Certificate Templates Console:

  1. Right-click the Computer template and select Duplicate Template
  2. On the General tab, set Template display name to LDAPS Template
  3. Set validity period to 2 years (or your organization's policy)
  4. On the Request Handling tab, check Allow private key to be exported
  5. On the Subject Name tab, select Supply in the request
  6. On the Security tab, add Domain Controllers group with Read and Enroll permissions

Click OK to create the template.

Back in the CA console, right-click Certificate Templates, select New > Certificate Template to Issue, and choose your LDAPS Template.

Warning: Don't skip the Security tab configuration. Without proper permissions, domain controllers won't be able to request certificates automatically.

Verification: The LDAPS Template should appear in the Certificate Templates folder of your CA.

03

Request and Enroll LDAPS Certificate on Domain Controller

On each domain controller, we need to request and install an LDAPS certificate. The certificate must include the DC's FQDN in the subject or SAN field.

On the domain controller, open the Microsoft Management Console:

mmc.exe

Add the Certificates snap-in:

  1. File > Add/Remove Snap-in
  2. Select Certificates and click Add
  3. Choose Computer account and Local computer
  4. Click Finish and OK

Navigate to Certificates (Local Computer) > Personal > Certificates. Right-click Certificates and select All Tasks > Request New Certificate.

In the Certificate Enrollment wizard:

  1. Click Next twice to reach the certificate selection page
  2. Check the box for LDAPS Template
  3. Click More information is required link
  4. In Subject tab, set Type to Common name and Value to your DC's FQDN (e.g., dc01.contoso.com)
  5. In Alternative name tab, set Type to DNS and Value to the same FQDN
  6. Click OK and then Enroll
Pro tip: Always use the fully qualified domain name (FQDN) in certificates. Short names or IP addresses will cause SSL validation failures.

Verification: Check that a new certificate appears in the Personal > Certificates store with your DC's FQDN as the subject.

04

Reload Active Directory SSL Certificate

After installing the certificate, Active Directory needs to reload its SSL configuration to start using the new certificate for LDAPS connections.

The cleanest method is to restart the domain controller, but you can also reload the certificate without downtime using PowerShell:

# Stop and start the Active Directory Domain Services
Stop-Service NTDS -Force
Start-Service NTDS

Alternatively, you can restart just the relevant services:

# Restart services that handle LDAP/LDAPS
Restart-Service NTDS -Force
Restart-Service DNS -Force

For a production environment, the safest approach is a scheduled reboot:

shutdown /r /t 300 /c "Reboot for LDAPS certificate activation"
Warning: Stopping NTDS will temporarily make the domain controller unavailable. Plan this during a maintenance window or ensure you have other DCs available.

After the restart, check the System event log for any certificate-related errors:

Get-EventLog -LogName System -Source "NTDS General" -Newest 10

Verification: Look for Event ID 1220 in the Directory Service log, which indicates LDAPS is successfully enabled.

05

Test LDAPS Connection Using Ldp.exe

Now we'll verify that LDAPS is working correctly using the built-in LDAP administration tool. This is the most reliable way to test LDAPS connectivity.

Open the LDAP administration tool:

ldp.exe

In Ldp.exe:

  1. Click Connection > Connect
  2. Enter your domain controller's FQDN (e.g., dc01.contoso.com)
  3. Set Port to 636
  4. Check SSL checkbox
  5. Click OK

If successful, you'll see RootDSE information displayed in the right pane, similar to:

ld = ldap_sslinit("dc01.contoso.com", 636, 1);
ldap_set_option(ld,LDAP_OPT_PROTOCOL_VERSION,3);
Connected to dc01.contoso.com.
The connection is established.

Next, authenticate the connection:

  1. Click Connection > Bind
  2. Leave Domain, User, and Password blank for anonymous bind, or enter credentials
  3. Click OK

You can also test from command line using PowerShell:

# Test LDAPS connectivity
$ldapConnection = New-Object System.DirectoryServices.DirectoryEntry("LDAPS://dc01.contoso.com:636")
try {
    $ldapConnection.RefreshCache()
    Write-Host "LDAPS connection successful" -ForegroundColor Green
} catch {
    Write-Host "LDAPS connection failed: $($_.Exception.Message)" -ForegroundColor Red
}
Pro tip: If you get certificate errors, check that the certificate's subject name exactly matches the FQDN you're connecting to. Case sensitivity matters!

Verification: Successful connection shows RootDSE data and no SSL/TLS errors in the Ldp.exe output window.

06

Test LDAPS with OpenSSL and Certificate Validation

For comprehensive testing, especially in mixed environments, use OpenSSL to validate the certificate chain and encryption strength.

From a Linux machine or Windows with OpenSSL installed:

# Test LDAPS connection and view certificate details
openssl s_client -connect dc01.contoso.com:636 -showcerts

This command will show:

  • Certificate chain validation
  • Cipher suite being used
  • Certificate expiration dates
  • Any certificate warnings or errors

For automated testing, create a simple script:

#!/bin/bash
DC_FQDN="dc01.contoso.com"
echo "Testing LDAPS on $DC_FQDN..."

# Test connection
echo "" | openssl s_client -connect $DC_FQDN:636 2>/dev/null
if [ $? -eq 0 ]; then
    echo "LDAPS connection successful"
else
    echo "LDAPS connection failed"
fi

# Check certificate expiration
echo "" | openssl s_client -connect $DC_FQDN:636 2>/dev/null | openssl x509 -noout -dates

You can also test from Windows PowerShell using .NET classes:

# Advanced LDAPS testing with certificate validation
$ldapServer = "dc01.contoso.com"
$ldapPort = 636

try {
    $tcpClient = New-Object System.Net.Sockets.TcpClient($ldapServer, $ldapPort)
    $sslStream = New-Object System.Net.Security.SslStream($tcpClient.GetStream())
    $sslStream.AuthenticateAsClient($ldapServer)
    
    Write-Host "LDAPS connection established" -ForegroundColor Green
    Write-Host "SSL Protocol: $($sslStream.SslProtocol)" -ForegroundColor Yellow
    Write-Host "Cipher Algorithm: $($sslStream.CipherAlgorithm)" -ForegroundColor Yellow
    Write-Host "Is Encrypted: $($sslStream.IsEncrypted)" -ForegroundColor Yellow
    
    $sslStream.Close()
    $tcpClient.Close()
} catch {
    Write-Host "LDAPS test failed: $($_.Exception.Message)" -ForegroundColor Red
}
Warning: If testing from non-domain-joined machines, you may need to install your internal CA certificate in the trusted root store, or you'll get certificate validation errors.

Verification: OpenSSL should show "Verify return code: 0 (ok)" and display the complete certificate chain without errors.

07

Configure LDAPS for Multiple Domain Controllers

In a multi-DC environment, each domain controller needs its own LDAPS certificate. Here's how to efficiently deploy certificates across all DCs.

First, create a PowerShell script to automate certificate requests on all DCs:

# Get all domain controllers
$DomainControllers = Get-ADDomainController -Filter *

foreach ($DC in $DomainControllers) {
    $DCName = $DC.HostName
    Write-Host "Processing DC: $DCName" -ForegroundColor Green
    
    # Create remote session
    $Session = New-PSSession -ComputerName $DCName
    
    # Request certificate on remote DC
    Invoke-Command -Session $Session -ScriptBlock {
        # Request certificate using certreq
        $RequestFile = "C:\temp\ldaps_request.inf"
        $CertFile = "C:\temp\ldaps_cert.cer"
        
        # Create certificate request file
        @"
[NewRequest]
Subject = "CN=$env:COMPUTERNAME.$env:USERDNSDOMAIN"
KeyLength = 2048
KeyAlgorithm = RSA
MachineKeySet = TRUE
RequestType = PKCS10

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication
"@ | Out-File -FilePath $RequestFile -Encoding ASCII
        
        # Submit request
        certreq -submit -config "CA01\Contoso-CA" $RequestFile $CertFile
        
        # Install certificate
        if (Test-Path $CertFile) {
            certreq -accept $CertFile
            Write-Host "Certificate installed on $env:COMPUTERNAME"
        }
    }
    
    Remove-PSSession $Session
}

For load-balanced environments, ensure certificates include all necessary DNS names:

# Certificate request with multiple DNS names
$RequestTemplate = @"
[NewRequest]
Subject = "CN=ldap.contoso.com"
KeyLength = 2048
KeyAlgorithm = RSA
MachineKeySet = TRUE
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=ldap.contoso.com&"
_continue_ = "dns=dc01.contoso.com&"
_continue_ = "dns=dc02.contoso.com&"
"@

After deploying certificates, restart the NTDS service on all DCs:

# Restart NTDS on all domain controllers
$DomainControllers = Get-ADDomainController -Filter *
foreach ($DC in $DomainControllers) {
    Write-Host "Restarting NTDS on $($DC.HostName)" -ForegroundColor Yellow
    Invoke-Command -ComputerName $DC.HostName -ScriptBlock {
        Restart-Service NTDS -Force
    }
}
Pro tip: Use Group Policy to automatically enroll certificates on domain controllers. Create a GPO that targets the Domain Controllers OU and configure automatic certificate enrollment.

Verification: Test LDAPS connectivity to each domain controller using the Ldp.exe method from Step 5, or run this verification script:

# Test LDAPS on all DCs
foreach ($DC in $DomainControllers) {
    try {
        $ldap = New-Object System.DirectoryServices.DirectoryEntry("LDAPS://$($DC.HostName):636")
        $ldap.RefreshCache()
        Write-Host "✓ LDAPS working on $($DC.HostName)" -ForegroundColor Green
    } catch {
        Write-Host "✗ LDAPS failed on $($DC.HostName): $($_.Exception.Message)" -ForegroundColor Red
    }
}
08

Troubleshoot Common LDAPS Issues

Even with proper configuration, LDAPS can have issues. Here are the most common problems and their solutions.

Certificate Validation Errors

If clients get certificate validation errors, check the certificate properties:

# Check certificate details
Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object {$_.Subject -like "*$env:COMPUTERNAME*"} | Format-List Subject, Issuer, NotAfter, Extensions

Common certificate issues:

  • Subject name mismatch: Certificate CN must match the FQDN used to connect
  • Expired certificate: Check NotAfter date
  • Untrusted CA: Install your internal CA certificate on client machines

LDAP Signing Requirements

Windows may require LDAP signing, causing "Strong Authentication Required" errors. Check the current setting:

# Check LDAP signing requirements
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name "LDAPServerIntegrity"

Values: 0 = None, 1 = Negotiate signing, 2 = Require signing

To modify LDAP signing requirements:

# Set LDAP signing to negotiate (recommended)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters" -Name "LDAPServerIntegrity" -Value 1
Restart-Service NTDS -Force

Port and Firewall Issues

Verify LDAPS is listening on port 636:

netstat -an | findstr :636

Check Windows Firewall rules:

# Check if LDAPS port is allowed
Get-NetFirewallRule -DisplayName "*LDAP*" | Get-NetFirewallPortFilter

Create firewall rule if needed:

# Allow LDAPS through firewall
New-NetFirewallRule -DisplayName "LDAPS-In" -Direction Inbound -Protocol TCP -LocalPort 636 -Action Allow

Event Log Analysis

Check for LDAPS-related errors in event logs:

# Check for certificate and LDAPS errors
Get-WinEvent -FilterHashtable @{LogName='System'; ID=1220,1221,1222} -MaxEvents 10
Get-WinEvent -FilterHashtable @{LogName='Directory Service'; ID=1220,1221} -MaxEvents 10
Warning: Never disable certificate validation in production. If you're getting certificate errors, fix the certificate rather than bypassing validation.

Verification: Use the comprehensive test script to validate all aspects of your LDAPS configuration:

# Comprehensive LDAPS health check
function Test-LDAPS {
    param([string]$DomainController)
    
    Write-Host "Testing LDAPS on $DomainController" -ForegroundColor Cyan
    
    # Test port connectivity
    $portTest = Test-NetConnection -ComputerName $DomainController -Port 636 -WarningAction SilentlyContinue
    if ($portTest.TcpTestSucceeded) {
        Write-Host "✓ Port 636 is accessible" -ForegroundColor Green
    } else {
        Write-Host "✗ Port 636 is not accessible" -ForegroundColor Red
        return
    }
    
    # Test LDAPS connection
    try {
        $ldap = New-Object System.DirectoryServices.DirectoryEntry("LDAPS://$DomainController:636")
        $ldap.RefreshCache()
        Write-Host "✓ LDAPS connection successful" -ForegroundColor Green
    } catch {
        Write-Host "✗ LDAPS connection failed: $($_.Exception.Message)" -ForegroundColor Red
    }
}

# Test all domain controllers
Get-ADDomainController -Filter * | ForEach-Object { Test-LDAPS -DomainController $_.HostName }

Frequently Asked Questions

What is the difference between LDAP and LDAPS in Active Directory?+
LDAP operates on port 389 and transmits data in plain text, making it vulnerable to network sniffing. LDAPS uses port 636 with SSL/TLS encryption to secure all communication between clients and domain controllers. LDAPS provides the same functionality as LDAP but with encrypted authentication and data transfer, essential for compliance and security in production environments.
Can I use Let's Encrypt certificates for LDAPS in Active Directory?+
Yes, you can use Let's Encrypt certificates for LDAPS, but it requires additional configuration. The certificate must include your domain controller's FQDN, and you'll need to automate certificate renewal since Let's Encrypt certificates expire every 90 days. However, internal Certificate Authority certificates are typically preferred for domain environments as they integrate better with Windows certificate management and don't require internet connectivity for validation.
Why does LDAPS connection fail with certificate validation errors?+
Certificate validation errors usually occur when the certificate's subject name doesn't match the FQDN used to connect, the certificate has expired, or the issuing Certificate Authority isn't trusted by the client. Ensure your certificate's Common Name or Subject Alternative Name exactly matches the domain controller's FQDN, verify the certificate hasn't expired, and install your internal CA certificate in the client's trusted root store if using an internal CA.
Do I need to configure LDAPS on every domain controller separately?+
Yes, each domain controller requires its own LDAPS certificate since certificates are machine-specific and contain the individual DC's FQDN. However, you can automate the process using PowerShell scripts or Group Policy auto-enrollment. In load-balanced environments, you might use certificates with multiple DNS names in the Subject Alternative Name field, but each DC still needs its own certificate installed locally.
How do I troubleshoot LDAPS port 636 connection timeouts?+
Connection timeouts on port 636 typically indicate firewall blocking, the LDAPS service not running, or certificate issues preventing SSL handshake. First, verify port 636 is listening using 'netstat -an | findstr :636'. Check Windows Firewall rules allow inbound connections on port 636. Examine the Directory Service event log for certificate errors (Event IDs 1220-1222). Test connectivity using 'Test-NetConnection -ComputerName DC01 -Port 636' and validate certificates using OpenSSL or Ldp.exe.
Evan Mael
Written by

Evan Mael

Microsoft MCSA-certified Cloud Architect | Fortinet-focused. I modernize cloud, hybrid & on-prem infrastructure for reliability, security, performance and cost control - sharing field-tested ops & troubleshooting.

Tags
#ldaps#active-directory#ssl-certificates

Further Intelligence

Deepen your knowledge with related resources

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It
tutorial
Windows

How to Get Windows 11 26H1: What It Is, Who It's For, and How to Install It

Deep Dive
How to Deploy Network Locations via Group Policy in Windows Server 2025
tutorial
Networking

How to Deploy Network Locations via Group Policy in Windows Server 2025

Deep Dive
How to Configure Default Inbound Action for Public Profile in Windows Defender
tutorial
Cybersecurity

How to Configure Default Inbound Action for Public Profile in Windows Defender

Deep Dive

Discussion

Share your thoughts and insights

Sign in to join the discussion

Sign inCreate account