
Steps to connect Azure Active Directory over LDAPS

A guide outlining the steps to configure a miniOrange IdP to connect to Azure Active Directory over secure LDAP (LDAPS).

Overview

Azure Active Directory (Azure AD) is Microsoft's cloud-based identity and access management service, which helps your employees sign in and access resources. miniOrange provides a solution where existing identities in Azure AD can be leveraged for Single Sign-On into different cloud and on-premise applications. Azure Active Directory supports standard authentication and authorization protocols such as LDAPS (through Azure AD Domain Services), SAML 2.0 and OAuth 2.0.

How does Azure AD over LDAPS work?

(Diagram: Azure AD Create Resource)

Popular Use-Cases

SSO into VPN applications

Employees of an organization can log into a VPN that supports RADIUS (OpenVPN, Fortinet, Palo Alto, etc.) using their Azure Active Directory credentials.

Two Factor Authentication

Two factor authentication is used to log in to various applications using your Active Directory credentials as the first factor and an OTP as the second factor on the application side.

SSO into Office 365 applications using Azure Active Directory credentials

Here Azure Active Directory acts as the Identity Provider for Single Sign-On into different Office 365 applications, with the miniOrange IdP acting as a broker.

Follow the step-by-step guide below to configure a secure LDAP connection between Azure Active Directory and the miniOrange user store.


Step 1: Create and configure an Azure Active Directory Domain Services instance (skip this if you have already configured an Azure AD DS instance in your subscription).

  • Prerequisites

    • An active Azure subscription.
    • You need global administrator privileges in your Azure AD tenant to enable Azure AD DS.
    • You need Contributor privileges in your Azure subscription to create the required Azure AD DS resources.

    1.1 Create an instance and configure basic settings

    • In the upper left-hand corner of the Azure portal, select + Create a resource.
    • Enter Domain Services into the search bar, then choose Azure AD Domain Services from the search suggestions.
      (Screenshot: Azure AD Create Resource)

    • On the Azure AD Domain Services page, select Create. The Enable Azure AD Domain Services wizard is launched.
      (Screenshot: Azure AD Create Domain Service)

    • Complete the fields in the Basics window of the Azure portal to create an Azure AD DS instance:
      • Enter a DNS domain name for your managed domain, taking into consideration the previous points.
      • Select the Azure Subscription in which you would like to create the managed domain.
      • Select the Resource group to which the managed domain should belong. Choose to Create new or select an existing resource group.
      • Choose the Azure Location in which the managed domain should be created.
      • Click OK to move on to the Network section.
  • 1.2 Create and configure the virtual network

    • Complete the fields in the Network window as follows:
      • On the Network window, choose Select virtual network.
      • For this tutorial, choose to Create new virtual network to deploy Azure AD DS into.
      • Enter a name for the virtual network, such as myVnet, then provide an address range, such as 10.1.0.0/16.
      • Create a dedicated subnet with a clear name, such as DomainServices. Provide an address range, such as 10.1.0.0/24.
    • With the virtual network and subnet created, the subnet should be automatically selected, such as DomainServices. You can instead choose an alternate existing subnet that's part of the selected virtual network.
    • Select OK to confirm the virtual network configuration.
  • 1.3 Configure an administrative group

    • The wizard automatically creates the AAD DC Administrators group in your Azure AD directory. If you have an existing group with this name in your Azure AD directory, the wizard selects this group. You can optionally choose to add additional users to this AAD DC Administrators group during the deployment process.

      NOTE: Members are added to this administrator group in Step 6 of this document.
  • 1.4 Configure Synchronization

    • Azure AD DS lets you synchronize all users and groups available in Azure AD, or a scoped synchronization of only specific groups.
    • Select the scope and then click OK.

      NOTE: The synchronization scope cannot be changed later. If it needs to change, a new managed domain has to be created.
  • 1.5 Deploy your managed domain

    • On the Summary page of the wizard, review the configuration settings for the managed domain. You can go back to any step of the wizard to make changes.
    • To create the managed domain, select OK.
    • The process of provisioning your managed domain can take up to an hour. A notification is displayed in the portal that shows the progress of your Azure AD DS deployment. Select the notification to see detailed progress for the deployment.
    • When the managed domain is fully provisioned, the Overview tab shows the domain status as Running.

    • NOTE: During the provisioning process, Azure AD DS creates two Enterprise Applications named Domain Controller Services and AzureActiveDirectoryDomainControllerServices in your directory. These Enterprise Applications are needed to service your managed domain. It's imperative that these applications are not deleted at any time.

Step 2: Creation and delegation of certificates for secure LDAP

  • 2.1 Create a Self-Signed Certificate

    • To use secure LDAP, a digital certificate is used to encrypt the communication. This digital certificate is applied to your Azure AD DS managed domain.
    • Open a PowerShell window as Administrator and run the commands that create the self-signed certificate.

      NOTE: Replace the $dnsName variable with the DNS name used by your own managed domain, such as exampledomain.com. This must be the same DNS name as your Azure AD DS managed domain.
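The certificate creation as a PowerShell script. This is an added example for this step, not the page's own command listing; the domain name is a placeholder and the store location, key-usage and one-year lifetime are choices made here, not requirements stated by the guide.

```powershell
# Added example, not the page's own commands: create the self-signed certificate
# that Azure AD DS presents for secure LDAP (Step 2.1).
# Assumption: $dnsName below is a placeholder for your managed domain's DNS name.
$dnsName = "exampledomain.com"

# The certificate covers both the bare domain and *.<domain>, because clients
# connect to ldaps.<domain> (Step 5) while Azure AD DS answers for the managed domain.
# KeyExportPolicy Exportable is needed so the private key can go into the .PFX
# file in Step 2.2; a one-year lifetime keeps the rotation window short.
$cert = New-SelfSignedCertificate `
    -Subject "CN=*.$dnsName" `
    -DnsName "*.$dnsName", $dnsName `
    -Type SSLServerAuthentication `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -KeyExportPolicy Exportable `
    -NotAfter (Get-Date).AddDays(365) `
    -CertStoreLocation "Cert:\LocalMachine\My"

# Show what was created so the entry can be recognised in the MMC later (Step 2.2).
$cert | Format-List Subject, DnsNameList, NotBefore, NotAfter, Thumbprint
```

The certificate lands in Certificates (Local Computer) > Personal, which is where the MMC steps in 2.2 and 2.3 look for it. Note the expiry date: Azure AD DS stops serving LDAPS with a valid certificate once it lapses, so the same procedure has to be repeated before then.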
  • 2.2 Export a certificate for Azure AD DS

    • Before you can use the digital certificate created in the previous step with your Azure AD DS managed domain, export the certificate to a .PFX certificate file that includes the private key.

    • To open the Run dialog, press the Windows and R keys.
    • Open the Microsoft Management Console (MMC) by entering MMC in the Run dialog, then select OK.
    • On the User Account Control prompt, click Yes to launch MMC as administrator.
    • From the File menu, click Add/Remove Snap-in…
    • In the Certificates snap-in wizard, choose Computer account, then select Next.
    • On the Select Computer page, choose Local computer: (the computer this console is running on), then select Finish.
    • In the Add or Remove Snap-ins dialog, click OK to add the Certificates snap-in to MMC.
    • In the MMC window, expand Console Root. Select Certificates (Local Computer), then expand the Personal node, followed by the Certificates node.
      (Screenshot: Windows Certificate)

    • The self-signed certificate created in the previous step is shown, such as exampledomain.com. Right-click this certificate, then choose All Tasks > Export…
      (Screenshot: Windows Certificate Export)

    • In the Certificate Export Wizard, select Next.
    • The private key for the certificate must be exported. If the private key is not included in the exported certificate, the action to enable secure LDAP for your managed domain fails. On the Export Private Key page, choose Yes, export the private key, then select Next.
      (Screenshot: Windows Certificate Export with Private key)

    • Azure AD DS managed domains only support the .PFX certificate file format that includes the private key. Don't export the certificate as a .CER certificate file (which omits the private key) for this step.
    • On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX) as the file format for the exported certificate. Check the box for Include all certificates in the certification path if possible and click Next.
      (Screenshot: Windows Personal Information Exchange)

    • On the Security page, choose the Password option to protect the .PFX certificate file. Enter and confirm a password, then select Next. This password is used in Step 3 to enable secure LDAP for your Azure AD DS managed domain.
      (Screenshot: Windows Password for certificate)

    • On the File to Export page, specify the file name and location where you'd like to export the certificate, such as C:\Users\accountname\azure-ad-ds.pfx.
    • On the review page, select Finish to export the certificate to a .PFX certificate file. A confirmation dialog is displayed when the certificate has been successfully exported.
    • Leave the MMC open for use in the following section.
  • 2.3 Export a certificate for Client Computers

  • Client computers must trust the issuer of the secure LDAP certificate to be able to connect successfully to the managed domain using LDAPS. With a self-signed certificate, the issuer is the certificate itself, so the client needs a copy of it to validate the server during the TLS handshake. Follow these steps to export the self-signed certificate (without its private key) and then install it into the trusted certificate store on the client computer:

    • Go back to the MMC for Certificates (Local Computer) > Personal > Certificates store. The self-signed certificate created in a previous step is shown, such as exampledomain.com. Right-click this certificate, then choose All Tasks > Export…
    • In the Certificate Export Wizard, select Next.
    • As you don't need the private key for clients, on the Export Private Key page choose No, do not export the private key, then select Next.
      (Screenshot: Windows No Private Key)

    • On the Export File Format page, select Base-64 encoded X.509 (.CER) as the file format for the exported certificate:
      (Screenshot: Windows Base64 Encoded certificate)

    • On the File to Export page, specify the file name and location where you'd like to export the certificate, such as C:\Users\accountname\client.cer.
      (Screenshot: Windows Save certificate)

    • On the review page, select Finish to export the certificate to a .CER certificate file. A confirmation dialog is displayed when the certificate has been successfully exported.
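Both exports from Steps 2.2 and 2.3 can be scripted instead of clicking through the MMC wizard. The following is an added example written for this guide, not a miniOrange or Microsoft command listing; it assumes the certificate was created with subject CN=*.exampledomain.com as in Step 2.1, and the two output paths are placeholders.

```powershell
# Added example, not from the original page: export the Step 2.1 certificate twice,
# once with the private key (.PFX, for Azure AD DS) and once without (.CER, for clients).
# Assumptions: subject CN=*.exampledomain.com; output paths are placeholders.
$dnsName = "exampledomain.com"
$pfxPath = "C:\Users\accountname\azure-ad-ds.pfx"   # uploaded to Azure AD DS in Step 3
$cerPath = "C:\Users\accountname\client.cer"        # installed on client machines in Step 7

# Locate the certificate in the local machine Personal store (newest one, with a private key).
$cert = Get-ChildItem -Path "Cert:\LocalMachine\My" |
    Where-Object { $_.Subject -eq "CN=*.$dnsName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for CN=*.$dnsName in Cert:\LocalMachine\My" }

# 2.2: PKCS #12 (.PFX) including the private key, protected by the password Step 3 asks for.
$pfxPassword = Read-Host -Prompt "Password to protect the .PFX file" -AsSecureString
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword -ChainOption BuildChain | Out-Null

# 2.3: Base-64 encoded X.509 (.CER): public certificate only. RawData never contains
# the private key, so this file is safe to hand to client machines.
$pem = "-----BEGIN CERTIFICATE-----`r`n" +
       [Convert]::ToBase64String($cert.RawData, [System.Base64FormattingOptions]::InsertLineBreaks) +
       "`r`n-----END CERTIFICATE-----"
Set-Content -Path $cerPath -Value $pem -Encoding Ascii

# Sanity check: the .cer must reload as the same certificate and carry no private key.
$reloaded = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cerPath)
if ($reloaded.HasPrivateKey) { throw "client.cer unexpectedly contains a private key" }
if ($reloaded.Thumbprint -ne $cert.Thumbprint) { throw "client.cer does not match the exported certificate" }
Get-Item $pfxPath, $cerPath | Select-Object Name, Length
```

Keep the .PFX file and its password together only for as long as Step 3 needs them; the .PFX holds the key that terminates every LDAPS session to the managed domain, so it should not be copied to client machines or left in a shared folder.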

Step 3: Enable Secure LDAP for Azure AD DS

    • In the Azure portal, search for domain services in the Search resources box. Select Azure AD Domain Services from the search result.
      (Screenshot: Azure AD Domain Search)

    • Choose your managed domain, such as exampledomain.com.
      (Screenshot: Azure AD Domain List)

    • On the left-hand side of the Azure AD DS window, choose Secure LDAP.
      (Screenshot: Azure AD Secure Ldap Settings)

    • By default, secure LDAP access to your managed domain is disabled. Toggle Secure LDAP to Enable.
    • Toggle Allow secure LDAP access over the internet to Enable. (The inbound security rule added in Step 4 controls which sources can actually reach the endpoint.)
    • Select the folder icon next to .PFX file with a secure LDAP certificate. Browse to the path of the .PFX file, then select the certificate exported in Step 2.2, which includes the private key.
    • Enter the Password to decrypt .PFX file that was set in Step 2.2 when the certificate was exported.
    • Select Save to enable secure LDAP.

      NOTE: A notification is displayed that secure LDAP is being configured for the managed domain. You can't modify other settings for the managed domain until this operation is complete. It takes a few minutes to enable secure LDAP for your managed domain.
      (Screenshot: Azure AD Secure Ldap Config)
      (Screenshot: Azure AD Secure Ldap Notify wait)

Step 4: Adding Security Rule

    • On the left-hand side of the Azure AD DS window, choose Properties.
    • Then select the relevant network security group associated with this domain, listed under Network security group associated with subnet.
      (Screenshot: Azure AD Network group)

    • The list of existing inbound and outbound security rules is displayed. On the left-hand side of the network security group window, choose Security > Inbound security rules.
    • Select Add, then create a rule to allow TCP port 636 using one of the two options below.
    • Option A: Add an inbound security rule that allows incoming TCP requests to port 636 from any source. This exposes the LDAPS endpoint to the whole internet.

      Setting                   Value
      Source                    Any
      Source port ranges        *
      Destination               Any
      Destination port ranges   636
      Protocol                  TCP
      Action                    Allow
      Priority                  401
      Name                      AllowLDAPS

    • Option B (recommended): Add an inbound security rule that allows incoming TCP requests to port 636 only from a specified set of IP addresses, such as the address the miniOrange IdP connects from.

      Setting                             Value
      Source                              IP Addresses
      Source IP addresses / CIDR ranges   Valid IP address or range for your environment
      Source port ranges                  *
      Destination                         Any
      Destination port ranges             636
      Protocol                            TCP
      Action                              Allow
      Priority                            401
      Name                                AllowLDAPS

      (Screenshot: Azure AD Security Rules)

    • When ready, select Add to save and apply the rule.
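The Option B rule can also be created with the Az PowerShell module, which makes the allowed source list reviewable and repeatable. This is an added example for this guide, not miniOrange tooling; the resource group, NSG name and source addresses are placeholders for your environment, and it assumes the Az module is installed and Connect-AzAccount has been run.

```powershell
# Added example, not from the original page: create the Step 4 Option B inbound rule
# (TCP 636 from specific sources only) with the Az PowerShell module.
# Assumptions: resource group, NSG name and source addresses are placeholders;
# Install-Module Az and Connect-AzAccount have already been done.
$resourceGroup  = "myResourceGroup"
$nsgName        = "aadds-nsg"
$allowedSources = @("203.0.113.10/32", "198.51.100.0/24")   # IdP egress addresses (placeholders)

# Refuse to build the rule if the source list would amount to Option A (open to the internet).
$openToAll = @("*", "0.0.0.0/0", "Internet", "Any")
foreach ($src in $allowedSources) {
    if ($openToAll -contains $src) { throw "Source '$src' would open TCP 636 to everyone; list specific addresses instead" }
}

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup

# Same values as the Option B table: inbound, TCP, any source port, destination port 636,
# priority 401, name AllowLDAPS, but the source is restricted to $allowedSources.
$nsg | Add-AzNetworkSecurityRuleConfig `
    -Name "AllowLDAPS" `
    -Description "Secure LDAP from the miniOrange IdP addresses only" `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 401 `
    -SourceAddressPrefix $allowedSources -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 636 | Out-Null

# Push the change to Azure and print the resulting rule for review.
$nsg = $nsg | Set-AzNetworkSecurityGroup
$nsg | Get-AzNetworkSecurityRuleConfig -Name "AllowLDAPS" |
    Select-Object Name, Priority, SourceAddressPrefix, DestinationPortRange, Access
```

Leave the rules that Azure AD DS itself placed in this network security group untouched; the script only appends the AllowLDAPS rule.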

Step 5: Configuring DNS for External Access

  • With secure LDAP access enabled over the internet, update DNS so that client computers can find this managed domain. The Secure LDAP external IP address is listed on the Properties tab for your Azure AD DS managed domain:
    (Screenshot: Azure AD External IP Address)

  • Add the following entry to the hosts file of the machine that will connect (on Windows: C:\Windows\System32\drivers\etc\hosts):
    <Secure LDAP external IP address> ldaps.<domainname>
    Replace <Secure LDAP external IP address> with the IP shown in the Azure portal, and replace <domainname> with the domain name for which the certificate was created (the value used in $dnsName).
    Eg: 99.129.99.939 ldaps.exampledomain.com

Step 6: Enabling a user to bind successfully

  • On the left-hand side of the Azure AD DS window, choose Properties.
  • Then select the relevant admin group associated with this domain.
    (Screenshot: Azure AD Admin Groups)

  • Then select Members under the Manage tab in the left-hand side panel.
    (Screenshot: Azure AD Add Admin)

  • Select Add Members and select the member you will use for the bind operation. Then log in to the Azure portal as that user, who is now an administrator (if not already logged in).
  • Select the user settings in the top right corner and select View account.
    (Screenshot: Azure AD View Account)

  • Then select Set up self service password reset and complete its setup.
    (Screenshot: Azure AD Self Service Password Reset)

  • After successful setup, select Azure Portal from the list of apps.
    (Screenshot: Azure AD All Apps)

  • Then go to the user profile again and select Change password.
    (Screenshot: Azure AD Change Password)

  • Once the password has been changed successfully, this user is eligible for the bind operation. The password change is what generates the password hashes in the form Azure AD DS needs for LDAP authentication; a user whose password has not been changed since the managed domain was created cannot bind.

Step 7: Configuring MiniOrange Identity Provider User Store

  • Prerequisites

    • Install keytool for Windows. It is installed with Java and is present in the $JAVA_HOME\bin directory; to use it from elsewhere, add this directory to the PATH variable.
  • 7.1 Steps for configuration:

    • For miniOrange On-Premise users only: adding the client certificate to the Java cacerts
      • To add the client certificate (.cer file) to your Java cacerts, go to $JAVA_HOME\jre\lib\security and run the following command from a command prompt opened as administrator:
         keytool -importcert -file <Path to .cer file> -keystore cacerts -alias "<Alias for the certificate>"
         Eg: keytool -importcert -file C:\Client.cer -keystore cacerts -alias "azureclient"
      • NOTE: The default password for the keystore is: changeit

        (Screenshot: Windows Import Certificate)

      • You can check that your certificate was imported into the cacerts with the following command:
         keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
        (Screenshot: Windows List Certificate)

        (Screenshot: Windows Validate Certificate)

    • For miniOrange Cloud users only: in this case you have to send the client certificate to miniOrange and we will configure it for you.
    • Configure the User Store in the IdP
      • From the Identity Provider, select User Stores in the left-hand side panel.
      • Select Add User Store.
        (Screenshot: miniOrange User Store)

      • Select AD/LDAP and fill in the following details:
        (Screenshot: miniOrange AD LDAP)


        Field                   Value
        LDAP display name       Any string that labels this entry
        LDAP Identifier         Unique identifier for this specific entry
        Directory Type          Active Directory
        LDAP Server URL         Select the ldaps:// prefix, followed by the host name added to the hosts file in Step 5. Eg: ldaps://ldaps.exampledomain.com
        Bind Account DN         UserPrincipalName of the account made eligible for the bind operation in Step 6
        Bind Account Password   Password of the account used for binding
        Search Base             Distinguished name of the search base object. Eg: cn=User,dc=domain,dc=com
        Search Filter           Search filter that defines which entries are matched, making searches more efficient. Eg: "(&(objectClass=*)(cn=?))"
        Domain Name             Semi-colon separated list of domains. Eg: miniorange.com
        LDAP Attribute List     Semi-colon separated list of attributes. Eg: cn;mail;givenName

      • Finally click on the Save button.
        (Screenshot: miniOrange Save User Store)

      • Now select Test Configuration for the user store entry that was created and enter the credentials of any user present in the Azure Active Directory.
        (Screenshot: miniOrange Test Configuration)

      • If everything is set up correctly, the LDAPS connection to Azure AD succeeds and Test Configuration shows a success message.
        (Screenshot: miniOrange Connection Success)

      • After successfully configuring the LDAPS connection, select the Edit option for the entry in the user stores and turn on the Activate LDAP check box.
        (Screenshot: miniOrange Activate Ldap)
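When Test Configuration fails, it helps to check the same pieces outside the IdP, one at a time: the hosts entry from Step 5, the security rule from Step 4, client trust of the certificate from Steps 2.3 and 7, and the bind account from Step 6. The script below does that with the .NET LDAP client that ships with Windows. It is an added example written for this guide, not miniOrange tooling; the host name, bind account UPN and search base are placeholders.

```powershell
# Added example, not from the original page: verify an LDAPS bind to Azure AD DS
# from the machine that holds the hosts entry and the trusted client certificate.
# Assumptions: $server, $bindUpn and $searchBase are placeholders for your environment.
Add-Type -AssemblyName System.DirectoryServices.Protocols

$server     = "ldaps.exampledomain.com"        # the name added to the hosts file in Step 5
$bindUpn    = "ldapbind@exampledomain.com"     # the account prepared in Step 6
$searchBase = "dc=exampledomain,dc=com"        # the Search Base entered in the IdP

# 1. Name resolution and reachability on TCP 636 (hosts file + AllowLDAPS rule).
$tcp = Test-NetConnection -ComputerName $server -Port 636
if (-not $tcp.TcpTestSucceeded) { throw "TCP 636 to $server failed: check the hosts entry and the AllowLDAPS rule" }

# 2. TLS with normal certificate validation against the Windows trust store.
#    Do NOT assign a VerifyServerCertificate callback that returns $true: that
#    silently disables validation and undoes the point of distributing client.cer.
$identifier = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($server, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($identifier)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic

# 3. Simple bind with the UPN, the same form the IdP's Bind Account DN field uses.
$password = Read-Host -Prompt "Password for $bindUpn" -AsSecureString
$conn.Credential = New-Object System.Net.NetworkCredential($bindUpn, $password)
try {
    $conn.Bind()
    Write-Host "LDAPS bind as $bindUpn succeeded"

    # 4. A search shaped like the IdP's filter, to confirm the search base is correct.
    $filter   = "(&(objectClass=user)(userPrincipalName=$bindUpn))"
    $request  = New-Object System.DirectoryServices.Protocols.SearchRequest($searchBase, $filter, 'Subtree', @('cn', 'mail'))
    $response = $conn.SendRequest($request)
    if ($response.Entries.Count -eq 0) { throw "Bind worked but nothing matched under $searchBase; check the Search Base" }
    $response.Entries | ForEach-Object { $_.DistinguishedName }
}
catch [System.DirectoryServices.Protocols.LdapException] {
    # Typical causes: certificate not trusted by this machine, wrong password, or a
    # password that was never changed after the managed domain was created (Step 6).
    throw "LDAP error $($_.Exception.ErrorCode): $($_.Exception.Message)"
}
finally { $conn.Dispose() }
```

Each check maps to one earlier step, so the first one that fails tells you where to look. A bind that succeeds here but fails in the IdP usually means the certificate was imported into a different Java cacerts than the one the IdP process uses.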
