Connect Azure AD DS with LDAP

Azure Active Directory (Azure AD) is Microsoft’s cloud-based Identity and Access Management (IAM) service, which helps your employees sign in and access resources. miniOrange provides a solution where existing identities in Azure Active Directory Services can be leveraged for Single Sign-On (SSO) into different cloud and on-premise applications. Azure Active Directory supports standard authentication and authorization protocols such as LDAPS, SAML 2.0 and OAUTH 2.0.
To interact with your Azure Active Directory Domain Services (Azure AD DS) managed domain, the Lightweight Directory Access Protocol (LDAP) is mostly used. By default, the LDAP traffic isn't encoded, which is a security concern for many environments. With Azure Active Directory Domain Services, you can configure the managed domain to use secure Lightweight Directory Access Protocol (LDAPS). When you use secure LDAP, the traffic is encrypted. Secure LDAP is also known as LDAP over Secure Sockets Layer (SSL).

How does Azure Active Directory over LDAPS work?

Popular Use-Cases around Azure AD Domain Services

SSO into different VPN application

Employees in organization can log into a VPN that supports Radius (OpenVPN, Fortinet, Palo Alto, Pulse Secure etc) using their Azure Active Directory (AD) Credentials.

Two-Factor Authentication (2FA)

Two-factor Authentication (2FA) is used to log in into various application using your Active Directory (AD) Credentials as the first factor and OTP as a second factor on the Application Side.

SSO into Office 365 Applications using Azure Active Directory Credentials

Here Azure Active directory acts as an Identity Provider to SSO into different Office 365 Applications where miniOrange IdP acts as a broker.

Connect with External Source of Users

miniOrange provides user authentication from various external sources, which can be Directories (like ADFS, Microsoft Active Directory, Azure AD, OpenLDAP, Google, AWS Cognito etc), Identity Providers (like Shibboleth, Ping, Okta, OneLogin, KeyCloak), Databases (like MySQL, Maria DB, PostgreSQL) and many more.

Follow the Step-by-Step guide given below to configure Secure LDAP Connection between Azure Active Directory and miniOrange User Store

1. Create and configure an Azure Active Directory Domain Services instance

(Skip this if you have already configured a AADDS instance for a subscription)

1. Prerequisites

An active Azure subscription.
You need global administrator privileges in your Azure AD tenant to enable Azure Active Directory Domain Services either synchronized with an on-premises directory or a cloud-only directory.
You need Contributor privileges in your Azure subscription to create the required Azure Active Directory Domain Services resources.

1.1 Create an instance and configure basic settings

In the upper left-hand corner of the Azure portal, click on + Create a resource.
Enter Domain Services into the search bar, then choose Azure AD Domain Services from the search suggestions.

On the Azure AD Domain Services page, click on Create. The Enable Azure AD Domain Services wizard is launched.

Complete the fields in the Basics window of the Azure portal to create an Azure AD DS instance:
- Enter a DNS domain name for your managed domain, taking into consideration the previous points.
- Select the Azure Subscription in which you would like to create the managed domain.
- Select the Resource group to which the managed domain should belong. Choose to Create new or select an existing resource group.
- Choose the Azure Location in which the managed domain should be created.
- Click OK to move on to the Network section.

1.2 Create and configure the virtual network

Complete the fields in the Network window as follows:
- On the Network window, choose Select virtual network.
- For this tutorial, choose to Create new virtual network to deploy Azure AD DS into.
- Enter a name for the virtual network, such as myVnet, then provide an address range, such as 10.1.0.0/16.
- Create a dedicated subnet with a clear name, such as DomainServices. Provide an address range, such as 10.1.0.0/24.
With the virtual network and subnet created, the subnet should be automatically selected, such as DomainServices. You can instead choose an alternate existing subnet that's part of the selected virtual network.
Click on OK to confirm the virtual network configuration.

1.3 Configure an administrative group

The wizard automatically creates the AAD DC Administrators group in your Azure AD directory. If you have an existing group with this name in your Azure AD directory, the wizard selects this group. You can optionally choose to add additional users to this AAD DC Administrators group during the deployment process.

NOTE: We have included members in the administrator group further ahead in this document.

1.4 Configure Synchronization

Azure Active Directory Domain Services lets you synchronize all users and groups available in Azure AD, or a scoped synchronization of only specific groups.
Select the scope and then click OK.

NOTE: Scope cannot be changed later. If the need arises, then creation of new domain will be required.

1.5 Deploy your managed domain

On the Summary page of the wizard, review the configuration settings for the managed domain. You can go back to any step of the wizard to make changes
To create the managed domain, click on OK.
The process of provisioning your managed domain can take up to an hour. A notification is displayed in the portal that shows the progress of your Azure AD DS deployment. Select the notification to see detailed progress for the deployment.
When the managed domain is fully provisioned, the Overview tab shows the domain status as Running.

NOTE: During the provisioning process, Azure AD DS creates two Enterprise Applications named Domain Controller Services and AzureActiveDirectoryDomainControllerServices in your directory. These Enterprise Applications are needed to service your managed domain. It's imperative that these applications are not deleted at any time.

2. Create and delegate certificates for secure LDAP

2.1 Create a Self-Signed Certificate

To use Secure LDAP, a digital certificate is used to encrypt the communication. This digital certificate is applied to your Azure AD DS managed domain.
Open a PowerShell window as Administrator and run the following commands.

NOTE: Replace the $dnsName variable with the DNS name used by your own managed domain, such as exampledomain.com. This domain shoud be same as your ADDS managed domain.


    # Define your own DNS name used by your Azure AD DS managed domain
    $dnsName="exampledomain.com"

    # Get the current date to set a one-year expiration
    $lifetime=Get-Date

    # Create a self-signed certificate for use with Azure AD DS
    New-SelfSignedCertificate -Subject *.$dnsName `
      -NotAfter $lifetime.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment `
      -Type SSLServerAuthentication -DnsName *.$dnsName, $dnsName

2.2 Export a certificate for Azure AD DS

To open the Run dialog, press the Windows and R keys.
Open the Microsoft Management Console (MMC) by entering MMC in the Run dialog, then select OK.
On the User Account Control prompt, click Yes to launch MMC as administrator.
From the File menu, click Add/Remove Snap-in…
In the Certificates snap-in wizard, choose Computer account, then select >Next
On the Select Computer page, choose Local computer: (the computer this console is running on), then select Finish.
In the Add or Remove Snap-ins dialog, click OK to add the certificates snap-in to MMC.
In the MMC window, expand Console Root. Select Certificates (Local Computer), then expand the Personal node, followed by the Certificates node.

Windows Certificate to connect with AD DS

The self-signed certificate created in the previous step is shown, such as exampledomain.com. Right-click this certificate, then choose All Tasks > Export…

Export Windows Certificate for azure AD LDAP Configuration

In the Certificate Export Wizard, select Next.
The Private key for the certificate must be exported. If the private key is not included in the exported certificate, the action to enable secure LDAP for your managed domain fails.
On the Export Private Key page, choose Yes, export the private key, then select Next.

Windows Certificate Export with Private key

Azure AD DS managed domains only support the .PFX certificate file format that includes the private key. Don't export the certificate as .CER certificate file format without the private key.
On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX) as the file format for the exported certificate. Check the box for Include all certificates in the certification path if possible and click next.

On the Security page, choose the option for Password to protect the .PFX certificate file. Enter and confirm a password, then select Next. This password is used in the next section to enable secure LDAP for your Azure AD DS managed domain.

On the File to Export page, specify the file name and location where you'd like to export the certificate, such as C:\Users\accountname\azure-ad-ds.pfx.
On the review page, click on Finish to export the certificate to a .PFX certificate file. A confirmation dialog is displayed when the certificate has been successfully exported
Leave the MMC open for use in the following section.

2.3 Export a certificate for Client Computers

Go back to the MMC for Certificates (Local Computer) > Personal > Certificates store. The self-signed certificate created in a previous step is shown, such as exampledomain.com. Right-click this certificate, then choose All Tasks > Export…
In the Certificate Export Wizard, select Next.
As you don't need the private key for clients, on the Export Private Key page choose No, do not export the private key, then select Next.

On the Export File Format page, select Base-64 encoded X.509 (.CER) as the file format for the exported certificate:

On the File to Export page, specify the file name and location where you'd like to export the certificate, such as C:\Users\accountname\client.cer.

On the review page, select Finish to export the certificate to a .CER certificate file. A confirmation dialog is displayed when the certificate has been successfully exported.

3. Enable Secure LDAP for Azure AD DS

In the Azure portal, search for domain services in the Search resources box. Select Azure AD Domain Services from the search result.

Choose your managed domain, such as exampledomain.com.

On the left-hand side of the Azure AD DS window, choose Secure LDAP.

By default, secure LDAP access to your managed domain is disabled. Toggle Secure LDAP to Enable.
Toggle Allow secure LDAP access over the internet to Enable.
Select the folder icon next to .PFX file with a secure LDAP certificate. Browse to the path of the .PFX file, then select the certificate created in a previous step that includes the private key.
Enter the Password to decrypt .PFX file set in a previous step when the certificate was exported to a .PFX file.
Click on Save to enable secure LDAP.

NOTE: A notification is displayed that secure LDAP is being configured for the managed domain. You can't modify other settings for the managed domain until this operation is complete. It takes a few minutes to enable secure LDAP for your managed domain.

A notification is displayed that secure LDAP is being configured for the managed domain. You can't modify other settings for the managed domain until this operation is complete. It takes a few minutes to enable secure LDAP for your managed domain.

Azure AD Secure Ldap configured for the managed domain

4. Adding Security Rules

On the left-hand side of the Azure AD DS window, choose Properties.
Then select the relevant Network Group Associated with this domain under Network security group associated with subnet.

The list of existing inbound and outbound security rules are displayed. On the left-hand side of the network security group windows, choose Security > Inbound security rules.
Select Add, then create a rule to allow TCP port 636.
Option A: Add an Inbound Security Rule to allow all incoming TCP requests.

Settings	Value
Source	Any
Source port ranges	*
Destination	Any
Destination port ranges	636
Protocol	TCP
Action	Allow
Priority	401
Name	AllowLDAPS

Option B: Add an Inbound Security Rule to allow incoming TCP requests from a specified set of IP Addresses.(Recommended)

Settings	Value
Source	IP Addresses
Source IP addresses / CIDR ranges	Valid IP address or range for your environment.
Source port ranges	*
Destination	Any
Destination port ranges	636
Protocol	TCP
Action	Allow
Priority	401
Name	AllowLDAPS

When ready, click on Add to save and apply the rule.

5. Configure DNS for External Access

With secure LDAP access enabled over the internet, update the DNS zone so that client computers can find this managed domain. The Secure LDAP external IP address is listed on the Properties tab for your Azure AD DS managed domain:

Make the following entry in your hosts file <Secure LDAP external IP address>ldaps.<domainname> Replace <Secure LDAP external IP address> with the IP we get from azure portal and replace &l;tdomainname> with the domain name for which the certificate was created.(Value used in $dnsName) Eg: 99.129.99.939 ldaps.exampledomain.com

6. Enabling a user to bind successfully

On the left-hand side of the Azure AD DS window, choose Properties.
Then select the relevant Admin Group Associated with this domain.

Then select Members under the Manage tab from the left hand side panel.

Click on Add Members and select the member that you would use to do the bind operation. Then log in to azure portal using the same user that is now admin.(If not already logged in)
Select the user setting from top right corner and click on view account.

Then select Set up self service password reset and go along with its setup.

After Successful setup select Azure Portal from the list of apps.

Then again go to the user profile and select change password.

Once the password is changed successfully then this user is eligible for binding operation.

7. Configure miniOrange Identity Provider as User Store

Cloud Users
On-Premise Users

In this case you will have to send the Client Certificate to miniOrange and we will configure it for you.

Configure the User Store in the IDP

From the Identity Provider select User Stores from the left hand side panel.
Select Add User Store.

Select AD/LDAP and fill in the following details :

Field	Value
LDAP display name	Any string that displays on this entry
LDAP Identifier	Unique identifier that identifies this specific entry
Directory Type	Active Directory
LDAP Server URL	Select ldaps:// as the pre filler followed by the domain entry added in the host file during configure DNS for external access. Eg: ldaps://ldaps.exampledomain.com
Bind Account DN	UserPrincipalName of the account eligible for binding operation.
Bind Account Password	Password for the account used for binding
Search Base	Provide distinguished name of the Search Base object Eg:cn=User,dc=domain,dc=com
Search Filter	Search filters enable you to define search criteria and provide a more efficient and effective searches. Eg: "(&(objectClass=*)(cn=?))"
Domain Name	Semi-colon separated list of domain. Eg: miniorange.com
LDAP Attribute List	Semi-colon separated list of attributes. Eg: cn;mail;givenName

Enable Activate LDAP in order to authenticate users from AD/LDAP.
Finally click on the save button to add user store.

Now select test configuration for the user stores entry that was created and enter the credential of any user present in the Azure Active Directory.

On successful LDAP connection to Azure AD a success message will be reflected on your screen.

Prerequisites:
Install keytool for windows.(Its installed with java and is present in $JAVA_HOME\bin directory. To use it elsewhere add this directory to PATH variable.)
To add the client certificate (.cer file) to your JAVA cacerts go to $JAVA_HOME\jre\lib\security and run the following command using command prompt as administrator:
keytool -importcert -file <Path to .cer file> -keystore cacerts -alias "<Alias for the certificate>"
Eg:keytool -importcert -file C:\Client.cer -keystore cacerts -alias "azureclient"

NOTE:

You can validate if your certificate was properly imported in the cacerts using the following command:
keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

Contents