Secure Active Directory authentication with public CA and no AD CS

Question

Hi All, 
 For secure AD authentication it seems Sophos advice is to install AD CS and create an AD CA on every AD server you use. 
 Link: https://community.sophos.com/sophos-xg-firewall/f/recommended-reads/128222/sophos-firewall-how-to-integrate-active-directory-with-ssl-tls-or-starttls-connection-security 
 Sophos support confirmed this is the way to go. For me this seems like overkill. IBM even states on there website not to do this; "Do not install the Certificate Services role on the Active Directory server. Some Active Directory Domain configurations are not suited to accept an installed Certificate Services role. For example, when there are multiple Active Directory servers in a domain." Link: https://www.ibm.com/docs/en/tsm/7.1.1?topic=passwords-configuring-windows-active-directory-tlsssl 
 Just to check with the community, why not use a public CA certificate? Then there is no need to install AD CS on every AD. 
 Link: https://docs.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority 
 Did anybody already tried this? And please share your thoughts on this.

rpa · Accepted Answer

So I tested the suggested solution as mentioned in the Microsoft link (enable-ldap-over-ssl-3rd-certification-authority). I bought an SSL certificate, placed it in the Personal Store of the Computer on my AD server. Tested it with ldp.exe and that works. Next step was test SSL/TLS authentication in de Sophos XG (port 636) and that also works. 
 So there is no need to install AD CS on every AD you use for authentication within the Sophos XG. Just buy a public SSL cert and place it on your AD server.

Secure Active Directory authentication with public CA and no AD CS

Top Replies