Sophos Firewall: A Quick Guide for LDAPS/AD Integration With Windows Server 2022/2019/2012…

Disclaimer: This information is provided as-is for the benefit of the Community. Please contact Sophos Professional Services if you require assistance with your specific environment.

______________________________________________________________________________________________________________________________________

Overview

This article shows how to configure Active Directory authentication on Sophos Firewall and how to set up secure LDAPS on Windows Server 2012 through 2022.

Useful Docs/KBAs related to AD authentication and user group behaviour:

  • Group membership behavior with Active Directory
  • *NOTE: After importing Active Directory groups, a user only appears under “Authentication > Users” once they have authenticated at least once on any portal (user portal, captive portal, and so on). This is the default architecture of SFOS: users are not synced from AD until they authenticate.

Adding Active Directory Certificate Services

Step1: Open the Server Manager dashboard > Add roles and features

Step2: Under Installation Type, select Role-based or feature-based installation

Step3: Under Server Selection, choose the target server

 

Step4: Under Server Roles, select Active Directory Certificate Services

Step5: Click Next through the Features page and the AD DS / AD CS information pages

Step6: Under Role Services, ensure Certification Authority is checked.

Step7: On Confirmation, enable the option “Restart the destination server automatically if required.” and click Install.

The installation begins; wait for it to complete.

Configuring Active Directory Certificate Services

Step1: In Server Manager, open the Post-deployment Configuration notification for AD CS

Step2: Select Next on Credentials

Step3: Under Role Services, enable the “Certification Authority” option.

Step4: Select setup type as Enterprise CA

Step5: Select CA type as Root CA

Step6: Select Private key as “Create a new private key”

Step7: On Cryptography, click Next or adjust to your requirements; use at least a 2048-bit RSA key and SHA256, since SHA1-signed CA certificates are rejected by modern TLS clients

Step8: Verify the CA name and click Next

Step9: Select the validity period based on your requirements; I chose 99 years here. Keep in mind that if the root key is ever compromised, every certificate it issued stays exploitable until all relying parties stop trusting it, so a shorter lifetime (10 to 20 years is common for an internal root) limits that exposure.

Step10: Click Next on Certificate Database and on Confirmation click Configure

It will show the configuration results as in the screenshot below:
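The same role installation and CA configuration can be done from PowerShell. The script below is an added example, not part of the original article, and is equivalent to the wizard steps above; the CA common name "Contoso-Root-CA" is an assumed value, and the 99-year validity mirrors the walkthrough. Run it in an elevated PowerShell on the domain controller as an Enterprise Admin.

```powershell
# Added example (not from the original article): install and configure the
# AD CS Certification Authority role from PowerShell, equivalent to the
# Server Manager wizard steps above. Assumed values: the CA common name
# "Contoso-Root-CA" and the 99-year validity used in the walkthrough.

# 1. Add the Certification Authority role service plus the management tools
#    (certutil and the AD CS snap-ins).
Install-WindowsFeature -Name ADCS-Cert-Authority -IncludeManagementTools

# 2. Configure an Enterprise Root CA with a new 2048-bit RSA key and SHA256.
#    Lower -ValidityPeriodUnits if you prefer a shorter root lifetime.
Install-AdcsCertificationAuthority `
    -CAType EnterpriseRootCA `
    -CACommonName "Contoso-Root-CA" `
    -CryptoProviderName "RSA#Microsoft Software Key Storage Provider" `
    -KeyLength 2048 `
    -HashAlgorithmName SHA256 `
    -ValidityPeriod Years `
    -ValidityPeriodUnits 99 `
    -Force

# 3. Trigger certificate autoenrollment so the DC obtains its Domain Controller
#    certificate from the new CA now, instead of waiting for the next policy
#    refresh or a reboot. LDAPS only works once this certificate is present.
certutil -pulse

# 4. Confirm a certificate with the Server Authentication EKU is in the machine
#    store; this is the certificate the LDAP service will present on port 636.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.EnhancedKeyUsageList.FriendlyName -contains 'Server Authentication' } |
    Select-Object Subject, Issuer, NotAfter, Thumbprint
```

If step 4 lists nothing, autoenrollment has not completed yet; check Event Viewer under Microsoft-Windows-CertificateServicesClient-AutoEnrollment or reboot the server as the article describes.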

Testing LDAPS using the ldp tool

Step1: Open Windows PowerShell and run ldp; this will tell us whether LDAPS is working or not.

Step2: In the Ldp window go to Connection > Connect. Under Server type localhost, set the port to 636 and tick the SSL option, as in the screenshot below:

Step3: A successful connection looks like the output below. If it fails, the domain controller most likely has not yet enrolled for its certificate from the new CA; reboot the server once (or wait for autoenrollment) and repeat Step 2, and you should see output like this below. Note that connecting to localhost only proves the DC presents a certificate: the firewall connects by hostname or IP address, so also test from another machine using the exact name the firewall will use, and make sure that name appears in the certificate's Subject Alternative Name if the firewall will validate the server certificate.
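The ldp check above can be reproduced, and extended to show what a remote client such as the firewall actually sees, with the PowerShell script below. It is an added example and not from the original article; the DC name "dc01.contoso.local" and the bind account "CONTOSO\svc-sophos" are assumptions to replace with your own. Run it from a domain-joined Windows host other than the DC itself.

```powershell
# Added example (not from the original article): verify LDAPS the way a remote
# client such as the firewall sees it, against the DC's FQDN instead of
# localhost. Assumed names: DC "dc01.contoso.local", bind account
# "CONTOSO\svc-sophos" (the DOMAIN\user form the firewall's AD server
# configuration also uses).
param(
    [string]$Server   = 'dc01.contoso.local',
    [string]$BindUser = 'CONTOSO\svc-sophos'
)

# --- 1. TLS handshake on 636 and inspection of the certificate presented ---
$script:policyErrors = [System.Net.Security.SslPolicyErrors]::None
# Record chain/name errors instead of aborting so we can report them below.
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $certificate, $chain, $errors)
    $script:policyErrors = $errors
    return $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($Server, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
$ssl.AuthenticateAsClient($Server)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

"Protocol  : $($ssl.SslProtocol)"
"Subject   : $($cert.Subject)"
"Issuer    : $($cert.Issuer)"
"Expires   : $($cert.NotAfter)"
$san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
"SAN       : $(if ($san) { $san.Format($false) } else { '<none>' })"
# Anything other than None means a client that validates the certificate
# (for example the firewall with server certificate validation enabled) would
# refuse this server:
#   RemoteCertificateNameMismatch -> $Server is not in the Subject/SAN
#   RemoteCertificateChainErrors  -> this host does not trust the issuing CA
"Validation: $script:policyErrors"
$ssl.Dispose(); $tcp.Dispose()

# --- 2. Simple bind over LDAPS, which is what the firewall performs ---
Add-Type -AssemblyName System.DirectoryServices.Protocols
$cred = Get-Credential -UserName $BindUser -Message 'LDAP bind password'
$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, 636)
$conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$conn.SessionOptions.SecureSocketLayer = $true
$conn.SessionOptions.ProtocolVersion   = 3
$conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$conn.Credential = New-Object System.Net.NetworkCredential($BindUser, $cred.Password)
try {
    $conn.Bind()   # throws LdapException on bad credentials or a TLS failure
    "Bind      : success"
} catch {
    "Bind      : FAILED - $($_.Exception.Message)"
}
$conn.Dispose()
```

A successful run shows the DC's FQDN in the SAN, "Validation: None" and "Bind : success". A chain error here with a working ldp test on the DC itself usually means the testing host (and likewise the firewall) does not yet trust the new root CA.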

Adding an Active Directory Server with connection security type SSL/TLS

Step1: Go to Authentication > Servers > Add and enter the AD server details, selecting SSL/TLS as the connection security (the LDAPS port is 636). Where the firewall is set to validate the server certificate, the root CA certificate created above must first be imported into the firewall's trusted certificate authorities.

Step2: Now test the connection; the result should be a success

Step3: Now import a group from this AD server

Step4: In this example, a group called TAM is added

Step5: Select Next on Common policies for groups, review the selection and click OK on the following prompt:

Step6: Once the group is successfully imported from AD, it is listed under Authentication > Groups

Step7: Visiting Authentication > Users, the username “Vivek” is not shown yet

Now, as per the *NOTE mentioned above, we log in to the user portal as the AD user “Vivek”

*Note: Before logging in, ensure that under Authentication > Services > Firewall authentication methods the AD server is selected.

As soon as we log in with the user's credentials, we get instant access:

And now we can also see the user under Authentication > Users, in the correct group.

 

I hope this article has helped you understand the LDAPS-AD integration and how to import user/group.

 

______________________________________________________________________________________________________________________________________



[edited by: Raphael Alganes at 1:08 PM (GMT -8) on 4 Dec 2023]