

# Enable Secure LDAP or LDAPS
<a name="ms_ad_ldap"></a>

Lightweight Directory Access Protocol (LDAP) is a standard communications protocol used to read and write data to and from Active Directory. Some applications use LDAP to add, remove, or search users and groups in Active Directory or to transport credentials for authenticating users in Active Directory. Every LDAP communication includes a client (such as an application) and a server (such as Active Directory).

By default, communications over LDAP are not encrypted, so a malicious user with network monitoring software can read the data packets on the wire. This is why corporate security policies typically require that organizations encrypt all LDAP communication.

To mitigate this form of data exposure, AWS Managed Microsoft AD provides an option: You can enable LDAP over Secure Sockets Layer (SSL)/Transport Layer Security (TLS), also known as LDAPS. With LDAPS, you can improve security across the wire. You can also meet compliance requirements by encrypting all communications between your LDAP-enabled applications and AWS Managed Microsoft AD.

AWS Managed Microsoft AD provides support for LDAPS in the following deployment scenarios:
+ **Server-side LDAPS** encrypts LDAP communications between your commercial or homegrown LDAP-aware applications (acting as LDAP clients) and AWS Managed Microsoft AD (acting as an LDAP server). For more information, see [Enabling server-side LDAPS using AWS Managed Microsoft AD](ms_ad_ldap_server_side.md).
+ **Client-side LDAPS** encrypts LDAP communications between AWS applications such as WorkSpaces (acting as LDAP clients) and your self-managed (on-premises) Active Directory (acting as LDAP server). For more information, see [Enabling client-side LDAPS using AWS Managed Microsoft AD](ms_ad_ldap_client_side.md).

For more information on best practices regarding securing your implementation of Microsoft Active Directory Certificate Services, see [Microsoft documentation](https://learn.microsoft.com/en-us/defender-for-identity/security-assessment-prevent-users-request-certificate).

**Topics**
+ [Enabling server-side LDAPS using AWS Managed Microsoft AD](ms_ad_ldap_server_side.md)
+ [Enabling client-side LDAPS using AWS Managed Microsoft AD](ms_ad_ldap_client_side.md)

# Enabling server-side LDAPS using AWS Managed Microsoft AD
<a name="ms_ad_ldap_server_side"></a>

Server-side Lightweight Directory Access Protocol Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (LDAPS) support encrypts LDAP communications between your commercial or homegrown LDAP-aware applications and your AWS Managed Microsoft AD directory. This helps to improve security across the wire and meet compliance requirements using the Secure Sockets Layer (SSL) cryptographic protocol.

## Enable server-side LDAPS using AWS Private Certificate Authority
<a name="enableserversideldaps_pca"></a>

For detailed instructions on how to set up and configure server-side LDAPS and your certificate authority (CA) server using AWS Private CA, see [Set up AWS Private CA Connector for AD for AWS Managed Microsoft AD](ms_ad_pca_connector.md).

## Enable server-side LDAPS using Microsoft CA
<a name="enableserversideldaps_msca"></a>

For detailed instructions on how to set up and configure server-side LDAPS and your certificate authority (CA) server, see [How to Enable Server-Side LDAPS for Your AWS Managed Microsoft AD Directory](https://aws.amazon.com/blogs/security/how-to-enable-ldaps-for-your-aws-microsoft-ad-directory/) on the AWS Security Blog. 

You must do most of the setup from the Amazon EC2 instance that you use to manage your AWS Managed Microsoft AD domain controllers. The following steps guide you through enabling LDAPS for your domain in the AWS Cloud.

If you would like to use automation to set up your PKI infrastructure, you can use the [Microsoft Public Key Infrastructure on AWS QuickStart Guide](https://aws.amazon.com/quickstart/architecture/microsoft-pki/). Specifically, follow the instructions in the guide to load the template for [Deploy MicrosoftPKI into an existing VPC on AWS](https://aws-quickstart.github.io/quickstart-microsoft-pki/#_deployment_steps). Once you load the template, be sure to choose **`AWSManaged`** when you get to the **Active Directory Domain Services Type** option. If you used the QuickStart guide, you can jump directly to [Step 3: Create a certificate template](#createcustomcert).

**Topics**
+ [Step 1: Delegate who can enable LDAPS](#grantpermsldaps)
+ [Step 2: Set up your certificate authority](#setupca)
+ [Step 3: Create a certificate template](#createcustomcert)
+ [Step 4: Add security group rules](#addgrouprules)

### Step 1: Delegate who can enable LDAPS
<a name="grantpermsldaps"></a>

To enable server-side LDAPS, you must be a member of the Admins or AWS Delegated Enterprise Certificate Authority Administrators group in your AWS Managed Microsoft AD directory. Alternatively, you can be the default administrative user (Admin account). If you prefer, you can have a user other than the Admin account set up LDAPS. In that case, add that user to the Admins or AWS Delegated Enterprise Certificate Authority Administrators group in your AWS Managed Microsoft AD directory.

### Step 2: Set up your certificate authority
<a name="setupca"></a>

Before you can enable server-side LDAPS, you must create a certificate. This certificate must be issued by a Microsoft Enterprise CA server that is joined to your AWS Managed Microsoft AD domain. Once created, the certificate must be installed on each of your domain controllers in that domain. This certificate lets the LDAP service on the domain controllers listen for and automatically accept SSL connections from LDAP clients. 

**Note**  
Server-side LDAPS with AWS Managed Microsoft AD does not support certificates that are issued by a standalone CA. It also does not support certificates issued by a third-party certification authority.

Depending on your business need, you have the following options for setting up or connecting to a CA in your domain: 
+ **Create a subordinate Microsoft Enterprise CA** – (Recommended) With this option, you can deploy a subordinate Microsoft Enterprise CA server in the AWS Cloud. The server can use Amazon EC2 so that it works with your existing root Microsoft CA. For more information about how to set up a subordinate Microsoft Enterprise CA, see **Step 4: Add a Microsoft Enterprise CA to your AWS Microsoft AD directory** in [How to Enable Server-Side LDAPS for Your AWS Managed Microsoft AD Directory](https://aws.amazon.com/blogs/security/how-to-enable-ldaps-for-your-aws-microsoft-ad-directory/).
+ **Create a root Microsoft Enterprise CA** – With this option, you can create a root Microsoft Enterprise CA in the AWS Cloud using Amazon EC2 and join it to your AWS Managed Microsoft AD domain. This root CA can issue the certificate to your domain controllers. For more information about setting up a new root CA, see **Step 3: Install and configure an offline CA** in [How to Enable Server-Side LDAPS for Your AWS Managed Microsoft AD Directory](https://aws.amazon.com/blogs/security/how-to-enable-ldaps-for-your-aws-microsoft-ad-directory/).

For more information about how to join your EC2 instance to the domain, see [Ways to join an Amazon EC2 instance to your AWS Managed Microsoft AD](ms_ad_join_instance.md).

### Step 3: Create a certificate template
<a name="createcustomcert"></a>

After your Enterprise CA has been set up, you can configure the Kerberos Authentication certificate template. 

**To create a certificate template**

1. Launch **Microsoft Windows Server Manager**. Select **Tools > Certification Authority**.

1. In the **Certificate Authority** window, expand the **Certificate Authority** tree in the left pane. Right-click **Certificate Templates**, and choose **Manage**.

1. In the **Certificate Templates Console** window, right-click **Kerberos Authentication** and choose **Duplicate Template**.

1. The **Properties of New Template** window will pop up.

1. In the **Properties of New Template** window, go to the **Compatibility** tab, and then do the following:

   1. Change **Certification Authority** to the OS that matches your CA.

   1. If a **Resulting changes** window pops up, select **OK**.

   1. Change **Certification recipient** to **Windows 10 / Windows Server 2016**.

      **Note**  
      AWS Managed Microsoft AD is powered by Windows Server 2019.

   1. If a **Resulting changes** window pops up, select **OK**.

1. Click the **General** tab and change the **Template display name** to **LDAPOverSSL** or any other name you would prefer.

1. Click the **Security** tab, and choose **Domain Controllers** in the **Group or user names** section. In the **Permissions for Domain Controllers** section, verify that the **Allow** check boxes for **Read**, **Enroll**, and **Autoenroll** are checked.

1. Choose **OK** to create the **LDAPOverSSL** (or the name you specified above) certificate template. Close the **Certificate Templates Console** window.

1. In the **Certificate Authority** window, right-click **Certificate Templates**, and choose **New > Certificate Template to Issue**.

1. In the **Enable Certificate Templates** window, choose **LDAPOverSSL** (or the name you specified above), and then choose **OK**.

### Step 4: Add security group rules
<a name="addgrouprules"></a>

In the final step, you must open the Amazon EC2 console and add security group rules. These rules allow your domain controllers to connect to your Enterprise CA to request a certificate. To do this, you add inbound rules so that your Enterprise CA can accept incoming traffic from your domain controllers. Then you add outbound rules to allow traffic from your domain controllers to the Enterprise CA.

Once both rules have been configured, your domain controllers request a certificate from your Enterprise CA automatically and enable LDAPS for your directory. The LDAP service on your domain controllers is now ready to accept LDAPS connections. 

**To configure security group rules**

1. Navigate to your Amazon EC2 console at [https://console.aws.amazon.com/ec2](https://console.aws.amazon.com/ec2) and sign in with administrator credentials.

1. In the left pane, choose **Security Groups** under **Network & Security**.

1. In the main pane, choose the AWS security group for your CA.

1. Choose the **Inbound** tab, and then choose **Edit**.

1. In the **Edit inbound rules** dialog box, do the following:
   + Choose **Add Rule**. 
   + Choose **All traffic** for **Type** and **Custom** for **Source**. 
   + Enter the AWS security group for your directory (for example, `sg-123456789`) in the box next to **Source**.
   + Choose **Save**.

1. Now choose the AWS security group of your AWS Managed Microsoft AD directory. Choose the **Outbound** tab and then choose **Edit**.

1. In the **Edit outbound rules** dialog box, do the following:
   + Choose **Add Rule**. 
   + Choose **All traffic** for **Type** and **Custom** for **Destination**. 
   + Enter the AWS security group for your CA in the box next to **Destination**. 
   + Choose **Save**.

You can test the LDAPS connection to the AWS Managed Microsoft AD directory using the LDP tool. The LDP tool comes with the Active Directory Administrative Tools. For more information, see [Installing Active Directory Administration Tools for AWS Managed Microsoft AD](ms_ad_install_ad_tools.md).

**Note**  
Before you test the LDAPS connection, you must wait up to 30 minutes for the subordinate CA to issue a certificate to your domain controllers.
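Besides LDP, you can verify a domain controller's LDAPS listener from any host that has OpenSSL. The script below is an added example, not code from the AWS documentation: it performs a TLS handshake on port 636 and only reports success when the certificate the domain controller presents chains to your Enterprise CA and matches the host name. `DC_HOST`, `CA_BUNDLE` (the Enterprise CA chain in PEM format) and the `RUN_LDAPS_CHECK` guard are assumptions.

```shell
#!/bin/sh
# Added example (not from the AWS documentation): checks a domain controller's
# LDAPS endpoint with OpenSSL as an alternative to the LDP tool.
# Assumes DC_HOST and CA_BUNDLE are set by the caller (assumption).
set -eu

# Runs a TLS handshake against port 636 and returns the s_client transcript.
# -verify_return_error aborts the handshake on a chain failure, and
# -verify_hostname catches a certificate issued for a different DC name.
ldaps_handshake() {
  printf 'Q\n' | openssl s_client -connect "$1:636" -servername "$1" \
    -verify_hostname "$1" -CAfile "$2" -verify_return_error 2>&1 || true
}

# Succeeds only when OpenSSL reports "Verify return code: 0 (ok)", i.e. the
# presented certificate chains to the CA bundle and matches the host name.
handshake_ok() {
  printf '%s\n' "$1" | grep -q 'Verify return code: 0 (ok)'
}

# Extracts the server certificate subject from the transcript for reporting.
handshake_subject() {
  printf '%s\n' "$1" | sed -n 's/^subject=//p' | head -n 1
}

# Checks one domain controller and prints a one-line verdict.
check_dc() {
  out=$(ldaps_handshake "$1" "$2")
  if handshake_ok "$out"; then
    printf 'OK   %s presents %s\n' "$1" "$(handshake_subject "$out")"
    return 0
  fi
  reason=$(printf '%s\n' "$out" | grep -i -e verify -e error | head -n 1)
  printf 'FAIL %s: %s\n' "$1" "${reason:-no TLS response on port 636}" >&2
  return 1
}

# Guarded so the parsing functions can be sourced and tested offline.
if [ "${RUN_LDAPS_CHECK:-0}" = 1 ]; then
  check_dc "$DC_HOST" "$CA_BUNDLE"
fi
```

Run it once per domain controller after the certificate has been issued; a FAIL with "unable to get local issuer certificate" usually means the CA bundle does not contain the issuing Enterprise CA.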

For additional details about server-side LDAPS and to see an example use case on how to set it up, see [How to Enable Server-Side LDAPS for Your AWS Managed Microsoft AD Directory](https://aws.amazon.com/blogs/security/how-to-enable-ldaps-for-your-aws-microsoft-ad-directory/) on the AWS Security Blog.

# Enabling client-side LDAPS using AWS Managed Microsoft AD
<a name="ms_ad_ldap_client_side"></a>

Client-side Lightweight Directory Access Protocol Secure Sockets Layer (SSL)/Transport Layer Security (TLS) (LDAPS) support in AWS Managed Microsoft AD encrypts communications between self-managed (on-premises) Microsoft Active Directory (AD) and AWS applications. Examples of such applications include WorkSpaces, AWS IAM Identity Center, Quick, and Amazon Chime. This encryption helps you to better protect your organization's identity data and meet your security requirements.

## Prerequisites
<a name="ldap_client_side_prerequisites"></a>

Before you enable client-side LDAPS, you need to meet the following requirements.

**Topics**
+ [Create a trust relationship between your AWS Managed Microsoft AD and self-managed Microsoft Active Directory](#trust_relationship_MAD_and_self_managed)
+ [Deploy server certificates in Active Directory](#ldap_client_side_deploy_server_certs)
+ [Certificate Authority certificate requirements](#ldap_client_side_get_certs_ready)
+ [Networking requirements](#ldap_client_side_considerations_enabling)

### Create a trust relationship between your AWS Managed Microsoft AD and self-managed Microsoft Active Directory
<a name="trust_relationship_MAD_and_self_managed"></a>

First, you need to establish a trust relationship between your AWS Managed Microsoft AD and self-managed Microsoft Active Directory to enable client-side LDAPS. For more information, see [Creating a trust relationship between your AWS Managed Microsoft AD and self-managed AD](ms_ad_setup_trust.md).

### Deploy server certificates in Active Directory
<a name="ldap_client_side_deploy_server_certs"></a>

In order to enable client-side LDAPS, you need to obtain and install server certificates for each domain controller in Active Directory. These certificates will be used by the LDAP service to listen for and automatically accept SSL connections from LDAP clients. You can use SSL certificates that are either issued by an in-house Active Directory Certificate Services (ADCS) deployment or purchased from a commercial issuer. For more information on Active Directory server certificate requirements, see [LDAP over SSL (LDAPS) Certificate](https://social.technet.microsoft.com/wiki/contents/articles/2980.ldap-over-ssl-ldaps-certificate.aspx) on the Microsoft website.

### Certificate Authority certificate requirements
<a name="ldap_client_side_get_certs_ready"></a>

A certificate authority (CA) certificate, which represents the issuer of your server certificates, is required for client-side LDAPS operation. CA certificates are matched with the server certificates that are presented by your Active Directory domain controllers to encrypt LDAP communications. Note the following CA certificate requirements:
+ Enterprise Certification Authority (CA) is required to enable client-side LDAPS. You can use either Active Directory Certificate Service, a third-party commercial certificate authority, or [AWS Certificate Manager](https://docs.aws.amazon.com/acm/latest/userguide/acm-overview.html). For more information about Microsoft Enterprise Certificate Authority, see [Microsoft documentation](https://learn.microsoft.com/en-us/previous-versions/tn-archive/cc875810(v=technet.10)?redirectedfrom=MSDN).
+ To register a certificate, it must be more than 90 days away from expiration.
+ Certificates must be in Privacy-Enhanced Mail (PEM) format. If exporting CA certificates from inside Active Directory, choose base64 encoded X.509 (.CER) as the export file format.
+ A maximum of five (5) CA certificates can be stored per AWS Managed Microsoft AD directory.
+ Certificates using the RSASSA-PSS signature algorithm are not supported.
+ CA certificates that chain to every server certificate in every trusted domain must be registered.

### Networking requirements
<a name="ldap_client_side_considerations_enabling"></a>

AWS application LDAP traffic will run exclusively on TCP port 636, with no fallback to LDAP port 389. However, Windows LDAP communications supporting replication, trusts, and more will continue using LDAP port 389 with Windows-native security. Configure AWS security groups and network firewalls to allow TCP communications on port 636 in AWS Managed Microsoft AD (outbound) and self-managed Active Directory (inbound). Leave open LDAP port 389 between AWS Managed Microsoft AD and self-managed Active Directory.

## Enable client-side LDAPS
<a name="enableclientsideldaps"></a>

To enable client-side LDAPS, you import your certificate authority (CA) certificate into AWS Managed Microsoft AD, and then enable LDAPS on your directory. Upon enabling, all LDAP traffic between AWS applications and your self-managed Active Directory will flow with Secure Sockets Layer (SSL) channel encryption.

You can use two different methods to enable client-side LDAPS for your directory. You can use either the AWS Management Console method or the AWS CLI method.

**Note**  
Client-Side LDAPS is a Regional feature of AWS Managed Microsoft AD. If you are using [Multi-Region replication](ms_ad_configure_multi_region_replication.md), the following procedures must be applied separately in each Region. For more information, see [Global vs Regional features](multi-region-global-region-features.md).

**Topics**
+ [Step 1: Register a certificate in Directory Service](#ms_ad_registercert)
+ [Step 2: Check registration status](#ms_ad_check-registration-status)
+ [Step 3: Enable client-side LDAPS](#ms_ad_enableclientsideldapssteps)
+ [Step 4: Check LDAPS status](#ms_ad_check-ldaps-status)

### Step 1: Register a certificate in Directory Service
<a name="ms_ad_registercert"></a>

Use either of the following methods to register a certificate in Directory Service.

**Method 1: To register your certificate in Directory Service (AWS Management Console)**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, select **Directories**.

1. Choose the directory ID link for your directory.

1. On the **Directory details** page, do one of the following:
   + If you have multiple Regions showing under **Multi-Region replication**, select the Region where you want to register your certificate, and then choose the **Networking & security** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).
   + If you do not have any Regions showing under **Multi-Region replication**, choose the **Networking & security** tab.

1. In the **Client-side LDAPS** section, select the **Actions** menu, and then select **Register certificate**.

1. In the **Register a CA certificate** dialog box, select **Browse**, and then select the certificate and choose **Open**.

1. Choose **Register certificate**.

**Method 2: To register your certificate in Directory Service (AWS CLI)**
+ Run the following command. For the certificate data, point to the location of your CA certificate file. A certificate ID will be provided in the response.

  ```
  aws ds register-certificate --directory-id your_directory_id --certificate-data file://your_file_path
  ```

### Step 2: Check registration status
<a name="ms_ad_check-registration-status"></a>

To see the status of a certificate registration or a list of registered certificates, use either of the following methods.

**Method 1: To check certificate registration status in Directory Service (AWS Management Console)**

1. Go to the **Client-side LDAPS** section on the **Directory details** page.

1. Review the current certificate registration state that is displayed under the **Registration status** column. When the registration status value changes to **Registered**, your certificate has been successfully registered.

**Method 2: To check certificate registration status in Directory Service (AWS CLI)**
+ Run the following command. If the status value returns `Registered`, your certificate has been successfully registered.

  ```
  aws ds list-certificates --directory-id your_directory_id
  ```

### Step 3: Enable client-side LDAPS
<a name="ms_ad_enableclientsideldapssteps"></a>

Use either of the following methods to enable client-side LDAPS in Directory Service.

**Note**  
You must have successfully registered at least one certificate before you can enable client-side LDAPS.

**Method 1: To enable client-side LDAPS in Directory Service (AWS Management Console)**

1. Go to the **Client-side LDAPS** section on the **Directory details** page.

1. Choose **Enable**. If this option is not available, verify that a valid certificate has been successfully registered, and then try again.

1. In the **Enable client-side LDAPS** dialog box, choose **Enable**.

**Method 2: To enable client-side LDAPS in Directory Service (AWS CLI)**
+ Run the following command.

  ```
  aws ds enable-ldaps --directory-id your_directory_id --type Client
  ```

### Step 4: Check LDAPS status
<a name="ms_ad_check-ldaps-status"></a>

Use either of the following methods to check the LDAPS status in Directory Service.

**Method 1: To check LDAPS status in Directory Service (AWS Management Console)**

1. Go to the **Client-side LDAPS** section on the **Directory details** page.

1. If the status value is displayed as **Enabled**, LDAPS has been successfully configured.

**Method 2: To check LDAPS status in Directory Service (AWS CLI)**
+ Run the following command. If the status value returns `Enabled`, LDAPS has been successfully configured.

  ```
  aws ds describe-ldaps-settings --directory-id your_directory_id
  ```
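The four CLI steps above, chained into one script that waits on the state fields the commands return instead of assuming each step succeeded. This is an added example, not code from the AWS documentation; `DIRECTORY_ID`, `CA_CERT_PATH`, the `RUN_LDAPS_WORKFLOW` guard and the 30-second polling interval are assumptions, and the JMESPath queries select the `CertificateId`, `State` and `LDAPSStatus` fields of the API responses.

```shell
#!/bin/sh
# Added example, not code from the AWS documentation: runs the four client-side
# LDAPS steps with the AWS CLI and waits on the state fields each call returns.
# Assumes DIRECTORY_ID and CA_CERT_PATH are exported by the caller (assumption).
set -eu

# Terminal failure states of the certificate and LDAPS state machines.
is_failure_state() {
  case "$1" in
    RegisterFailed|DeregisterFailed|EnableFailed|DisableFailed) return 0 ;;
    *) return 1 ;;
  esac
}

# poll_state <probe-fn> <target> <timeout-seconds> <interval-seconds>
# Calls probe-fn until it prints <target>; returns 1 on a failure state and
# 2 on timeout. Registration and enablement can take up to 30 minutes, so
# the workflow below passes an 1800-second timeout.
poll_state() {
  probe=$1 target=$2 timeout=$3 interval=$4 elapsed=0
  while :; do
    state=$("$probe")           # a CLI error aborts the script via set -e
    if [ "$state" = "$target" ]; then
      printf '%s\n' "$state"
      return 0
    fi
    if is_failure_state "$state"; then
      printf 'failed with state %s\n' "$state" >&2
      return 1
    fi
    if [ "$elapsed" -ge "$timeout" ]; then
      printf 'timed out waiting for %s (last state %s)\n' "$target" "$state" >&2
      return 2
    fi
    sleep "$interval"
    elapsed=$((elapsed + interval))
  done
}

# Step 1: register the CA certificate (PEM) and capture the certificate ID.
register_ca_cert() {
  aws ds register-certificate --directory-id "$DIRECTORY_ID" \
    --certificate-data "file://$CA_CERT_PATH" \
    --query CertificateId --output text
}

# Step 2 probe: registration state of the certificate registered above.
cert_state() {
  aws ds list-certificates --directory-id "$DIRECTORY_ID" \
    --query "CertificatesInfo[?CertificateId=='$CERT_ID'].State | [0]" \
    --output text
}

# Step 4 probe: client-side LDAPS status for the directory.
ldaps_status() {
  aws ds describe-ldaps-settings --directory-id "$DIRECTORY_ID" \
    --query 'LDAPSSettingsInfo[0].LDAPSStatus' --output text
}

enable_client_ldaps() {
  CERT_ID=$(register_ca_cert)
  echo "registered certificate $CERT_ID"
  poll_state cert_state Registered 1800 30
  # Step 3: enable only once a certificate has reached the Registered state.
  aws ds enable-ldaps --directory-id "$DIRECTORY_ID" --type Client
  poll_state ldaps_status Enabled 1800 30
}

# Guarded so the functions can be sourced and tested without calling AWS.
if [ "${RUN_LDAPS_WORKFLOW:-0}" = 1 ]; then
  enable_client_ldaps
fi
```

Remember that client-side LDAPS is Regional: run the script once per Region when you use Multi-Region replication.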

## Manage client-side LDAPS
<a name="ms_ad_manage-client-side-ldaps"></a>

Use these commands to manage your LDAPS configuration.

You can use two different methods to manage client-side LDAPS settings. You can use either the AWS Management Console method or the AWS CLI method.

### View certificate details
<a name="ms_ad_describe-a-certificate"></a>

Use either of the following methods to see when a certificate is set to expire.

**Method 1: To view certificate details in Directory Service (AWS Management Console)**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, select **Directories**.

1. Choose the directory ID link for your directory.

1. On the **Directory details** page, do one of the following:
   + If you have multiple Regions showing under **Multi-Region replication**, select the Region where you want to view the certificate, and then choose the **Networking & security** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).
   + If you do not have any Regions showing under **Multi-Region replication**, choose the **Networking & security** tab.

1. In the **Client-side LDAPS** section, under **CA certificates**, information about the certificate will be displayed.

**Method 2: To view certificate details in Directory Service (AWS CLI)**
+ Run the following command. For the certificate ID, use the identifier returned by `register-certificate` or `list-certificates`. 

  ```
  aws ds describe-certificate --directory-id your_directory_id --certificate-id your_cert_id
  ```

### Deregister a certificate
<a name="ms_ad_dergister-a-certificate"></a>

Use either of the following methods to deregister a certificate.

**Note**  
If only one certificate is registered, you must first disable LDAPS before you can deregister the certificate.

**Method 1: To deregister a certificate in Directory Service (AWS Management Console)**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, select **Directories**.

1. Choose the directory ID link for your directory.

1. On the **Directory details** page, do one of the following:
   + If you have multiple Regions showing under **Multi-Region replication**, select the Region where you want to deregister a certificate, and then choose the **Networking & security** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).
   + If you do not have any Regions showing under **Multi-Region replication**, choose the **Networking & security** tab.

1. In the **Client-side LDAPS** section, choose **Actions**, and then choose **Deregister certificate**.

1. In the **Deregister a CA certificate** dialog box, choose **Deregister**.

**Method 2: To deregister a certificate in Directory Service (AWS CLI)**
+ Run the following command. For the certificate ID, use the identifier returned by `register-certificate` or `list-certificates`. 

  ```
  aws ds deregister-certificate --directory-id your_directory_id --certificate-id your_cert_id
  ```

### Disable client-side LDAPS
<a name="ms_ad_disable-client-side-ldaps"></a>

Use either of the following methods to disable client-side LDAPS.

**Method 1: To disable client-side LDAPS in Directory Service (AWS Management Console)**

1. In the [AWS Directory Service console](https://console.aws.amazon.com/directoryservicev2/) navigation pane, select **Directories**.

1. Choose the directory ID link for your directory.

1. On the **Directory details** page, do one of the following:
   + If you have multiple Regions showing under **Multi-Region replication**, select the Region where you want to disable client-side LDAPS, and then choose the **Networking & security** tab. For more information, see [Primary vs additional Regions](multi-region-global-primary-additional.md).
   + If you do not have any Regions showing under **Multi-Region replication**, choose the **Networking & security** tab.

1. In the **Client-side LDAPS** section, choose **Disable**.

1. In the **Disable client-side LDAPS** dialog box, choose **Disable**.

**Method 2: To disable client-side LDAPS in Directory Service (AWS CLI)**
+ Run the following command.

  ```
  aws ds disable-ldaps --directory-id your_directory_id --type Client
  ```

## Certificate enrollment issues
<a name="certificate_enrollment_issue"></a>

The process to enroll your AWS Managed Microsoft AD domain controllers with the CA certificates can take up to 30 minutes. If you experience issues with the certificate enrollment and want to restart your AWS Managed Microsoft AD domain controllers, you can contact Support. To create a support case, see [Creating support cases and case management](https://docs.aws.amazon.com/awssupport/latest/user/case-management.html).