How to set up LDAP authentication with Azure Active Directory

Megha Mishra
7 min read, Jul 22, 2023
Microsoft image reference

Lightweight Directory Access Protocol (LDAP) is an application protocol for querying and modifying directory services. Directory services, such as Active Directory, store user and account information together with security information such as credentials and group memberships, and make that information available to other systems on the network.

Why do we need an LDAP server?

Lightweight Directory Access Protocol (LDAP) is a protocol that lets users and applications look up data about organizations, people, devices and more.

LDAP has two main goals:

  1. To store data in the LDAP directory.
  2. To authenticate users and applications that access the directory.

The most common LDAP use case is providing a central location for accessing and managing directory services. LDAP enables organizations to store, manage, and secure information about the organization, its users, and assets, like usernames and passwords. It simplifies access to that information by organizing it in a hierarchical structure (the directory information tree), which becomes important as organizations grow and accumulate more user data and assets.

Implement LDAP authentication with Azure AD

Prerequisites:

Step 1: Configure virtual networking for an Azure Active Directory Domain Services managed domain

To provide connectivity to users and applications, an Azure Active Directory Domain Services (Azure AD DS) managed domain is deployed into an Azure virtual network subnet. This virtual network subnet should only be used for the managed domain resources provided by the Azure platform.

When you create your own VMs and applications, they shouldn’t be deployed into the same virtual network subnet. Instead, you should create and deploy your applications into a separate virtual network subnet, or in a separate virtual network that’s peered to the Azure AD DS virtual network.

Let’s create and configure a dedicated virtual network subnet (or peer a different network) for the Azure AD DS managed domain’s virtual network.

a) Create a virtual network subnet — Go to the virtual network that hosts your Azure AD Domain Services instance, add the address range 10.0.3.0/24 to the address space and save.

Now go to Subnets and create a new subnet with this address range, as shown below.

b) Create a virtual machine (Windows image) inside the new subnet.

Now go to the VM and try to connect over RDP. It will fail with an error like the one shown below, because no network security group allows inbound traffic to the subnet.

To fix this, create a network security group (NSG).

Associate the previously created subnet with this NSG.

Now add an inbound rule for the RDP connection (TCP 3389). Restrict the source to your own management address rather than Any: an RDP endpoint open to the whole internet is a constant target for password-spraying and brute-force attempts. Where possible, use Azure Bastion or a VPN instead of a public RDP endpoint.

The error is resolved now.
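The same subnet and NSG setup, scripted with the Az PowerShell module. This is an added example, not code from the original article: the resource group rg-aadds, virtual network vnet-aadds, subnet name snet-workloads, NSG name nsg-workloads and the admin address 203.0.113.10 are assumptions; the 10.0.3.0/24 range is the one used above. Run Connect-AzAccount first.

```powershell
# Added example (not part of the original article): workload subnet + NSG that only
# admits RDP from one admin address. Names below are assumptions, replace as needed.
$rg       = 'rg-aadds'          # assumed resource group of the Azure AD DS VNet
$vnetName = 'vnet-aadds'        # assumed virtual network name
$subnet   = 'snet-workloads'    # assumed name for the new subnet
$prefix   = '10.0.3.0/24'       # address range used in the article
$adminIp  = '203.0.113.10/32'   # assumed public IP of your management host

$vnet = Get-AzVirtualNetwork -Name $vnetName -ResourceGroupName $rg

# 1) Add the workload subnet; the managed domain's own subnet is left untouched.
Add-AzVirtualNetworkSubnetConfig -Name $subnet -AddressPrefix $prefix -VirtualNetwork $vnet | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

# 2) NSG with a single inbound RDP rule scoped to the admin address.
#    A SourceAddressPrefix of '*' or 'Internet' would expose TCP 3389 to everyone.
$rdpRule = New-AzNetworkSecurityRuleConfig -Name 'Allow-RDP-From-Admin' `
    -Description 'RDP from the management host only' `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 1000 `
    -SourceAddressPrefix $adminIp -SourcePortRange '*' `
    -DestinationAddressPrefix '*' -DestinationPortRange 3389

$nsg = New-AzNetworkSecurityGroup -Name 'nsg-workloads' -ResourceGroupName $rg `
    -Location $vnet.Location -SecurityRules $rdpRule

# 3) Associate the NSG with the new subnet and commit the change.
Set-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet `
    -AddressPrefix $prefix -NetworkSecurityGroup $nsg | Out-Null
$vnet = Set-AzVirtualNetwork -VirtualNetwork $vnet

# 4) Verify: the subnet should now reference the NSG, and the NSG should contain
#    exactly one inbound Allow rule, bound to the admin address.
$applied = Get-AzVirtualNetworkSubnetConfig -VirtualNetwork $vnet -Name $subnet
if ($applied.NetworkSecurityGroup.Id -ne $nsg.Id) { throw 'NSG was not associated with the subnet' }
$open = $nsg.SecurityRules | Where-Object { $_.Direction -eq 'Inbound' -and $_.Access -eq 'Allow' -and $_.SourceAddressPrefix -in @('*', 'Internet') }
if ($open) { throw "Rule(s) open to the internet: $($open.Name -join ', ')" }
"Subnet $subnet ($prefix) is protected by $($nsg.Name); RDP allowed only from $adminIp"
```

The final check is worth keeping in any provisioning script: it fails loudly if someone later widens the RDP rule to Any.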

Step 3: Configure secure LDAP for an Azure Active Directory Domain Services managed domain

To communicate with your Azure Active Directory Domain Services (Azure AD DS) managed domain, the Lightweight Directory Access Protocol (LDAP) is used. By default, the LDAP traffic isn’t encrypted, which is a security concern for many environments.

With Azure AD DS, you can configure the managed domain to accept secure LDAP (LDAPS) on TCP port 636, which wraps the whole LDAP session in TLS so that bind credentials and query results are encrypted on the wire. Secure LDAP is also known as LDAP over Secure Sockets Layer (SSL) / Transport Layer Security (TLS).

a) Create a digital certificate for use with Azure AD DS —

Connect to the VM, open a PowerShell window as Administrator and run the following commands. Replace the $dnsName variable with the DNS name used by your own managed domain, such as monkgrowth.com. The wildcard subject is needed because the managed domain answers as ldaps.<your domain>. A self-signed certificate is fine for a lab; for production, request one from a certificate authority that your clients already trust.

# Define your own DNS name used by your managed domain
$dnsName="monkgrowth.com"

# Get the current date to set a one-year expiration
$lifetime=Get-Date

# Create a self-signed certificate for use with Azure AD DS
New-SelfSignedCertificate -Subject *.$dnsName `
-NotAfter $lifetime.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment `
-Type SSLServerAuthentication -DnsName *.$dnsName, $dnsName

b) Export a certificate for Azure AD DS -

  1. Windows + R → open Microsoft Management Console (MMC) by entering mmc.
  2. On the User Account Control prompt, select Yes to launch MMC as administrator.
  3. From the File menu, select Add/Remove Snap-in…, choose Certificates, then select Add.
  4. In the Certificates snap-in wizard, choose Computer account, then select Next → Local computer: (the computer this console is running on), then select Finish.
  5. In the MMC window, expand Console Root. Select Certificates (Local Computer), then expand the Personal node, followed by the Certificates node.
  6. Right-click the certificate → All Tasks → Export… → in the Certificate Export Wizard, select Next → On the Export Private Key page, choose Yes, export the private key, then select Next.

Managed domains only support the .PFX certificate file format that includes the private key. Don’t export the certificate as .CER certificate file format without the private key.

Next → set a strong password. You will need this password again when uploading the certificate to Azure AD DS.

Now save the certificate. The .PFX file contains the private key, so store it securely and delete local copies once it has been uploaded.

c) Export a certificate for client computers -

Client computers must trust the issuer of the secure LDAP certificate to be able to connect successfully to the managed domain using LDAPS. For a self-signed certificate the issuer is the certificate itself, so clients need a copy of the public certificate (without the private key) in their trusted root store; that is what lets them validate the server’s certificate during the TLS handshake. Never distribute the .PFX with the private key to clients.

  1. Windows + R → open Microsoft Management Console (MMC) by entering mmc.
  2. On the User Account Control prompt, select Yes to launch MMC as administrator.
  3. From the File menu, select Add/Remove Snap-in…, add the Certificates snap-in for the Computer account (Local computer) as before, and open Personal → Certificates.
  4. Right-click the certificate → All Tasks → Export…
  5. As you don’t need the private key for clients, on the Export Private Key page choose No, do not export the private key, then select Next.
  6. On the Export File Format page, select Base-64 encoded X.509 (.CER) as the file format for the exported certificate.
  7. Select Next and export the certificate.

Let’s install the certificate on the local computer (VM).

  1. Right-click the .CER certificate file and select Install Certificate.
  2. Choose Local Machine as the store location, then choose Automatically select the certificate store based on the type of certificate, then select Next.
  3. On the review page, select Finish to import the .CER certificate file. A confirmation dialog is displayed when the certificate has been successfully imported.
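Steps a) to c) above, scripted in PowerShell (an added example, not code from the original article). It uses the domain name monkgrowth.com from the article; the output folder C:\certs and the file names are assumptions. Run it as Administrator on the VM.

```powershell
# Added example (not from the original article): create the LDAPS certificate, export the
# PFX for Azure AD DS, export the public .CER for clients and trust it on this machine.
$dnsName = 'monkgrowth.com'   # domain name used in the article
$outDir  = 'C:\certs'         # assumed output folder
New-Item -ItemType Directory -Path $outDir -Force | Out-Null

# The managed domain answers as ldaps.<domain>, so the certificate needs a wildcard SAN.
$cert = New-SelfSignedCertificate -Subject "CN=*.$dnsName" `
    -DnsName "*.$dnsName", $dnsName `
    -CertStoreLocation 'Cert:\LocalMachine\My' `
    -KeyUsage DigitalSignature, KeyEncipherment `
    -Type SSLServerAuthentication `
    -NotAfter (Get-Date).AddDays(365)

# PFX (with private key): only Azure AD DS needs this. Password is read interactively
# so it never lands in shell history.
$pfxPassword = Read-Host -Prompt 'PFX export password' -AsSecureString
$pfxPath = Join-Path $outDir 'aadds-ldaps.pfx'
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword | Out-Null

# Public certificate for clients. -Type CERT writes DER; Windows imports DER and
# Base-64 .CER files alike, so this is equivalent to the MMC export above.
$cerPath = Join-Path $outDir 'aadds-ldaps.cer'
Export-Certificate -Cert $cert -FilePath $cerPath -Type CERT | Out-Null

# Trust it on this machine. Self-signed, so it goes in Trusted Root Certification
# Authorities, which is also where "automatically select the store" puts it.
Import-Certificate -FilePath $cerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# Checks: the root store holds the cert and the SAN list covers ldaps.<domain>.
$trusted = Get-ChildItem 'Cert:\LocalMachine\Root' | Where-Object Thumbprint -eq $cert.Thumbprint
if (-not $trusted) { throw 'Certificate is not in the Trusted Root store' }
$sans = @($cert.DnsNameList.Unicode)
if (-not ($sans | Where-Object { "ldaps.$dnsName" -like $_ })) { throw "SANs $($sans -join ', ') do not cover ldaps.$dnsName" }
"Thumbprint $($cert.Thumbprint), expires $($cert.NotAfter.ToString('yyyy-MM-dd')), SANs: $($sans -join ', ')"
"Upload $pfxPath to Azure AD DS, then remove it: Remove-Item '$pfxPath'"
```

The last line is a reminder, not automation: the PFX must exist long enough to upload it in the portal, and it should not survive on the VM afterwards.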

Step 4: Enable secure LDAP for Azure AD DS

  1. Go to Azure Portal → Azure AD Domain Services → Secure LDAP. Set Secure LDAP to Enable, upload the .PFX file and enter the password you set when exporting it. If clients outside the virtual network need LDAPS, also set Allow secure LDAP access over the internet to Enable, and make sure the network security group on the managed domain’s subnet allows inbound TCP 636 only from known source addresses. It takes a few minutes to enable secure LDAP for your managed domain.

Step 5: Configure DNS for external access

With secure LDAP access over the internet enabled, client computers need to resolve the managed domain’s name to its external (public) IP address.

Go to Azure AD Domain Services → Properties and copy the External IP address.

For this lab the VM’s hosts file is used instead of a public DNS record. On the VM, open C:\Windows\System32\drivers\etc\hosts in an editor running as Administrator and add a line mapping the external IP to the domain name. The name you connect with must match a SAN on the LDAPS certificate, here monkgrowth.com itself or anything under the wildcard *.monkgrowth.com:

 20.219.61.82  monkgrowth.com

For real clients, create a public DNS A record such as ldaps.monkgrowth.com that points at the same IP, and lock down the network security group on the managed domain’s subnet so that inbound TCP 636 is allowed only from your clients’ source addresses, not from Any.

Step 6: Test queries to the managed domain

To connect and bind to your managed domain and search over LDAP, you use the LDP.exe tool. This tool is included in the Remote Server Administration Tools (RSAT) package. For more information, see install Remote Server Administration Tools.

  1. Open a PowerShell window as Administrator and run ldp.exe.
  2. Select Connection → Connect. Enter the managed domain name (monkgrowth.com), set the port to 636, tick SSL and select OK to establish the connection.
  3. Select Connection → Bind → Bind with credentials, and bind with a user created in the managed domain (enter the user as user@monkgrowth.com). To see how to create a user in AD, you can refer to my previous article.

After binding, the output looks like this.

  4. It’s time to check the tree. Go to View → Tree and enter the base DN of the domain (for monkgrowth.com this is DC=monkgrowth,DC=com), then select OK.
  5. All the domain users are listed here.

Verify that the users match the users in Azure AD.
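The same test done from PowerShell with System.DirectoryServices.Protocols, as a scripted alternative to LDP.exe. This is an added example, not code from the original article; it uses the domain monkgrowth.com from the article, and the base DN DC=monkgrowth,DC=com and the bind account ldapreader@monkgrowth.com are assumptions. Unlike LDP.exe’s default, it refuses the connection if the server certificate does not chain to a trusted root or does not cover the name being connected to.

```powershell
# Added example (not from the original article): LDAPS bind + user search with strict
# certificate validation. Server/base DN/bind user are assumptions from the lead-in.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-AaddsLdaps {
    param(
        [string]$Server   = 'monkgrowth.com',            # must match a SAN on the LDAPS cert
        [int]$Port        = 636,
        [string]$BaseDn   = 'DC=monkgrowth,DC=com',      # assumed base DN
        [string]$BindUser = 'ldapreader@monkgrowth.com'  # assumed low-privilege domain user
    )
    # Reachability first: hosts-file and NSG mistakes show up here, not as TLS errors.
    if (-not (Test-NetConnection -ComputerName $Server -Port $Port -InformationLevel Quiet)) {
        throw "TCP $Port to $Server is closed; check the hosts entry and the NSG on the managed domain's subnet."
    }

    $password = Read-Host -Prompt "Password for $BindUser" -AsSecureString
    $identity = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $false, $false)
    $cred     = New-Object System.Net.NetworkCredential($BindUser, $password)
    $conn     = New-Object System.DirectoryServices.Protocols.LdapConnection($identity, $cred)
    $conn.SessionOptions.SecureSocketLayer = $true   # TLS from the first byte (LDAPS), not StartTLS
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic  # simple bind; acceptable only inside TLS

    # Validate the server certificate: chain to a trusted root (where the .CER was
    # installed) and hostname match. Do NOT replace this with { $true }: that accepts any
    # certificate and turns LDAPS into a channel anyone on the path can intercept.
    $conn.SessionOptions.VerifyServerCertificate = {
        param($connection, $certificate)
        $cert2 = [System.Security.Cryptography.X509Certificates.X509Certificate2]$certificate
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert2)
        if (-not $chainOk) {
            $reasons = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
            Write-Warning "Rejected certificate $($cert2.Subject): $reasons"
        }
        $nameOk = [bool](@($cert2.DnsNameList.Unicode) | Where-Object { $Server -like $_ })
        if (-not $nameOk) { Write-Warning "Certificate SANs do not cover $Server" }
        return ($chainOk -and $nameOk)
    }.GetNewClosure()   # capture $Server for use inside the callback

    try {
        $conn.Bind()   # throws LdapException on bad credentials or a rejected certificate
        $filter = '(&(objectCategory=person)(objectClass=user))'
        $attrs  = @('sAMAccountName', 'userPrincipalName', 'memberOf')
        $search = New-Object System.DirectoryServices.Protocols.SearchRequest($BaseDn, $filter, 'Subtree', $attrs)
        $result = $conn.SendRequest($search)
        foreach ($entry in $result.Entries) {
            $groups = $entry.Attributes['memberOf']
            [pscustomobject]@{
                SamAccountName    = $entry.Attributes['sAMAccountName'][0]
                UserPrincipalName = $entry.Attributes['userPrincipalName'][0]
                Groups            = if ($groups) { $groups.GetValues([string]) -join '; ' } else { '' }
            }
        }
    }
    finally {
        $conn.Dispose()
    }
}

Test-AaddsLdaps | Format-Table -AutoSize
```

A quick negative test is worth running too: temporarily remove the certificate from Trusted Root Certification Authorities and rerun the function. The bind must fail with a warning from the callback; if it still succeeds, the client is not actually validating the server and the encryption buys little against an on-path attacker.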

In this tutorial, we have successfully set up secure LDAP against Azure Active Directory Domain Services. MS Azure Reference: LDAP authentication with Azure Active Directory.
