Use LDAPS with ADAM
The default configuration for userProxy object authentication is to enforce LDAPS (secure LDAP) communications. LDAPS requires SSL certificates to secure the network traffic. To disable this enforcement (which allows userProxy binds to cross the network unencrypted), change the following setting in the ADAM configuration partition:
- Object: CN=Directory Service, CN=Windows NT, CN=Services, CN=Configuration
- Attribute: msDS-Other-Settings
- Value: change RequiresSecureProxyBind from 1 (enforced) to 0 (disabled)
Restart the ADAM service for the new setting to take effect.
To support secure binds and encrypt the user name and password being transmitted, an SSL certificate must be installed on the server and on any LDAP client. Since the ADAM service has limited and controlled uses, a self-signed certificate is usually sufficient and avoids certificate costs or building a Certificate Authority (CA) infrastructure. If you already have a CA, issue a certificate from it. Otherwise, create a self-signed certificate.
Creating a Self-Signed Certificate
To use the selfssl utility, Internet Information Services (IIS) must be installed. This service can be removed after you generate the certificate. You can get the selfssl.exe utility from the IIS Resource Kit. If IIS is already installed, create a new website so that the existing sites are not affected during certificate generation. Selfssl needs to temporarily attach the new self-issued certificate to a valid website.
Selfssl is a command-line tool and has the following common parameters.
| Parameter | Description |
|---|---|
| /T | Adds the cert to ‘Trusted Certificates’ on the local machine |
| /N:cn | Sets the common name of the certificate. This must match the fully qualified domain name of the server running the web service using the certificate |
| /K | Sets the strength of the key size in bits |
| /V | Number of days the cert is valid |
| /S | Web site ID to attach the certificate to |
| /P | IP port of the web service |
Example:

```
selfssl /N:CN=myCompany.externaldomain.com /K:1024 /V:3650 /S:12345 /P:50001 /T
```

This statement creates a certificate that is valid for 10 years (/V:3650 days). Set the value to any duration, but be aware that a new certificate must be generated and submitted to the instance before the old one expires. We recommend making a note of the expiration date on the certificate.
Once the certificate is generated, you can remove it from the website, or delete the entire website if you created a temporary site.
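The following PowerShell check is an added example, not part of this page or of the ADAM product. It confirms that RequiresSecureProxyBind is still 1 by reading msDS-Other-Settings from the configuration partition, then opens a TLS session to the LDAPS port and verifies that the certificate actually presented carries the expected FQDN, is trusted on the host, and is not close to expiring. It assumes the page's placeholder FQDN and port 50001; the plain LDAP port 389 is an assumption and may differ on your instance.

```powershell
# Added example, not part of the ServiceNow page or the ADAM product.
# Assumes: $AdamHost is the FQDN the instance will connect to (must equal the
# certificate CN), $LdapPort is the ADAM LDAP port and $LdapsPort the SSL port.
param(
    [string]$AdamHost = 'myCompany.externaldomain.com',  # placeholder FQDN from the page
    [int]$LdapPort    = 389,                             # assumption: your ADAM port may differ
    [int]$LdapsPort   = 50001                            # port used in the page's selfssl example
)

# 1. Confirm secure proxy binds are still enforced (RequiresSecureProxyBind=1)
#    by reading msDS-Other-Settings on the Directory Service object.
$rootDse  = [ADSI]"LDAP://${AdamHost}:${LdapPort}/RootDSE"
$configNC = $rootDse.configurationNamingContext
$dsObject = [ADSI]"LDAP://${AdamHost}:${LdapPort}/CN=Directory Service,CN=Windows NT,CN=Services,$configNC"
$setting  = @($dsObject.'msDS-Other-Settings') | Where-Object { $_ -like 'RequiresSecureProxyBind=*' }
if ($setting -eq 'RequiresSecureProxyBind=1') {
    Write-Host "OK: LDAPS is enforced for userProxy binds ($setting)"
} else {
    Write-Warning "RequiresSecureProxyBind is not 1 ($setting); userProxy credentials may cross the network unencrypted"
}

# 2. Open a TLS session to the LDAPS port and inspect the certificate actually presented.
$tcp = New-Object System.Net.Sockets.TcpClient($AdamHost, $LdapsPort)
# Accept any certificate during the handshake so it can be examined; trust is evaluated explicitly below.
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
$ssl.AuthenticateAsClient($AdamHost)
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Dispose(); $tcp.Close()

# The CN must equal the FQDN the instance uses, otherwise the LDAPS connection is rejected.
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
if ($cn -ne $AdamHost) {
    Write-Warning "Certificate CN '$cn' does not match '$AdamHost'"
}

# A self-signed certificate only chains successfully if it sits in the local trusted store (selfssl /T).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    Write-Warning ("Certificate chain not trusted on this host: " + (($chain.ChainStatus | ForEach-Object Status) -join ', '))
}

# selfssl /V:3650 yields a 10-year certificate; warn early so a replacement can be submitted before expiry.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
if ($daysLeft -lt 90) {
    Write-Warning "Certificate expires $($cert.NotAfter.ToShortDateString()) ($daysLeft days); renew and re-submit to the instance"
} else {
    Write-Host "Certificate valid until $($cert.NotAfter.ToShortDateString()) ($daysLeft days left)"
}
```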