Connect Microsoft Entra DS with LDAP

---

Microsoft Entra is Microsoft’s cloud-based Identity and Access Management (IAM) service, which helps your employees sign in and access resources. miniOrange provides a solution where existing identities in Microsoft Entra Services can be leveraged for Single Sign-On (SSO) into different cloud and on-premise applications. Microsoft Entra supports standard authentication and authorization protocols such as LDAPS, SAML 2.0 and OAUTH 2.0.
To interact with your Microsoft Entra Domain Services managed domain, the Lightweight Directory Access Protocol (LDAP) is mostly used. By default, the LDAP traffic isn't encoded, which is a security concern for many environments. With Microsoft Entra Domain Services, you can configure the managed domain to use secure Lightweight Directory Access Protocol (LDAPS). When you use secure LDAP, the traffic is encrypted. Secure LDAP is also known as LDAP over Secure Sockets Layer (SSL).

How does Microsoft Entra over LDAPS work?

Follow the Step-by-Step guide given below to configure Secure LDAP Connection between Microsoft Entra and miniOrange User Store

1. Create and configure an Microsoft Entra Domain Services instance

(Skip this if you have already configured a AADDS instance for a subscription)

1. Prerequisites

• An active Azure subscription.
• You need global administrator privileges in your Microsoft Entra tenant to enable Microsoft Entra Domain Services either synchronized with an on-premises directory or a cloud-only directory.
• You need Contributor privileges in your Azure subscription to create the required Microsoft Entra Domain Services resources.

1.1 Create an instance and configure basic settings

• In the upper left-hand corner of the Azure portal, click on + Create a resource.
• Enter Domain Services into the search bar, then choose Microsoft Entra Domain Services from the search suggestions.



• On the Microsoft Entra Domain Services page, click on Create. The Enable Microsoft Entra Domain Services wizard is launched.



• Complete the fields in the Basics window of the Azure portal to create an Microsoft Entra DS instance:
  • Enter a DNS domain name for your managed domain, taking into consideration the previous points.
  • Select the Azure Subscription in which you would like to create the managed domain.
  • Select the Resource group to which the managed domain should belong. Choose to Create new or select an existing resource group.
  • Choose the Azure Location in which the managed domain should be created.
  • Click OK to move on to the Network section.

1.2 Create and configure the virtual network

• Complete the fields in the Network window as follows:
  • On the Network window, choose Select virtual network.
  • For this tutorial, choose to Create new virtual network to deploy Microsoft Entra DS into.
  • Enter a name for the virtual network, such as myVnet, then provide an address range, such as 10.1.0.0/16.
  • Create a dedicated subnet with a clear name, such as DomainServices. Provide an address range, such as 10.1.0.0/24.
• With the virtual network and subnet created, the subnet should be automatically selected, such as DomainServices. You can instead choose an alternate existing subnet that's part of the selected virtual network.
• Click on OK to confirm the virtual network configuration.

1.3 Configure an administrative group

• The wizard automatically creates the AAD DC Administrators group in your Microsoft Entra directory. If you have an existing group with this name in your Microsoft Entra directory, the wizard selects this group. You can optionally choose to add additional users to this AAD DC Administrators group during the deployment process.
  
  NOTE: We have included members in the administrator group further ahead in this document.

1.4 Configure Synchronization

• Microsoft Entra Domain Services lets you synchronize all users and groups available in Microsoft Entra, or a scoped synchronization of only specific groups.
• Select the scope and then click OK.
  
  NOTE: Scope cannot be changed later. If the need arises, then creation of new domain will be required.

1.5 Deploy your managed domain

• On the Summary page of the wizard, review the configuration settings for the managed domain. You can go back to any step of the wizard to make changes
• To create the managed domain, click on OK.
• The process of provisioning your managed domain can take up to an hour. A notification is displayed in the portal that shows the progress of your Microsoft Entra DS deployment. Select the notification to see detailed progress for the deployment.
• When the managed domain is fully provisioned, the Overview tab shows the domain status as Running.



NOTE: During the provisioning process, Microsoft Entra DS creates two Enterprise Applications named Domain Controller Services and AzureActiveDirectoryDomainControllerServices in your directory. These Enterprise Applications are needed to service your managed domain. It's imperative that these applications are not deleted at any time.

2. Create and delegate certificates for secure LDAP

2.1 Create a Self-Signed Certificate

• To use Secure LDAP, a digital certificate is used to encrypt the communication. This digital certificate is applied to your Microsoft Entra DS managed domain.
• Open a PowerShell window as Administrator and run the following commands.
  
  NOTE: Replace the $dnsName variable with the DNS name used by your own managed domain, such as exampledomain.com. This domain shoud be same as your ADDS managed domain.
# Define your own DNS name used by your Microsoft Entra DS managed domain $dnsName="exampledomain.com" # Get the current date to set a one-year expiration $lifetime=Get-Date # Create a self-signed certificate for use with Microsoft Entra DS New-SelfSignedCertificate -Subject *.$dnsName ` -NotAfter $lifetime.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment ` -Type SSLServerAuthentication -DnsName *.$dnsName, $dnsName

2.2 Export a certificate for Microsoft Entra DS

Before you can use the digital certificate created in the previous step with your Microsoft Entra DS managed domain, export the certificate to a .PFX certificate file that includes the private key.


• To open the Run dialog, press the Windows and R keys.
• Open the Microsoft Management Console (MMC) by entering MMC in the Run dialog, then select OK.
• On the User Account Control prompt, click Yes to launch MMC as administrator.
• From the File menu, click Add/Remove Snap-in…
• In the Certificates snap-in wizard, choose Computer account, then select >Next
• On the Select Computer page, choose Local computer: (the computer this console is running on), then select Finish.
• In the Add or Remove Snap-ins dialog, click OK to add the certificates snap-in to MMC.
• In the MMC window, expand Console Root. Select Certificates (Local Computer), then expand the Personal node, followed by the Certificates node.



• The self-signed certificate created in the previous step is shown, such as exampledomain.com. Right-click this certificate, then choose All Tasks > Export…



• In the Certificate Export Wizard, select Next.
• The Private key for the certificate must be exported. If the private key is not included in the exported certificate, the action to enable secure LDAP for your managed domain fails.
  On the Export Private Key page, choose Yes, export the private key, then select Next.



• Microsoft Entra DS managed domains only support the .PFX certificate file format that includes the private key. Don't export the certificate as .CER certificate file format without the private key.
• On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX) as the file format for the exported certificate. Check the box for Include all certificates in the certification path if possible and click next.



• On the Security page, choose the option for Password to protect the .PFX certificate file. Enter and confirm a password, then select Next. This password is used in the next section to enable secure LDAP for your Microsoft Entra DS managed domain.



• On the File to Export page, specify the file name and location where you'd like to export the certificate, such as C:\Users\accountname\azure-ad-ds.pfx.
• On the review page, click on Finish to export the certificate to a .PFX certificate file. A confirmation dialog is displayed when the certificate has been successfully exported
• Leave the MMC open for use in the following section.

2.3 Export a certificate for Client Computers

Client computers must trust the issuer of the secure LDAP certificate to be able to connect successfully to the managed domain using LDAPS. The client computers need a certificate to successfully encrypt data that is decrypted by Microsoft Entra DS. Follow the following steps to export and then install the self-signed certificate into the trusted certificate store on the client computer:


• Go back to the MMC for Certificates (Local Computer) > Personal > Certificates store. The self-signed certificate created in a previous step is shown, such as exampledomain.com. Right-click this certificate, then choose All Tasks > Export…
• In the Certificate Export Wizard, select Next.
• As you don't need the private key for clients, on the Export Private Key page choose No, do not export the private key, then select Next.



• On the Export File Format page, select Base-64 encoded X.509 (.CER) as the file format for the exported certificate:



• On the File to Export page, specify the file name and location where you'd like to export the certificate, such as C:\Users\accountname\client.cer.



• On the review page, select Finish to export the certificate to a .CER certificate file. A confirmation dialog is displayed when the certificate has been successfully exported.

3. Enable Secure LDAP for Microsoft Entra DS

• In the Azure portal, search for domain services in the Search resources box. Select Microsoft Entra Domain Services from the search result.



• Choose your managed domain, such as exampledomain.com.



• On the left-hand side of the Microsoft Entra DS window, choose Secure LDAP.



• By default, secure LDAP access to your managed domain is disabled. Toggle Secure LDAP to Enable.
• Toggle Allow secure LDAP access over the internet to Enable.
• Select the folder icon next to .PFX file with a secure LDAP certificate. Browse to the path of the .PFX file, then select the certificate created in a previous step that includes the private key.
• Enter the Password to decrypt .PFX file set in a previous step when the certificate was exported to a .PFX file.
• Click on Save to enable secure LDAP.
  
  NOTE: A notification is displayed that secure LDAP is being configured for the managed domain. You can't modify other settings for the managed domain until this operation is complete. It takes a few minutes to enable secure LDAP for your managed domain.



• A notification is displayed that secure LDAP is being configured for the managed domain. You can't modify other settings for the managed domain until this operation is complete. It takes a few minutes to enable secure LDAP for your managed domain.

4. Adding Security Rules

• On the left-hand side of the Microsoft Entra DS window, choose Properties.
• Then select the relevant Network Group Associated with this domain under Network security group associated with subnet.



• The list of existing inbound and outbound security rules are displayed. On the left-hand side of the network security group windows, choose Security > Inbound security rules.
• Select Add, then create a rule to allow TCP port 636.
• Option A: Add an Inbound Security Rule to allow all incoming TCP requests.



Settings	Value
Source	Any
Source port ranges	*
Destination	Any
Destination port ranges	636
Protocol	TCP
Action	Allow
Priority	401
Name	AllowLDAPS



• Option B: Add an Inbound Security Rule to allow incoming TCP requests from a specified set of IP Addresses.(Recommended)



Settings	Value
Source	IP Addresses
Source IP addresses / CIDR ranges	Valid IP address or range for your environment.
Source port ranges	*
Destination	Any
Destination port ranges	636
Protocol	TCP
Action	Allow
Priority	401
Name	AllowLDAPS





• When ready, click on Add to save and apply the rule.

5. Configure DNS for External Access

• With secure LDAP access enabled over the internet, update the DNS zone so that client computers can find this managed domain. The Secure LDAP external IP address is listed on the Properties tab for your Microsoft Entra DS managed domain:



• Make the following entry in your hosts file <Secure LDAP external IP address>ldaps.<domainname>
Replace <Secure LDAP external IP address> with the IP we get from azure portal and replace
&l;tdomainname> with the domain name for which the certificate was created.(Value used in $dnsName)
Eg: 99.129.99.939 ldaps.exampledomain.com

6. Enabling a user to bind successfully

• On the left-hand side of the Microsoft Entra DS window, choose Properties.
• Then select the relevant Admin Group Associated with this domain.



• Then select Members under the Manage tab from the left hand side panel.



• Click on Add Members and select the member that you would use to do the bind operation. Then log in to azure portal using the same user that is now admin.(If not already logged in)
• Select the user setting from top right corner and click on view account.



• Then select Set up self service password reset and go along with its setup.



• After Successful setup select Azure Portal from the list of apps.



• Then again go to the user profile and select change password.



• Once the password is changed successfully then this user is eligible for binding operation.

7. Configure miniOrange Identity Provider as User Store

• Cloud Users
• On-Premise Users

• In this case you will have to send the Client Certificate to miniOrange and we will configure it for you.
• Configure the User Store in the IDP
  • From the Identity Provider select User Stores from the left hand side panel.
  • Select Add User Store.
  
  
  
  • Select AD/LDAP and fill in the following details :
  
  
  
  

  Field	Value
  LDAP display name	Any string that displays on this entry
  LDAP Identifier	Unique identifier that identifies this specific entry
  Directory Type	Active Directory
  LDAP Server URL	Select ldaps:// as the pre filler followed by the domain entry added in the host file during configure DNS for external access. Eg: ldaps://ldaps.exampledomain.com
  Bind Account DN	UserPrincipalName of the account eligible for binding operation.
  Bind Account Password	Password for the account used for binding
  Search Base	Provide distinguished name of the Search Base object Eg:cn=User,dc=domain,dc=com
  Search Filter	Search filters enable you to define search criteria and provide a more efficient and effective searches. Eg: "(&(objectClass=*)(cn=?))"
  Domain Name	Semi-colon separated list of domain. Eg: miniorange.com
  LDAP Attribute List	Semi-colon separated list of attributes. Eg: cn;mail;givenName

  
  
  • Enable Activate LDAP in order to authenticate users from AD/LDAP.
  • Finally click on the save button to add user store.
  
  
  
  • Now select test configuration for the user stores entry that was created and enter the credential of any user present in the Microsoft Entra.
  
  
  
  • On successful LDAP connection to Microsoft Entra a success message will be reflected on your screen.
  
  
  

• Prerequisites:

  Install keytool for windows.(Its installed with java and is present in $JAVA_HOME\bin directory. To use it elsewhere add this directory to PATH variable.)

• To add the client certificate (.cer file) to your JAVA cacerts go to $JAVA_HOME\jre\lib\security and run the following command using command prompt as administrator:
   keytool -importcert -file <Path to .cer file> -keystore cacerts -alias "<Alias for the certificate>"
   Eg:keytool -importcert -file C:\Client.cer -keystore cacerts -alias "azureclient"
NOTE: The default password for the keystore is : changeit




• You can validate if your certificate was properly imported in the cacerts using the following command:
   keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts

External References

• What is LDAP?
• LDAP login for Wordpress
• Configure Azure B2C SSO into Multiple Apps
• Know more about Directory as a Service (DaaS)
• Know how Palo Alto VPN 2FA works