Hello there!

Need Help? We are right here!

miniOrange Email Support
success

Thanks for your Enquiry.

If you don't hear from us within 24 hours, please feel free to send a follow-up email to info@xecurify.com

Search Results:

×

Connect Microsoft Entra DS with LDAP


Microsoft Entra is Microsoft’s cloud-based Identity and Access Management (IAM) service, which helps your employees sign in and access resources. miniOrange provides a solution where existing identities in Microsoft Entra Services can be leveraged for Single Sign-On (SSO) into different cloud and on-premise applications. Microsoft Entra supports standard authentication and authorization protocols such as LDAPS, SAML 2.0 and OAUTH 2.0.
To interact with your Microsoft Entra Domain Services managed domain, the Lightweight Directory Access Protocol (LDAP) is mostly used. By default, the LDAP traffic isn't encoded, which is a security concern for many environments. With Microsoft Entra Domain Services, you can configure the managed domain to use secure Lightweight Directory Access Protocol (LDAPS). When you use secure LDAP, the traffic is encrypted. Secure LDAP is also known as LDAP over Secure Sockets Layer (SSL).


How does Microsoft Entra over LDAPS work?


Integrate LDAP with Microsoft Entra DS


Popular Use-Cases around Microsoft Entra Domain Services


SSO into different VPN application

Employees in organization can log into a VPN that supports Radius (OpenVPN, Fortinet, Palo Alto, Pulse Secure etc) using their Microsoft Entra (AD) Credentials.

Two-Factor Authentication (2FA)

Two-factor Authentication (2FA) is used to log in into various application using your Active Directory (AD) Credentials as the first factor and OTP as a second factor on the Application Side.

SSO into Office 365 Applications using Microsoft Entra Credentials

Here Microsoft Entra acts as an Identity Provider to SSO into different Office 365 Applications where miniOrange IdP acts as a broker.



Connect with External Source of Users


miniOrange provides user authentication from various external sources, which can be Directories (like ADFS, Microsoft Active Directory, OpenLDAP, AWS etc), Identity Providers (like Microsoft Entra ID, Okta, AWS), and many more. You can configure your existing directory/user store or add users in miniOrange.




Follow the Step-by-Step guide given below to configure Secure LDAP Connection between Microsoft Entra and miniOrange User Store

1. Create and configure an Microsoft Entra Domain Services instance

(Skip this if you have already configured a AADDS instance for a subscription)

    1. Prerequisites

    • An active Azure subscription.
    • You need global administrator privileges in your Microsoft Entra tenant to enable Microsoft Entra Domain Services either synchronized with an on-premises directory or a cloud-only directory.
    • You need Contributor privileges in your Azure subscription to create the required Microsoft Entra Domain Services resources.

    1.1 Create an instance and configure basic settings

    • In the upper left-hand corner of the Azure portal, click on + Create a resource.
    • Enter Domain Services into the search bar, then choose Microsoft Entra Domain Services from the search suggestions.
    • Microsoft Entra Create Resource

    • On the Microsoft Entra Domain Services page, click on Create. The Enable Microsoft Entra Domain Services wizard is launched.
    • Microsoft Entra Create Domain Service

    • Complete the fields in the Basics window of the Azure portal to create an Microsoft Entra DS instance:
      • Enter a DNS domain name for your managed domain, taking into consideration the previous points.
      • Select the Azure Subscription in which you would like to create the managed domain.
      • Select the Resource group to which the managed domain should belong. Choose to Create new or select an existing resource group.
      • Choose the Azure Location in which the managed domain should be created.
      • Click OK to move on to the Network section.

    1.2 Create and configure the virtual network

    • Complete the fields in the Network window as follows:
      • On the Network window, choose Select virtual network.
      • For this tutorial, choose to Create new virtual network to deploy Microsoft Entra DS into.
      • Enter a name for the virtual network, such as myVnet, then provide an address range, such as 10.1.0.0/16.
      • Create a dedicated subnet with a clear name, such as DomainServices. Provide an address range, such as 10.1.0.0/24.
    • With the virtual network and subnet created, the subnet should be automatically selected, such as DomainServices. You can instead choose an alternate existing subnet that's part of the selected virtual network.
    • Click on OK to confirm the virtual network configuration.

    1.3 Configure an administrative group

    • The wizard automatically creates the AAD DC Administrators group in your Microsoft Entra directory. If you have an existing group with this name in your Microsoft Entra directory, the wizard selects this group. You can optionally choose to add additional users to this AAD DC Administrators group during the deployment process.

      NOTE: We have included members in the administrator group further ahead in this document.

    1.4 Configure Synchronization

    • Microsoft Entra Domain Services lets you synchronize all users and groups available in Microsoft Entra, or a scoped synchronization of only specific groups.
    • Select the scope and then click OK.

      NOTE: Scope cannot be changed later. If the need arises, then creation of new domain will be required.

    1.5 Deploy your managed domain

    • On the Summary page of the wizard, review the configuration settings for the managed domain. You can go back to any step of the wizard to make changes
    • To create the managed domain, click on OK.
    • The process of provisioning your managed domain can take up to an hour. A notification is displayed in the portal that shows the progress of your Microsoft Entra DS deployment. Select the notification to see detailed progress for the deployment.
    • When the managed domain is fully provisioned, the Overview tab shows the domain status as Running.

    • NOTE: During the provisioning process, Microsoft Entra DS creates two Enterprise Applications named Domain Controller Services and AzureActiveDirectoryDomainControllerServices in your directory. These Enterprise Applications are needed to service your managed domain. It's imperative that these applications are not deleted at any time.

2. Create and delegate certificates for secure LDAP

    2.1 Create a Self-Signed Certificate

    • To use Secure LDAP, a digital certificate is used to encrypt the communication. This digital certificate is applied to your Microsoft Entra DS managed domain.
    • Open a PowerShell window as Administrator and run the following commands.

      NOTE: Replace the $dnsName variable with the DNS name used by your own managed domain, such as exampledomain.com. This domain shoud be same as your ADDS managed domain.
    • # Define your own DNS name used by your Microsoft Entra DS managed domain $dnsName="exampledomain.com" # Get the current date to set a one-year expiration $lifetime=Get-Date # Create a self-signed certificate for use with Microsoft Entra DS New-SelfSignedCertificate -Subject *.$dnsName ` -NotAfter $lifetime.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment ` -Type SSLServerAuthentication -DnsName *.$dnsName, $dnsName

    2.2 Export a certificate for Microsoft Entra DS

      Before you can use the digital certificate created in the previous step with your Microsoft Entra DS managed domain, export the certificate to a .PFX certificate file that includes the private key.

    • To open the Run dialog, press the Windows and R keys.
    • Open the Microsoft Management Console (MMC) by entering MMC in the Run dialog, then select OK.
    • On the User Account Control prompt, click Yes to launch MMC as administrator.
    • From the File menu, click Add/Remove Snap-in…
    • In the Certificates snap-in wizard, choose Computer account, then select >Next
    • On the Select Computer page, choose Local computer: (the computer this console is running on), then select Finish.
    • In the Add or Remove Snap-ins dialog, click OK to add the certificates snap-in to MMC.
    • In the MMC window, expand Console Root. Select Certificates (Local Computer), then expand the Personal node, followed by the Certificates node.
    • Windows Certificate to connect with AD DS

    • The self-signed certificate created in the previous step is shown, such as exampledomain.com. Right-click this certificate, then choose All Tasks > Export…
    • Export Windows Certificate for Microsoft Entra LDAP Configuration

    • In the Certificate Export Wizard, select Next.
    • The Private key for the certificate must be exported. If the private key is not included in the exported certificate, the action to enable secure LDAP for your managed domain fails.
      On the Export Private Key page, choose Yes, export the private key, then select Next.
    • Windows Certificate Export with Private key

    • Microsoft Entra DS managed domains only support the .PFX certificate file format that includes the private key. Don't export the certificate as .CER certificate file format without the private key.
    • On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX) as the file format for the exported certificate. Check the box for Include all certificates in the certification path if possible and click next.
    • Windows Personal Information Exchange

    • On the Security page, choose the option for Password to protect the .PFX certificate file. Enter and confirm a password, then select Next. This password is used in the next section to enable secure LDAP for your Microsoft Entra DS managed domain.
    • Windows Password for certificate

    • On the File to Export page, specify the file name and location where you'd like to export the certificate, such as C:\Users\accountname\azure-ad-ds.pfx.
    • On the review page, click on Finish to export the certificate to a .PFX certificate file. A confirmation dialog is displayed when the certificate has been successfully exported
    • Leave the MMC open for use in the following section.

    2.3 Export a certificate for Client Computers

    Client computers must trust the issuer of the secure LDAP certificate to be able to connect successfully to the managed domain using LDAPS. The client computers need a certificate to successfully encrypt data that is decrypted by Microsoft Entra DS. Follow the following steps to export and then install the self-signed certificate into the trusted certificate store on the client computer:

    • Go back to the MMC for Certificates (Local Computer) > Personal > Certificates store. The self-signed certificate created in a previous step is shown, such as exampledomain.com. Right-click this certificate, then choose All Tasks > Export…
    • In the Certificate Export Wizard, select Next.
    • As you don't need the private key for clients, on the Export Private Key page choose No, do not export the private key, then select Next.
    • Windows No Private Key

    • On the Export File Format page, select Base-64 encoded X.509 (.CER) as the file format for the exported certificate:
    • Windows Base64 Encoded certificate

    • On the File to Export page, specify the file name and location where you'd like to export the certificate, such as C:\Users\accountname\client.cer.
    • Windows Save certificate

    • On the review page, select Finish to export the certificate to a .CER certificate file. A confirmation dialog is displayed when the certificate has been successfully exported.

3. Enable Secure LDAP for Microsoft Entra DS

  • In the Azure portal, search for domain services in the Search resources box. Select Microsoft Entra Domain Services from the search result.
  • Microsoft Entra Domain Services Search

  • Choose your managed domain, such as exampledomain.com.
  • Microsoft Entra Domain List

  • On the left-hand side of the Microsoft Entra DS window, choose Secure LDAP.
  • Microsoft Entra Secure Ldap Settings

  • By default, secure LDAP access to your managed domain is disabled. Toggle Secure LDAP to Enable.
  • Toggle Allow secure LDAP access over the internet to Enable.
  • Select the folder icon next to .PFX file with a secure LDAP certificate. Browse to the path of the .PFX file, then select the certificate created in a previous step that includes the private key.
  • Enter the Password to decrypt .PFX file set in a previous step when the certificate was exported to a .PFX file.
  • Click on Save to enable secure LDAP.

    NOTE: A notification is displayed that secure LDAP is being configured for the managed domain. You can't modify other settings for the managed domain until this operation is complete. It takes a few minutes to enable secure LDAP for your managed domain.
  • Microsoft Entra Secure Ldap Configuration

  • A notification is displayed that secure LDAP is being configured for the managed domain. You can't modify other settings for the managed domain until this operation is complete. It takes a few minutes to enable secure LDAP for your managed domain.
  • Microsoft Entra Secure Ldap configured for the managed domain

4. Adding Security Rules

  • On the left-hand side of the Microsoft Entra DS window, choose Properties.
  • Then select the relevant Network Group Associated with this domain under Network security group associated with subnet.
  • Microsoft Entra Network group

  • The list of existing inbound and outbound security rules are displayed. On the left-hand side of the network security group windows, choose Security > Inbound security rules.
  • Select Add, then create a rule to allow TCP port 636.
  • Option A: Add an Inbound Security Rule to allow all incoming TCP requests.

  • Settings Value
    Source Any
    Source port ranges *
    Destination Any
    Destination port ranges 636
    Protocol TCP
    Action Allow
    Priority 401
    Name AllowLDAPS

  • Option B: Add an Inbound Security Rule to allow incoming TCP requests from a specified set of IP Addresses.(Recommended)

  • Settings Value
    Source IP Addresses
    Source IP addresses / CIDR ranges Valid IP address or range for your environment.
    Source port ranges *
    Destination Any
    Destination port ranges 636
    Protocol TCP
    Action Allow
    Priority 401
    Name AllowLDAPS

    Microsoft Entra Security Rules

  • When ready, click on Add to save and apply the rule.

5. Configure DNS for External Access

  • With secure LDAP access enabled over the internet, update the DNS zone so that client computers can find this managed domain. The Secure LDAP external IP address is listed on the Properties tab for your Microsoft Entra DS managed domain:
  • Microsoft Entra External IP Address

  • Make the following entry in your hosts file <Secure LDAP external IP address>ldaps.<domainname>
    Replace <Secure LDAP external IP address> with the IP we get from azure portal and replace
    &l;tdomainname> with the domain name for which the certificate was created.(Value used in $dnsName)
    Eg: 99.129.99.939 ldaps.exampledomain.com

6. Enabling a user to bind successfully

  • On the left-hand side of the Microsoft Entra DS window, choose Properties.
  • Then select the relevant Admin Group Associated with this domain.
  • Microsoft Entra DS Admin Groups

  • Then select Members under the Manage tab from the left hand side panel.
  • Microsoft Entra DS Add Admin

  • Click on Add Members and select the member that you would use to do the bind operation. Then log in to azure portal using the same user that is now admin.(If not already logged in)
  • Select the user setting from top right corner and click on view account.
  • Microsoft Entra DS View Account

  • Then select Set up self service password reset and go along with its setup.
  • Microsoft Entra DS Self Service Password Reset

  • After Successful setup select Azure Portal from the list of apps.
  • Microsoft Entra DS All Apps

  • Then again go to the user profile and select change password.
  • Microsoft Entra DS Change Password

  • Once the password is changed successfully then this user is eligible for binding operation.

7. Configure miniOrange Identity Provider as User Store



  • In this case you will have to send the Client Certificate to miniOrange and we will configure it for you.
  • Configure the User Store in the IDP
    • From the Identity Provider select User Stores from the left hand side panel.
    • Select Add User Store.
    • Select User Store

    • Select AD/LDAP and fill in the following details :
    • Switch to AD LDAP


      Field Value
      LDAP display name Any string that displays on this entry
      LDAP Identifier Unique identifier that identifies this specific entry
      Directory Type Active Directory
      LDAP Server URL Select ldaps:// as the pre filler followed by the domain entry added in the host file during configure DNS for external access. Eg: ldaps://ldaps.exampledomain.com
      Bind Account DN UserPrincipalName of the account eligible for binding operation.
      Bind Account Password Password for the account used for binding
      Search Base Provide distinguished name of the Search Base object Eg:cn=User,dc=domain,dc=com
      Search Filter Search filters enable you to define search criteria and provide a more efficient and effective searches. Eg: "(&(objectClass=*)(cn=?))"
      Domain Name Semi-colon separated list of domain. Eg: miniorange.in
      LDAP Attribute List Semi-colon separated list of attributes. Eg: cn;mail;givenName

    • Enable Activate LDAP in order to authenticate users from AD/LDAP.
    • Finally click on the save button to add user store.
    • Save User Store settings

    • Now select test configuration for the user stores entry that was created and enter the credential of any user present in the Microsoft Entra.
    • Test Configuration

    • On successful LDAP connection to Microsoft Entra a success message will be reflected on your screen.
    • LDAPs connection to Microsoft Entra Successful

  • Prerequisites:

    Install keytool for windows.(Its installed with java and is present in $JAVA_HOME\bin directory. To use it elsewhere add this directory to PATH variable.)

  • To add the client certificate (.cer file) to your JAVA cacerts go to $JAVA_HOME\jre\lib\security and run the following command using command prompt as administrator:
     keytool -importcert -file <Path to .cer file> -keystore cacerts -alias "<Alias for the certificate>"
     Eg:keytool -importcert -file C:\Client.cer -keystore cacerts -alias "azureclient"
  • NOTE: The default password for the keystore is : changeit

    Windows Import Certificate

  • You can validate if your certificate was properly imported in the cacerts using the following command:
     keytool -list -v -keystore $JAVA_HOME/jre/lib/security/cacerts
  • Microsoft Windows List Certificate

    Microsoft Windows Validate Certificate

External References

Want To Schedule A Demo?

Request a Demo
  



Our Other Identity & Access Management Products