This article walks you through how to configure a secure connection between your VIP Enterprise Gateway and your Windows Active Directory server.
After installing the VIP Enterprise Gateway, you must add a user store so that the gateway can authenticate users against Active Directory for first-factor authentication. Symantec recommends LDAPS (LDAP over TLS, TCP port 636) as a best practice so that the bind credentials and directory traffic between the VIP Enterprise Gateway and AD are encrypted rather than sent in clear text over port 389. (See the VIP Enterprise Gateway Installation & Configuration guide for information on adding a user store.)
If you are using a private Certificate Authority (for example, an Enterprise Root CA) in your environment, install the Root CA certificate and any Intermediate CA certificates in the “Trusted CA Store” on each VIP Enterprise Gateway instance. Install the CA chain, not the domain controller's own certificate: the gateway then trusts every domain controller certificate issued by that CA, including renewed ones.
If you do not have a private CA in your environment, export the domain controller's LDAPS certificate (the public certificate only, without the private key) and install it in the “Trusted CA Store” within VIP Enterprise Gateway. Repeat this for every domain controller the user store will contact, and again whenever a certificate is renewed, because a self-signed certificate has no chain the gateway can fall back on.
Note: A domain controller does not listen for LDAPS until a certificate that meets the requirements below is present in its Local Computer Personal certificate store. If an Enterprise CA exists in the forest, domain controllers normally auto-enroll for a Domain Controller or Kerberos Authentication certificate and LDAPS becomes available without manual steps. Without a private CA, nothing is created automatically: a certificate from a public CA, or a self-signed certificate, must be installed on the domain controller before LDAPS works, and that is the certificate you export in the step above.
The domain controller certificate used for LDAPS must satisfy the following three requirements (source: Microsoft MSDN):
• The certificate must be valid for Server Authentication: its Enhanced Key Usage extension must contain the Server Authentication object identifier (OID) 1.3.6.1.5.5.7.3.1.
• The Subject name (CN) or the first DNS entry in the Subject Alternative Name (SAN) extension must match the Fully Qualified Domain Name (FQDN) of the domain controller itself (for example, CN=dc01.corp.example.com), not the name of the CA. The gateway connects to the name you configure in the user store, so that name must be the one in the certificate.
• The domain controller's machine account must have access to the private key, which means the certificate and its key must be in the Local Computer Personal store (Cert:\LocalMachine\My), not in a user's store.
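As an added example (this is not part of the Symantec article and not Symantec's or Microsoft's code), the following PowerShell, run as Administrator on a domain controller, applies the three checks above to every certificate in the Local Computer Personal store, picks the usable one, and then exports what the gateway's Trusted CA Store needs: the issuing CA chain (root and intermediates) when the certificate was issued by a CA, or the certificate itself when it is self-signed. The output folder C:\Temp\ldaps and the assumption that the Trusted CA Store accepts Base64-encoded X.509 (.cer) files are mine.

```powershell
# Added example, not from the original article. Run as Administrator on the DC.
# Assumptions: Windows PowerShell 5.1+, output folder C:\Temp\ldaps (hypothetical),
# gateway Trusted CA Store accepts Base64-encoded X.509 files.

$ServerAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU
$Fqdn          = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName.ToLower()
$OutDir        = 'C:\Temp\ldaps'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

function Test-LdapsCertificate {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # Requirement 1: Enhanced Key Usage must contain Server Authentication.
    $eku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
    $hasServerAuth = $false
    if ($eku) {
        $hasServerAuth = [bool]($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuthOid })
    }

    # Requirement 2: Subject CN or a DNS SAN entry must equal this DC's FQDN.
    $cn = $Cert.GetNameInfo(
        [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false).ToLower()
    $sanNames = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # subjectAltName
    if ($san) {
        # Windows formats the extension as "DNS Name=a.example.com, DNS Name=b.example.com"
        $sanNames = ($san.Format($false) -split ',\s*') |
            ForEach-Object { ($_ -replace '^DNS Name=', '').Trim().ToLower() }
    }
    $nameMatches = ($cn -eq $Fqdn) -or ($sanNames -contains $Fqdn)

    # Requirement 3: the machine account must hold the private key (store is LocalMachine\My).
    $hasKey = $Cert.HasPrivateKey

    [pscustomobject]@{
        Thumbprint    = $Cert.Thumbprint
        Subject       = $Cert.Subject
        Issuer        = $Cert.Issuer
        NotAfter      = $Cert.NotAfter
        ServerAuthEku = $hasServerAuth
        NameMatches   = $nameMatches
        HasPrivateKey = $hasKey
        Usable        = $hasServerAuth -and $nameMatches -and $hasKey -and ($Cert.NotAfter -gt (Get-Date))
    }
}

# Export the public certificate only (no private key) as Base64 PEM.
function Export-Base64Cer {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Path)
    $der = $Cert.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    $b64 = [Convert]::ToBase64String($der, [System.Base64FormattingOptions]::InsertLineBreaks)
    Set-Content -Path $Path -Encoding Ascii -Value "-----BEGIN CERTIFICATE-----`r`n$b64`r`n-----END CERTIFICATE-----"
    Write-Host "Exported $($Cert.Subject) -> $Path"
}

$results = Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-LdapsCertificate -Cert $_ }
$results | Format-Table Thumbprint, Subject, ServerAuthEku, NameMatches, HasPrivateKey, Usable -AutoSize

# Windows picks the LDAPS certificate itself; the one with the latest expiry is the likely choice.
$usable = $results | Where-Object Usable | Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $usable) {
    throw "No certificate in LocalMachine\My meets the LDAPS requirements; this DC will not serve TCP 636."
}
$cert = Get-Item "Cert:\LocalMachine\My\$($usable.Thumbprint)"

if ($cert.Subject -eq $cert.Issuer) {
    # Self-signed, i.e. no private CA: the DC certificate itself goes into the Trusted CA Store.
    Export-Base64Cer -Cert $cert -Path (Join-Path $OutDir "$Fqdn.cer")
}
else {
    # Issued by a CA: export the root and any intermediates, not the leaf, so renewals keep working.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    if (-not $chain.Build($cert)) {
        Write-Warning ("Chain did not build cleanly: " + (($chain.ChainStatus | ForEach-Object StatusInformation) -join '; '))
    }
    # ChainElements[0] is the DC certificate; everything after it is intermediate or root CA.
    $chain.ChainElements | Select-Object -Skip 1 | ForEach-Object {
        Export-Base64Cer -Cert $_.Certificate -Path (Join-Path $OutDir ("ca-{0}.cer" -f $_.Certificate.Thumbprint))
    }
}

# Confirm the DC is actually listening for LDAPS before configuring the gateway user store.
Test-NetConnection -ComputerName $Fqdn -Port 636 | Select-Object ComputerName, RemotePort, TcpTestSucceeded
```

Copy the exported .cer files to each VIP Enterprise Gateway instance and import them into the Trusted CA Store, then point the user store at the FQDN that the table shows as matching (an IP address or a short hostname will fail the name check even though the chain is trusted).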
With a private CA
Without a private CA