One does not simply LDAPS into Mordor: finding and using great tips from tech blogs

If there’s one thing I’ve taken for granted over the years, it’s Microsoft’s TechNet blog. It is just chock full o’ know-how, and always seems to be where my Google (or Bing, in my case) hunts end up.

Another thing I take for granted is being able to log in to stuff. Recently, TechNet proved quite enlightening while I was staring down a very frustrating LDAPS problem which was breaking some internal services. For those unfamiliar with LDAP, it stands for Lightweight Directory Access Protocol. (The S is for Secure.) It’s how third-party applications are able to use your existing Active Directory credentials to authenticate. LDAPS requires a bit more tuning than non-secure LDAP, as server/client/service certificates (certs) come into play. And boy howdy, do they ever.

When deploying applications which rely solely on LDAPS to work, it’s important to get the certs right. This means the template on your CA needs to include the proper Authentication Purpose, the private key must be exportable in the request handling, the server account cert must be renewed and exported as a PFX, and that cert must be re-imported into the DC’s ADDS service account.
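Before re-tracing every one of those steps on the CA and the DC, it helps to see what an LDAPS client actually gets handed. The PowerShell below is an added example (not code from the original post or from TechNet): it completes a TLS handshake with a domain controller on TCP 636, pulls the certificate the DC presents, and reports whether it carries the Server Authentication EKU (OID 1.3.6.1.5.5.7.3.1, the "Authentication Purpose" LDAPS needs), names the DC, is inside its validity period, and chains to a CA this client trusts. The DC name `dc01.example.local` is a placeholder; the TLS validation callback is deliberately relaxed only so that a bad certificate can still be retrieved and inspected.

```powershell
# Added example, not from the original post: a client-side check of the
# certificate a domain controller presents on LDAPS (TCP 636). It reports
# whether the end result of the CA/DC steps above is what an LDAPS client needs.
# 'dc01.example.local' is a placeholder; replace it with your DC's FQDN.

function Get-LdapsCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $DomainController,
        [int] $Port = 636
    )
    # Open a TCP socket and complete a TLS handshake. The validation callback
    # returns $true on purpose: we want the cert even if it is bad, so that
    # Test-LdapsCertificate can report exactly what is wrong with it.
    $client = [System.Net.Sockets.TcpClient]::new($DomainController, $Port)
    $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
    try {
        $ssl.AuthenticateAsClient($DomainController)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally {
        $ssl.Dispose()
        $client.Dispose()
    }
}

function Test-LdapsCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $DomainController
    )
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU, which LDAPS requires

    # Enhanced Key Usage OIDs, read from the EKU extension
    $ekuOids = foreach ($ext in $Certificate.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ext.EnhancedKeyUsages | ForEach-Object { $_.Value }
        }
    }

    # DNS names from the Subject Alternative Name extension (OID 2.5.29.17), plus the subject CN.
    # Format() output differs slightly by platform ("DNS Name=" on Windows, "DNS:" elsewhere),
    # so the regex accepts both.
    $names = @()
    foreach ($ext in $Certificate.Extensions) {
        if ($ext.Oid.Value -eq '2.5.29.17') {
            $names += [regex]::Matches($ext.Format($false), 'DNS(?: Name)?[=:]\s*([^,\s]+)') |
                ForEach-Object { $_.Groups[1].Value }
        }
    }
    $cn = $Certificate.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    if ($cn) { $names += $cn }

    $now = Get-Date
    [pscustomobject]@{
        Subject          = $Certificate.Subject
        Issuer           = $Certificate.Issuer
        NotAfter         = $Certificate.NotAfter
        HasServerAuthEku = $ekuOids -contains $serverAuthOid
        NameMatchesDC    = $names -contains $DomainController   # -contains is case-insensitive
        InValidityPeriod = ($Certificate.NotBefore -le $now) -and ($Certificate.NotAfter -gt $now)
        # Verify() builds and validates the chain against this machine's trust store,
        # i.e. whether this client would actually trust the DC's cert.
        ChainTrusted     = $Certificate.Verify()
    }
}

# Usage: run from a domain member that should be able to reach the DC over LDAPS.
$dc = 'dc01.example.local'   # placeholder DC FQDN
$cert = Get-LdapsCertificate -DomainController $dc
$result = Test-LdapsCertificate -Certificate $cert -DomainController $dc
$result | Format-List
if ($result.HasServerAuthEku -and $result.NameMatchesDC -and $result.InValidityPeriod -and $result.ChainTrusted) {
    'LDAPS certificate looks good from this client.'
} else {
    'LDAPS certificate has a problem; see the fields reported as False above.'
}
```

This only sees the certificate from the network side, the same view a third-party application gets, so it confirms whether the chain of steps produced a usable result but not which step was skipped. A `False` in `HasServerAuthEku` points at the CA template, a wrong name or an expired date points at the renewal, and a handshake that fails outright before any certificate arrives usually means the renewed PFX never made it into the DC's AD DS service store.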

Moral of the story? Don’t dare miss a step.

What great tip have you found in a tech blog?