Setting up TLS-Secured LDAP Connection from Sonicwall to DC

For whatever reason, some Sonicwalls will not communicate with some Domain Controllers simply by selecting “Use TLS”. I’ve had some work just fine with this (and using the StartTLS verb), while every once in a while I see errors like “LDAP Communication Error” or “Error initializing SSL/TLS, data 0, v1db1:”.

I’m sure if I had more time I’d know the root cause, but here’s the fix.

  1. On the Server, install the Active Directory Certificate Authority role and just the IIS Management Console (no need for the IIS service itself).
    1. On a typical DC the defaults for the AD CA setup are fine – store the authority in AD.
    2. Again, just install the IIS Console – no need to install IIS and add attack vectors!
  2. Open the Certificates console by opening MMC.EXE, going to File -> Add/Remove Snap-in and selecting Certificates. You’ll want the Local Machine’s Computer store.
  3. Expand Trusted Root CAs and export the newly created CA certificate for your domain.
    1. Right-click the Certificate and Export.
    2. Save to a file on the desktop, etc. – use the .P7B format to make the Sonicwall happy.
    3. I selected the “Include all Certificates in Chain” option.
  4. Open the IIS Console and click the server name. There will be only one or two options, one will be for Server Certificates. Double-click that to open.
  5. Click the Create Domain Certificate link on the right. Enter information for a Sonicwall-specific certificate. Select Next and select the domain’s certificate authority.
  6. Once created, go back into the Certificates console, right-click the new certificate and export it with the private key. You’ll need to set a password to protect this key (it’s temporary, since you’ll delete this file at the end of this process).
  7. You now have the CA Certificate and a signed certificate for the Sonicwall using that CA.
  8. Log into the Sonicwall. Go to System -> Certificates.
  9. Click the Import button, select the option to import a CA. Select the file created above and import the CA.
  10. Click the Import button again. Select the option to import a certificate. Enter the password used above to protect it, as well as a “Friendly Name” and the certificate file itself.
  11. Confirm both the CA and the certificate show up in the Sonicwall’s page.
    Important! Make sure the certificate shows a Validated status of Yes – otherwise it won’t be selectable in the next steps.
  12. Go to Users -> Settings. Click the Configure LDAP button. You’ll want to use Port 636, and you’ll want to select the Use TLS (SSL) checkbox. Select the newly imported certificate.
  13. Click Apply to save your changes and then check that you can still authenticate using LDAP.
  14. If you have issues, you might want to check your DC’s GPO/Local GPO for LDAP signing.
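If you want to see exactly what the Sonicwall sees before blaming the firewall, the following PowerShell script is an added check (it is not part of the original post and not Sonicwall or Microsoft code). Run it from any domain workstation after step 13: it opens a TLS session to port 636, then builds the certificate chain itself using the .P7B exported in step 3 as the only trust anchor, so the result does not depend on what the workstation’s own store happens to trust. It also reports whether the certificate carries the Server Authentication EKU (Schannel will not present a certificate for LDAPS without it) and whether the DC’s name appears in the certificate. The DC name, the path to the exported .P7B and the port are assumed placeholders; the `Get-LdapSigningRequirement` function is for step 14 and must be run on the DC itself.

```powershell
<#
  Added verification script (not from the original post). Confirms that the DC answers TLS
  on 636 with a certificate that chains to the CA exported in step 3.
  Assumed placeholders: DC name, path to the exported .p7b, port.
#>
param(
    [string]$DomainController = 'dc01.corp.example',                     # assumed placeholder
    [int]$Port = 636,
    [string]$CaBundlePath = "$env:USERPROFILE\Desktop\domain-ca.p7b"      # assumed: the .p7b from step 3
)

function Get-RootCaFromBundle {
    param([string]$Path)
    # A .p7b may hold the whole chain; the CA root is the self-signed entry.
    $bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    $bundle.Import($Path)
    $root = $bundle | Where-Object { $_.Subject -eq $_.Issuer } | Select-Object -First 1
    if (-not $root) { throw "No self-signed CA certificate found in $Path" }
    return $root
}

function Test-LdapsEndpoint {
    param(
        [string]$Server,
        [int]$TcpPort,
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Ca
    )
    $tcp = New-Object System.Net.Sockets.TcpClient
    $tcp.Connect($Server, $TcpPort)
    # Accept whatever is presented during the handshake; the chain is validated explicitly
    # below against the exported CA, not against this workstation's trust store.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
    try {
        $ssl.AuthenticateAsClient($Server)
        $serverCert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $ssl.RemoteCertificate

        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $null = $chain.ChainPolicy.ExtraStore.Add($Ca)
        $chain.ChainPolicy.RevocationMode = 'NoCheck'
        # Let Build() succeed even if the root is not in the local store, then insist the
        # root it found is the CA we exported (thumbprint match).
        $chain.ChainPolicy.VerificationFlags = 'AllowUnknownCertificateAuthority'
        $built = $chain.Build($serverCert)
        $root  = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate

        [pscustomobject]@{
            Server             = $Server
            Protocol           = $ssl.SslProtocol
            Subject            = $serverCert.Subject
            Issuer             = $serverCert.Issuer
            NotAfter           = $serverCert.NotAfter
            # Schannel only offers a certificate for LDAPS if it has the Server Authentication EKU.
            HasServerAuthEku   = [bool]($serverCert.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
            NameMatchesDC      = [bool]($serverCert.DnsNameList.Unicode -contains $Server)
            ChainsToExportedCA = [bool]($built -and ($root.Thumbprint -eq $Ca.Thumbprint))
        }
    }
    finally {
        $ssl.Dispose()
        $tcp.Dispose()
    }
}

function Get-LdapSigningRequirement {
    # Step 14 check; run on the DC. The "Domain controller: LDAP server signing requirements"
    # policy writes LDAPServerIntegrity: 1 = None, 2 = Require signing.
    $params = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $value = (Get-ItemProperty -Path $params -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    switch ($value) {
        2       { 'Require signing' }
        1       { 'None' }
        default { 'Not set (defaults to None)' }
    }
}

$ca = Get-RootCaFromBundle -Path $CaBundlePath
Test-LdapsEndpoint -Server $DomainController -TcpPort $Port -Ca $ca | Format-List
```

If `ChainsToExportedCA` comes back False, the certificate the DC is presenting was not issued by the CA you imported into the Sonicwall (for example, an older self-signed or different-CA certificate is still being picked up), and the Sonicwall will reject the connection no matter which certificate you select in step 12. If the handshake itself fails before any certificate is returned, look at LDAP signing and the Schannel settings on the DC rather than at the Sonicwall side.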