This article explains all the steps needed to configure AirID Virtual.

Setting up LDAPS

AirID Virtual uses LDAP over TLS (LDAPS) to connect securely to your Active Directory. To be sure that AirID Virtual is really communicating with your Active Directory and not with one supplied by an attacker, you need to upload the certificate your Active Directory will present during the connection. Only the Active Directory that holds the certificate (and its private key) you provide is allowed to be used with AirID Virtual. Microsoft also recommends the use of LDAPS in its latest security guidelines.

To enable LDAPS you need to create a certificate for your Active Directory to use. You can do so with OpenSSL; a Windows build can be downloaded via the OpenSSL Wiki.

Create a new file named req.conf (the name used in the command below) with the following contents. Replace the values in <> with your own values:

[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = <ISO 3166-1 two-letter country code (e.g. DE)>
ST = <State>
L = <City>
O = <Company Name>
OU = <Organizational Unit>
CN = <DNS hostname of your Active Directory>
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = <DNS Fully Qualified Domain Name of your Active Directory>
DNS.2 = <Alternative hostname (remove this line if there is none)>
IP.1 = <External IP address of the host>
IP.2 = <IP address that DNS.1 resolves to (remove this line if it is the same as IP.1)>

To create the key and the certificate execute the following command:

openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout key.pem -out cert.pem -config req.conf -extensions v3_req

Create a p12 file from the two files created in the last step:

openssl pkcs12 -export -out ldaps.p12 -in cert.pem -inkey key.pem -passout pass:<Enter Pwd>

The newly exported p12 file needs to be imported into your Windows Server’s certificate store. To do so, open a shell with administrative rights and start the Management Console by running “mmc”. Click File → Add Snap-In.

Select “Certificates” and click “Add”.

Choose “Service Account”.

Select “Local Computer” and click “Next”.

In the Certificates Snap-In window select “Active Directory Domain Services” and click “Finish”. Close the following window with “OK” as well.

Expand the certificate tree and right-click on “NTDS\Personal”. Then choose “All Tasks” and “Import”.

After confirming the initial dialog with “Next”, browse to the file created in the previous step.

In the following screen, enter the password you defined in the command line call above. Make sure that the checkboxes “Include all extended properties” and “Mark this key as exportable” are checked.

Keep the default settings in the following screen and finish the import wizard.
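
The following shell script, added here as an example and not part of the AirID documentation, runs the certificate creation from the steps above with constructed sample values (dc01.example.internal and 192.0.2.10 are assumptions) and then checks what the pinning described at the start depends on: that the certificate names the domain controller in its SAN with the serverAuth EKU, and that the fingerprint of the certificate you upload equals the one the domain controller presents on port 636 after the import. It assumes a Unix-style shell with OpenSSL on the path.

```shell
# Added example (not from the AirID documentation): builds the LDAPS certificate
# with this article's req.conf layout, then checks it and computes fingerprints.
set -eu
# Constructed sample values (assumptions); replace with your own AD data.
AD_FQDN="dc01.example.internal"
AD_IP="192.0.2.10"
WORKDIR="$(mktemp -d)"
# Write req.conf as laid out in the article, filled with the sample values.
write_req_conf() {
    cat > "$WORKDIR/req.conf" <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
C = DE
ST = Example-State
L = Example-City
O = Example Company
OU = IT
CN = $AD_FQDN
[v3_req]
keyUsage = keyEncipherment, dataEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = $AD_FQDN
IP.1 = $AD_IP
EOF
}
# The article's command, writing key.pem and cert.pem into WORKDIR.
make_cert() {
    write_req_conf
    openssl req -x509 -nodes -days 730 -newkey rsa:2048 -keyout "$WORKDIR/key.pem" \
        -out "$WORKDIR/cert.pem" -config "$WORKDIR/req.conf" -extensions v3_req 2>/dev/null
}
# Succeeds only if the SAN names the AD host and the EKU allows server use;
# LDAPS clients match the hostname against the SAN, not against the CN.
check_cert() {
    text="$(openssl x509 -in "$WORKDIR/cert.pem" -noout -text)"
    printf '%s\n' "$text" | grep -q "DNS:$AD_FQDN" &&
        printf '%s\n' "$text" | grep -q "TLS Web Server Authentication"
}
# SHA-256 fingerprint of the generated certificate (the one you upload).
cert_fingerprint() { openssl x509 -in "$WORKDIR/cert.pem" -noout -fingerprint -sha256 | cut -d= -f2; }
# Fingerprint the DC presents on 636 after the import; must equal cert_fingerprint.
server_fingerprint() {
    openssl s_client -connect "$1:636" -servername "$1" </dev/null 2>/dev/null |
        openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}
```

server_fingerprint needs network access to the domain controller, so run `server_fingerprint "$AD_FQDN"` after the import and compare its output with `cert_fingerprint`; any difference means the domain controller is serving a different certificate than the one you uploaded.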

Creating a read-only user

For AirID Virtual to communicate successfully with your Active Directory, you need to create a read-only user in it.

Creating administrative and user groups

Two groups have to be created in the AD:

  • AMA-Admin

  • AMA-User

These groups are to be assigned to all AD users who want to use AirID Virtual in the future:

  • administrative users get "AMA-Admin" and

  • end users without administrative rights get "AMA-User".

Adding user information

Users must have an e-mail address and a mobile phone number entered in the corresponding fields of the standard AD schema. A user without these entries cannot be sent an invitation e-mail and will therefore not be able to use AirID Virtual.

Configure connection details