Documentation for Crowd 1.1. Documentation for other versions of Crowd is available too.

You can configure Crowd to work with Microsoft Active Directory by setting up an LDAP connector in Crowd. If you wish to use Crowd to add principals or change passwords in Active Directory, you will need to install an SSL certificated generated by your Active Directory server and then install the certificate into your JVM keystore.

Prerequisites

Make sure that you have the following installed on your Windows server (domain controller):

Required Component

Description

Windows 2000 Service Pack 2

Required if you are using Windows 2000

Internet Information Services (IIS)

This is required before you can install Windows Certificate Services.

Windows Certificate Services

This installs a certification authority (CA) which is used to issue certificates.

Windows 2000 High Encryption Pack (128-bit)

Required if you are using Windows 2000. Provides the highest available encryption level (128-bit).

Step 1. Install the Microsoft Certificate Services

  1. Using the Active Directory Control Panel – Add/Remove Programs administration tool:
    • Select 'Add/Remove Windows Components' to start the Windows Components Wizard.
    • Place check marks next to 'Certificate Services' and 'Internet Information Services (IIS)'.
    • Click 'Next>'.




  2. Select 'Enterprise root CA' Certificate Authority Type and click 'Next>'.



  3. Enter a 'CA name' (server name) and click 'Next>'.



  4. Leave the 'Data Storage Locations' as default and click 'Next>'.



  5. The software installation process is complete. Click 'Finish'.



  6. Click 'OK' to restart IIS.



  7. You will now need to restart your Microsoft Active Directory Server.

Step 2. Obtain the Server Certificate

The steps above describe how to install the certification authority (CA) on your Microsoft Active Directory server. Next, you will need to add the Microsoft Active Directory server's SSL certificate to the list of accepted certificates used by the JDK that runs your Crowd server.

The Active Directory certificate is automatically generated and placed in root of the C:\ drive, matching a file format similar to the tree structure of your Active Directory server, e.g. c:\crowd-ad2000.ad01.crowd.atlassian.com_ad01.crt.

You can also export the certificate by executing this command on the Active Directory server:

certutil -ca.cert crowd-client.crt

Step 3. Import the Server Certificate

Now you need to import the Active Directory certificate to the list of accepted certificates in your JDK runtime environment.

  • Assuming your JDK is installed here C:\Program Files\Java\jdk1.5.0_12, you will need to run the following command:
    C:\Program Files\Java\jdk1.5.0_12\keytool -import -alias crowd_crt -file crowd-client.crt -keystore "C:\Program Files\Java\jdk1.5.0_12\jre\lib\security\cacerts"
  • The keytool import will prompt you for a password during import. The default keystore password is changeit.
  • When prompted Trust this certificate? [no]: enter 'yes' to confirm the Active Directory Server key import: 
    Enter keystore password:  changeit
Owner: CN=ad01, C=US
Issuer: CN=ad01, C=US
Serial number: 15563d6677a4e9e4582d8a84be683f9
Valid from: Tue Aug 21 01:10:46 ACT 2007 until: Tue Aug 21 01:13:59 ACT 2012
Certificate fingerprints:
         MD5:  D6:56:F0:23:16:E3:62:2C:6F:8A:0A:37:30:A1:84:BE
         SHA1: 73:73:4E:A6:A0:D1:4E:F4:F3:CD:CE:BE:96:80:35:D2:B4:7C:79:C1
Trust this certificate? [no]:  yes
Certificate was added to keystore

You may now use the Secure SSL option when connecting to an Active Directory server with Crowd's built in connectors.

Related Topics

2.2.2.1 Microsoft Active Directory





Except where otherwise noted, content in this space is licensed under a Creative Commons Attribution 2.5 Australia License.