Tutorial: Configure secure LDAP for an Azure Active Directory Domain Services managed domain

To communicate with your Azure Active Directory Domain Services (Azure AD DS) managed domain, the Lightweight Directory Access Protocol (LDAP) is used. By default, the LDAP traffic isn't encrypted, which is a security concern for many environments.

With Azure AD DS, you can configure the managed domain to use secure Lightweight Directory Access Protocol (LDAPS). When you use secure LDAP, the traffic is encrypted. Secure LDAP is also known as LDAP over Secure Sockets Layer (SSL) / Transport Layer Security (TLS).

This tutorial shows you how to configure LDAPS for an Azure AD DS managed domain.

In this tutorial, you learn how to:

  • Create a digital certificate for use with Azure AD DS
  • Enable secure LDAP for Azure AD DS
  • Configure secure LDAP for use over the public internet
  • Bind and test secure LDAP for a managed domain

If you don't have an Azure subscription, create an account before you begin.

Prerequisites

To complete this tutorial, you need the following resources and privileges:

Sign in to the Azure portal

In this tutorial, you configure secure LDAP for the managed domain using the Azure portal. To get started, first sign in to the Azure portal.

Create a certificate for secure LDAP

To use secure LDAP, a digital certificate is used to encrypt the communication. This digital certificate is applied to your managed domain, and lets tools like LDP.exe use secure encrypted communication when querying data. There are two ways to create a certificate for secure LDAP access to the managed domain:

  • A certificate from a public certificate authority (CA) or an enterprise CA.
    • If your organization gets certificates from a public CA, get the secure LDAP certificate from that public CA. If you use an enterprise CA in your organization, get the secure LDAP certificate from the enterprise CA.
    • A public CA only works when you use a custom DNS name with your managed domain. If the DNS domain name of your managed domain ends in .partner.onmschina.cn, you can't create a digital certificate to secure the connection with this default domain. Microsoft owns the .partner.onmschina.cn domain, so a public CA won't issue a certificate. In this scenario, create a self-signed certificate and use that to configure secure LDAP.
  • A self-signed certificate that you create yourself.
    • This approach is good for testing purposes, and is what this tutorial shows.

The certificate you request or create must meet the following requirements. Your managed domain encounters problems if you enable secure LDAP with an invalid certificate:

  • Trusted issuer - The certificate must be issued by an authority trusted by the computers that connect to the managed domain using secure LDAP. This authority may be a public CA or an enterprise CA trusted by those computers.
  • Lifetime - The certificate must be valid for at least the next 3-6 months. Secure LDAP access to your managed domain is disrupted when the certificate expires.
  • Subject name - The subject name on the certificate must be your managed domain. For example, if your domain is named aaddscontoso.com, the certificate's subject name must be *.aaddscontoso.com.
    • The DNS name or subject alternative name of the certificate must be a wildcard so that secure LDAP works properly with Azure AD Domain Services. Domain controllers use random names and can be removed or added to ensure the service remains available.
  • Key usage - The certificate must be configured for digital signatures and key encipherment.
  • Certificate purpose - The certificate must be valid for TLS server authentication.

There are several tools available to create a self-signed certificate, such as OpenSSL, Keytool, MakeCert, and the New-SelfSignedCertificate cmdlet.

In this tutorial, let's create a self-signed certificate for secure LDAP using the New-SelfSignedCertificate cmdlet.

Open a PowerShell window as Administrator and run the following commands. Replace the $dnsName variable with the DNS name used by your own managed domain, such as aaddscontoso.com:

# Define your own DNS name used by your managed domain
$dnsName="aaddscontoso.com"

# Get the current date to set a one-year expiration
$lifetime=Get-Date

# Create a self-signed certificate for use with Azure AD DS
New-SelfSignedCertificate -Subject *.$dnsName `
  -NotAfter $lifetime.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment `
  -Type SSLServerAuthentication -DnsName *.$dnsName, $dnsName

The following example output shows that the certificate was successfully generated and is stored in the local certificate store (LocalMachine\MY):

PS C:\WINDOWS\system32> New-SelfSignedCertificate -Subject *.$dnsName `
>>   -NotAfter $lifetime.AddDays(365) -KeyUsage DigitalSignature, KeyEncipherment `
>>   -Type SSLServerAuthentication -DnsName *.$dnsName, $dnsName.com

   PSParentPath: Microsoft.PowerShell.Security\Certificate::LocalMachine\MY

Thumbprint                                Subject
----------                                -------
959BD1531A1E674EB09E13BD8534B2C76A45B3E6  CN=aaddscontoso.com
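Because an invalid certificate makes the later "enable secure LDAP" step fail, it is worth checking the generated certificate against the requirements listed above before exporting it. The following PowerShell is an added example, not part of the tutorial: it reads the certificate back from LocalMachine\My and reports every requirement it misses (wildcard subject and SAN, DigitalSignature + KeyEncipherment key usage, the TLS server authentication EKU, remaining lifetime, and presence of the private key). The $dnsName value and the six-month minimum lifetime are assumptions you can adjust.

```powershell
# Added example: validate a LocalMachine\My certificate against the secure LDAP requirements.
# $dnsName is assumed to be your managed domain's DNS name (replace it with your own).
$dnsName = "aaddscontoso.com"

function Test-LdapsCertificate {
    param(
        [Parameter(Mandatory)][System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [Parameter(Mandatory)][string]$DnsName,
        [int]$MinimumMonths = 6          # assumption: the upper end of the tutorial's 3-6 month guidance
    )
    $serverAuthOid = "1.3.6.1.5.5.7.3.1" # id-kp-serverAuth (TLS server authentication)
    $problems = @()

    # Subject name must be the wildcard for the managed domain.
    if ($Cert.Subject -ne "CN=*.$DnsName") {
        $problems += "Subject is '$($Cert.Subject)', expected 'CN=*.$DnsName'"
    }

    # The SAN list must carry the wildcard so any randomly named domain controller matches.
    if ($Cert.DnsNameList.Unicode -notcontains "*.$DnsName") {
        $problems += "Subject alternative names do not include '*.$DnsName'"
    }

    # Key usage must include both Digital Signature and Key Encipherment.
    $ku = $Cert.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509KeyUsageExtension] } |
        Select-Object -First 1
    $required = [System.Security.Cryptography.X509Certificates.X509KeyUsageFlags]'DigitalSignature, KeyEncipherment'
    if (-not $ku -or (($ku.KeyUsages -band $required) -ne $required)) {
        $problems += "Key usage is '$($ku.KeyUsages)', expected DigitalSignature and KeyEncipherment"
    }

    # Enhanced key usage must allow TLS server authentication.
    if ($Cert.EnhancedKeyUsageList.ObjectId -notcontains $serverAuthOid) {
        $problems += "Certificate is not valid for server authentication (EKU $serverAuthOid missing)"
    }

    # Azure AD DS rejects certificates that expire soon; require some remaining lifetime.
    if ($Cert.NotAfter -lt (Get-Date).AddMonths($MinimumMonths)) {
        $problems += "Certificate expires $($Cert.NotAfter), less than $MinimumMonths months away"
    }

    # The .PFX upload to the managed domain needs the private key.
    if (-not $Cert.HasPrivateKey) {
        $problems += "Private key is not available in this store"
    }

    [pscustomobject]@{
        Thumbprint = $Cert.Thumbprint
        Subject    = $Cert.Subject
        NotAfter   = $Cert.NotAfter
        IsValid    = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Check every certificate in the local machine personal store that names the domain.
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*$dnsName*" } |
    ForEach-Object { Test-LdapsCertificate -Cert $_ -DnsName $dnsName } |
    Format-List
```

A certificate that reports IsValid = True here still has to be exported with its private key in the next section; the check only confirms the certificate itself matches what the managed domain expects.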

Understand and export required certificates

To use secure LDAP, the network traffic is encrypted using public key infrastructure (PKI).

  • A private key is applied to the managed domain.
    • This private key is used to decrypt the secure LDAP traffic. The private key should only be applied to the managed domain and not widely distributed to client computers.
    • A certificate that includes the private key uses the .PFX file format.
    • The encryption algorithm for the certificate must be TripleDES-SHA1.
  • A public key is applied to the client computers.
    • This public key is used to encrypt the secure LDAP traffic. The public key can be distributed to client computers.
    • Certificates without the private key use the .CER file format.

These two keys, the private and public keys, make sure that only the appropriate computers can successfully communicate with each other. If you use a public CA or enterprise CA, you are issued a certificate that includes the private key and can be applied to a managed domain. The public key should already be known and trusted by client computers.

In this tutorial, you created a self-signed certificate with the private key, so you need to export the appropriate private and public components.

Export a certificate for Azure AD DS

Before you can use the digital certificate created in the previous step with your managed domain, export the certificate to a .PFX certificate file that includes the private key.

  1. To open the Run dialog, select the Windows + R keys.

  2. Open the Microsoft Management Console (MMC) by entering mmc in the Run dialog, then select OK.

  3. On the User Account Control prompt, select Yes to launch MMC as administrator.

  4. From the File menu, select Add/Remove Snap-in...

  5. In the Certificates snap-in wizard, choose Computer account, then select Next.

  6. On the Select Computer page, choose Local computer: (the computer this console is running on), then select Finish.

  7. In the Add or Remove Snap-ins dialog, select OK to add the certificates snap-in to MMC.

  8. In the MMC window, expand Console Root. Select Certificates (Local Computer), then expand the Personal node, followed by the Certificates node.

    Open the personal certificate store in the Microsoft Management Console

  9. The self-signed certificate created in the previous step is shown, such as aaddscontoso.com. Right-select this certificate, then choose All Tasks > Export...

    Export a certificate in the Microsoft Management Console

  10. In the Certificate Export Wizard, select Next.

  11. The private key for the certificate must be exported. If the private key is not included in the exported certificate, the action to enable secure LDAP for your managed domain fails.

    On the Export Private Key page, choose Yes, export the private key, then select Next.

  12. Managed domains only support the .PFX certificate file format that includes the private key. Don't export the certificate as a .CER certificate file without the private key.

    On the Export File Format page, select Personal Information Exchange - PKCS #12 (.PFX) as the file format for the exported certificate. Check the box for Include all certificates in the certification path if possible:

    Choose the option to export a certificate in PKCS 12 (.PFX) file format

  13. As this certificate is used to decrypt data, you should carefully control access. A password can be used to protect the use of the certificate. Without the correct password, the certificate can't be applied to a service.

    On the Security page, choose the option for Password to protect the .PFX certificate file. The encryption algorithm must be TripleDES-SHA1. Enter and confirm a password, then select Next. This password is used in the next section to enable secure LDAP for your managed domain.

  14. On the File to Export page, specify the file name and location where you'd like to export the certificate, such as C:\Users\accountname\azure-ad-ds.pfx. Keep a note of the password and location of the .PFX file, as this information is required in later steps.

  15. On the review page, select Finish to export the certificate to a .PFX certificate file. A confirmation dialog is displayed when the certificate has been successfully exported.

  16. Leave the MMC open for use in the following section.

Export a certificate for client computers

Client computers must trust the issuer of the secure LDAP certificate to be able to connect successfully to the managed domain using LDAPS. The client computers need a certificate to successfully encrypt data that is decrypted by Azure AD DS. If you use a public CA, the computer should automatically trust these certificate issuers and have a corresponding certificate.

In this tutorial you use a self-signed certificate, and generated a certificate that includes the private key in the previous step. Now let's export and then install the self-signed certificate into the trusted certificate store on the client computer:

  1. Go back to the MMC for the Certificates (Local Computer) > Personal > Certificates store. The self-signed certificate created in a previous step is shown, such as aaddscontoso.com. Right-select this certificate, then choose All Tasks > Export...

  2. In the Certificate Export Wizard, select Next.

  3. As you don't need the private key for clients, on the Export Private Key page choose No, do not export the private key, then select Next.

  4. On the Export File Format page, select Base-64 encoded X.509 (.CER) as the file format for the exported certificate:

    Choose the option to export a certificate in Base-64 encoded X.509 (.CER) file format

  5. On the File to Export page, specify the file name and location where you'd like to export the certificate, such as C:\Users\accountname\azure-ad-ds-client.cer.

  6. On the review page, select Finish to export the certificate to a .CER certificate file. A confirmation dialog is displayed when the certificate has been successfully exported.

The .CER certificate file can now be distributed to client computers that need to trust the secure LDAP connection to the managed domain. Let's install the certificate on the local computer.

  1. Open File Explorer and browse to the location where you saved the .CER certificate file, such as C:\Users\accountname\azure-ad-ds-client.cer.

  2. Right-select the .CER certificate file, then choose Install Certificate.

  3. In the Certificate Import Wizard, choose to store the certificate in the Local machine, then select Next:

    Choose the option to import a certificate to the local machine store

  4. When prompted, choose Yes to allow the computer to make changes.

  5. Choose to Automatically select the certificate store based on the type of certificate, then select Next.

  6. On the review page, select Finish to import the .CER certificate. A confirmation dialog is displayed when the certificate has been successfully imported.
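The two MMC export procedures above (the .PFX with the private key for Azure AD DS, and the .CER without it for clients) and the client-side import can be scripted, which is useful when the .CER has to reach many client computers. The following PowerShell is an added example, not the tutorial's own steps; it uses the PKI module cmdlets Export-PfxCertificate, Export-Certificate and Import-Certificate. The file paths are the tutorial's sample locations, the password is prompted for rather than stored in the script, and it is assumed that your PKI module supports the -CryptoAlgorithmOption parameter (on older builds omit it; TripleDES-SHA1 is the cmdlet's default). Installing into the Trusted Root store mirrors what the import wizard's automatic store selection does for a self-signed certificate.

```powershell
# Added example: export the secure LDAP certificate as .PFX (private key) and .CER (public only),
# then install the .CER into this machine's Trusted Root store. Paths and domain are placeholders.
$dnsName = "aaddscontoso.com"
$pfxPath = "C:\Users\accountname\azure-ad-ds.pfx"
$cerPath = "C:\Users\accountname\azure-ad-ds-client.cer"

# Locate the certificate created earlier by its wildcard subject; take the newest if several exist.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -eq "CN=*.$dnsName" -and $_.HasPrivateKey } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with a private key for *.$dnsName found in LocalMachine\My" }

# The private key leaves the machine in this file, so protect it with a password entered at runtime.
$pfxPassword = Read-Host -Prompt "Password to protect $pfxPath" -AsSecureString

# .PFX with the private key and the certification path. Azure AD DS requires TripleDES-SHA1
# encryption for the .PFX; that is the cmdlet default, stated explicitly here (assumption: the
# installed PKI module accepts -CryptoAlgorithmOption).
Export-PfxCertificate -Cert $cert -FilePath $pfxPath -Password $pfxPassword `
    -ChainOption BuildChain -CryptoAlgorithmOption TripleDES_SHA1 | Out-Null

# .CER for clients: the public certificate only, written as Base-64 encoded X.509 (PEM).
# $cert.RawData is the DER encoding; wrapping it in the PEM header gives the "Base-64 encoded
# X.509 (.CER)" format the export wizard produces, without the private key.
$base64 = [Convert]::ToBase64String($cert.RawData, [Base64FormattingOptions]::InsertLineBreaks)
@("-----BEGIN CERTIFICATE-----", $base64, "-----END CERTIFICATE-----") |
    Set-Content -Path $cerPath -Encoding ascii

# Client side: trust the self-signed certificate by placing it in Trusted Root Certification
# Authorities (the store the import wizard's automatic selection uses for a self-signed cert).
Import-Certificate -FilePath $cerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Confirm: the Root copy carries no private key, and the chain for the original now verifies.
$installed = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $cert.Thumbprint }
[pscustomobject]@{
    PfxExported        = Test-Path $pfxPath
    CerExported        = Test-Path $cerPath
    InstalledInRoot    = ($null -ne $installed)
    RootCopyHasPrivKey = [bool]$installed.HasPrivateKey   # should be False
    ChainVerifies      = $cert.Verify()                   # True once the Root store trusts it
}
```

Only the .CER file should be copied to other client computers; the .PFX stays with whoever uploads it to the managed domain in the next section.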

Enable secure LDAP for Azure AD DS

With a digital certificate created and exported that includes the private key, and the client computer set to trust the connection, now enable secure LDAP on your managed domain. To enable secure LDAP on a managed domain, perform the following configuration steps:

  1. In the Azure portal, enter domain services in the Search resources box. Select Azure AD Domain Services from the search result.

  2. Choose your managed domain, such as aaddscontoso.com.

  3. On the left-hand side of the Azure AD DS window, choose Secure LDAP.

  4. By default, secure LDAP access to your managed domain is disabled. Toggle Secure LDAP to Enable.

  5. Secure LDAP access to your managed domain over the internet is disabled by default. When you enable public secure LDAP access, your domain is susceptible to password brute force attacks over the internet. In the next step, a network security group is configured to lock down access to only the required source IP address ranges.

    Toggle Allow secure LDAP access over the internet to Enable.

  6. Select the folder icon next to .PFX file with secure LDAP certificate. Browse to the path of the .PFX file, then select the certificate created in a previous step that includes the private key.

    Important

    As noted in the previous section on certificate requirements, you can't use a certificate from a public CA with the default .partner.onmschina.cn domain. Microsoft owns the .partner.onmschina.cn domain, so a public CA won't issue a certificate.

    Make sure your certificate is in the appropriate format. If it's not, the Azure platform generates certificate validation errors when you enable secure LDAP.

  7. Enter the Password to decrypt .PFX file that you set in a previous step when the certificate was exported to a .PFX file.

  8. Select Save to enable secure LDAP.

    Enable secure LDAP for a managed domain in the Azure portal

A notification is displayed that secure LDAP is being configured for the managed domain. You can't modify other settings for the managed domain until this operation is complete.

It takes a few minutes to enable secure LDAP for your managed domain. If the secure LDAP certificate you provide doesn't match the required criteria, the action to enable secure LDAP for the managed domain fails.

Some common reasons for failure are an incorrect domain name, a certificate encryption algorithm other than TripleDES-SHA1, or a certificate that expires soon or has already expired. You can re-create the certificate with valid parameters, then enable secure LDAP using this updated certificate.

Lock down secure LDAP access over the internet

When you enable secure LDAP access over the internet to your managed domain, it creates a security threat. The managed domain is reachable from the internet on TCP port 636. It's recommended to restrict access to the managed domain to specific known IP addresses for your environment. An Azure network security group rule can be used to limit access to secure LDAP.

Let's create a rule to allow inbound secure LDAP access over TCP port 636 from a specified set of IP addresses. A default DenyAll rule with a lower priority applies to all other inbound traffic from the internet, so only the specified addresses can reach your managed domain using secure LDAP.

  1. In the Azure portal, select Resource groups on the left-hand side navigation.

  2. Choose your resource group, such as myResourceGroup, then select your network security group, such as aaads-nsg.

  3. The list of existing inbound and outbound security rules is displayed. On the left-hand side of the network security group window, choose Settings > Inbound security rules.

  4. Select Add, then create a rule to allow TCP port 636. For improved security, choose the source as IP Addresses and then specify your own valid IP address or range for your organization.

    Setting                              Value
    Source                               IP Addresses
    Source IP addresses / CIDR ranges    A valid IP address or range for your environment
    Source port ranges                   *
    Destination                          Any
    Destination port ranges              636
    Protocol                             TCP
    Action                               Allow
    Priority                             401
    Name                                 AllowLDAPS

  5. When ready, select Add to save and apply the rule.

    Create a network security group rule to secure LDAPS access over the internet
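The same AllowLDAPS rule can be created with Az PowerShell, which also makes it easy to check afterwards that no broader rule exposes port 636. The following block is an added example, not part of the tutorial; it uses the Az.Network cmdlets Get-AzNetworkSecurityGroup, Add-AzNetworkSecurityRuleConfig and Set-AzNetworkSecurityGroup with the values from the table above. The resource group and NSG names are the tutorial's samples, the source range 203.0.113.0/24 is a constructed placeholder for your organization's addresses, and the Assert-RestrictedSource guard is my own addition to refuse an open-to-the-internet source.

```powershell
# Added example: create the inbound AllowLDAPS rule (TCP 636, priority 401) with Az PowerShell.
# Assumes Connect-AzAccount has already been run. Names and the source range are placeholders.
$resourceGroup = "myResourceGroup"
$nsgName       = "aaads-nsg"
$allowedSource = @("203.0.113.0/24")   # constructed sample; replace with your organization's ranges

function Assert-RestrictedSource {
    param([Parameter(Mandatory)][string[]]$Prefixes)
    # The rule exists to narrow internet exposure of port 636, so reject catch-all sources.
    foreach ($p in $Prefixes) {
        if ($p -in @('*', '0.0.0.0/0', 'Internet', 'Any')) {
            throw "Source '$p' would expose secure LDAP to the whole internet; use specific IP ranges."
        }
    }
}
Assert-RestrictedSource -Prefixes $allowedSource

$nsg = Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup

# Same settings as the portal table: source = your IP ranges, any source port,
# destination Any (*) on TCP 636, Allow, priority 401, name AllowLDAPS.
$nsg | Add-AzNetworkSecurityRuleConfig -Name "AllowLDAPS" `
    -Description "Secure LDAP (TCP 636) from approved source ranges only" `
    -Direction Inbound -Access Allow -Protocol Tcp -Priority 401 `
    -SourceAddressPrefix $allowedSource -SourcePortRange "*" `
    -DestinationAddressPrefix "*" -DestinationPortRange 636 | Out-Null

# Changes made with Add-AzNetworkSecurityRuleConfig are local until the NSG is written back.
$nsg | Set-AzNetworkSecurityGroup | Out-Null

# Verify: list every inbound rule that touches port 636 so an unintended wider rule is visible.
(Get-AzNetworkSecurityGroup -Name $nsgName -ResourceGroupName $resourceGroup).SecurityRules |
    Where-Object { $_.Direction -eq 'Inbound' -and
                   ($_.DestinationPortRange -contains '636' -or $_.DestinationPortRange -contains '*') } |
    Sort-Object Priority |
    Select-Object Name, Priority, Access, @{ n = 'Source'; e = { $_.SourceAddressPrefix -join ',' } }
```

In the verification output, AllowLDAPS should be the only Allow rule listed for port 636; any rule with a source of * or Internet and a lower priority number would override the lock-down.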

Configure DNS zone for external access

With secure LDAP access enabled over the internet, update the DNS zone so that client computers can find this managed domain. The Secure LDAP external IP address is listed on the Properties tab for your managed domain:

View the secure LDAP external IP address for your managed domain in the Azure portal

Configure your external DNS provider to create a host record, such as ldaps, to resolve to this external IP address. To test locally on your machine first, you can create an entry in the Windows hosts file. To successfully edit the hosts file on your local machine, open Notepad as an administrator, then open the file C:\Windows\System32\drivers\etc\hosts

The following example DNS entry, either with your external DNS provider or in the local hosts file, resolves traffic for ldaps.aaddscontoso.com to the external IP address of 168.62.205.103:

168.62.205.103    ldaps.aaddscontoso.com

Test queries to the managed domain

To connect and bind to your managed domain and search over LDAP, you use the LDP.exe tool. This tool is included in the Remote Server Administration Tools (RSAT) package. For more information, see install Remote Server Administration Tools.

  1. Open LDP.exe and connect to the managed domain. Select Connection, then choose Connect....
  2. Enter the secure LDAP DNS domain name of your managed domain created in the previous step, such as ldaps.aaddscontoso.com. To use secure LDAP, set Port to 636, then check the box for SSL.
  3. Select OK to connect to the managed domain.

Next, bind to your managed domain. Users (and service accounts) can't perform LDAP simple binds if you have disabled NTLM password hash synchronization on your managed domain. For more information on disabling NTLM password hash synchronization, see Secure your managed domain.

  1. Select the Connection menu option, then choose Bind....
  2. Provide the credentials of a user account that belongs to the managed domain. Enter the user account's password, then enter your domain, such as aaddscontoso.com.
  3. For Bind type, choose the option for Bind with credentials.
  4. Select OK to bind to your managed domain.

To see the objects stored in your managed domain:

  1. Select the View menu option, and then choose Tree.

  2. Leave the BaseDN field blank, then select OK.

  3. Choose a container, such as AADDC Users, then right-select the container and choose Search.

  4. Leave the pre-populated fields set, then select Run. The results of the query are displayed in the right-hand window, as shown in the following example output:

    Search for objects in your managed domain using LDP.exe

To directly query a specific container, from the View > Tree menu, you can specify a BaseDN such as OU=AADDC Users,DC=AADDSCONTOSO,DC=COM or OU=AADDC Computers,DC=AADDSCONTOSO,DC=COM. For more information on how to format and create queries, see LDAP query basics.
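The LDP.exe connect, bind and search steps above can also be reproduced from PowerShell, which is handy for a repeatable check after the certificate is renewed or the NSG rule changes. The following block is an added example, not part of the tutorial. It first opens a TLS session to port 636 and reports the certificate the managed domain actually presents (subject, SAN wildcard, expiry, and whether this client already trusts it), then performs a simple bind over LDAPS with .NET's System.DirectoryServices.Protocols and searches the AADDC Users container. The host name, domain and BaseDN are the tutorial's sample values; the account is prompted for.

```powershell
# Added example: check the LDAPS certificate and run a bind + search against the managed domain
# without LDP.exe. Host, domain and BaseDN below are the tutorial's sample values (placeholders).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$ldapsHost = "ldaps.aaddscontoso.com"
$domain    = "aaddscontoso.com"
$baseDn    = "OU=AADDC Users,DC=AADDSCONTOSO,DC=COM"

function Get-LdapsServerCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 636)
    # Open a raw TLS session and accept any certificate *for inspection only*, so the server's
    # certificate can be examined even on a client that does not trust it yet.
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        $acceptForInspection = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptForInspection)
        $ssl.AuthenticateAsClient($HostName)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        [pscustomobject]@{
            Subject       = $remote.Subject
            SanNames      = ($remote.DnsNameList.Unicode -join ', ')   # expect the *.domain wildcard
            NotAfter      = $remote.NotAfter                            # renew well before this date
            Thumbprint    = $remote.Thumbprint
            TlsProtocol   = $ssl.SslProtocol
            TrustedByHost = $remote.Verify()   # True once the .CER is in this client's Root store
        }
    } finally { $tcp.Close() }
}

function Search-LdapsDirectory {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [Parameter(Mandatory)][string]$BaseDn,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$Domain
    )
    # fullyQualifiedDnsHostName = $true, connectionless = $false
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($HostName, 636, $true, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.SessionOptions.SecureSocketLayer = $true   # LDAPS: TLS from the first byte
    $conn.SessionOptions.ProtocolVersion   = 3
    # Simple bind sends the password inside the TLS tunnel; this is only acceptable over LDAPS.
    # Simple binds fail if NTLM password hash synchronization is disabled on the managed domain.
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = New-Object System.Net.NetworkCredential($Credential.UserName, $Credential.Password, $Domain)
    try {
        $conn.Bind()
        $request = New-Object System.DirectoryServices.Protocols.SearchRequest(
            $BaseDn, "(objectClass=user)",
            [System.DirectoryServices.Protocols.SearchScope]::Subtree,
            [string[]]@("sAMAccountName", "displayName"))
        $response = $conn.SendRequest($request)
        foreach ($entry in $response.Entries) {
            [pscustomobject]@{
                sAMAccountName = $entry.Attributes["sAMAccountName"][0]
                displayName    = $entry.Attributes["displayName"][0]
                DN             = $entry.DistinguishedName
            }
        }
    } finally { $conn.Dispose() }
}

Get-LdapsServerCertificate -HostName $ldapsHost | Format-List
$cred = Get-Credential -Message "Account in $domain to bind with (user name only, domain is added)"
Search-LdapsDirectory -HostName $ldapsHost -BaseDn $baseDn -Credential $cred -Domain $domain | Format-Table
```

If the first function reports TrustedByHost = False, the client has not imported the .CER from the earlier section; if the bind succeeds but returns no entries, check the BaseDN against the containers shown in LDP.exe's tree view.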

Clean up resources

If you added a DNS entry to the local hosts file of your computer to test connectivity for this tutorial, remove this entry and add a formal record in your DNS zone. To remove the entry from the local hosts file, complete the following steps:

  1. On your local machine, open Notepad as an administrator
  2. Browse to and open the file C:\Windows\System32\drivers\etc\hosts
  3. Delete the line for the record you added, such as 168.62.205.103 ldaps.aaddscontoso.com

Next steps

In this tutorial, you learned how to:

  • Create a digital certificate for use with Azure AD DS
  • Enable secure LDAP for Azure AD DS
  • Configure secure LDAP for use over the public internet
  • Bind and test secure LDAP for a managed domain