Active Directory requirements for WSTEP enrollment

Each Windows Active Directory forest must meet the following requirements.

LDAPS TLS certificate requirements for Active Directory domain controllers

In each Active Directory domain controller, the TLS certificate for LDAPS must meet the requirements described in:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/enable-ldap-over-ssl-3rd-certification-authority#requirements-for-an-ldaps-certificate

Specifically, this certificate:

  • Must be stored in the NT Directory Services (NTDS) personal certificate store.

  • Must contain the FQDN (Fully Qualified Domain Name) of the Domain Controller as a DNS SAN (Subject Alternative Name).

  • Must use the RSA algorithm.

  • Must include Server Authentication (1.3.6.1.5.5.7.3.1) as an Enhanced Key Usage (EKU).

SRV record requirements for Active Directory LDAP services

Service Location (SRV) resource records for the LDAP Service must be valid for all domains in the forest. Verify this requirement as explained at:

https://learn.microsoft.com/en-us/troubleshoot/windows-server/networking/verify-srv-dns-records-have-been-created

SRV records do not require extra configuration steps, because Active Directory creates and updates them automatically when a domain controller registers its services in DNS.
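The following Go program is an added example, not part of this page or of any vendor tooling, that checks the certificate and SRV requirements above from any host that can reach the domain controller. The first certificate bullet (storage in the NTDS personal store) can only be verified on the DC itself, so the program covers the other three: it fetches the leaf certificate presented on port 636, confirms the key is RSA, that the Server Authentication EKU is present and that the DC FQDN appears as a DNS SAN, and then resolves the `_ldap._tcp.<domain>` SRV record that Active Directory registers. `NewSampleCert` builds self-signed certificates from constructed sample data so the check logic can be exercised without a domain controller; the host names `dc1.corp.example.com` and `corp.example.com` are placeholders, and the program name `ldapscheck` is assumed.

```go
package main

import (
	"crypto"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/rsa"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"os"
	"strings"
	"time"
)

// CheckLDAPSCert tests a DC certificate against the requirements visible in the
// certificate itself and returns one message per failed requirement (empty = pass).
func CheckLDAPSCert(cert *x509.Certificate, dcFQDN string) []string {
	var failures []string
	if _, ok := cert.PublicKey.(*rsa.PublicKey); !ok {
		failures = append(failures, fmt.Sprintf("key algorithm is %T, not RSA", cert.PublicKey))
	}
	hasServerAuth, hasSAN := false, false
	for _, eku := range cert.ExtKeyUsage {
		hasServerAuth = hasServerAuth || eku == x509.ExtKeyUsageServerAuth
	}
	for _, name := range cert.DNSNames { // DNS names compare case-insensitively
		hasSAN = hasSAN || strings.EqualFold(name, dcFQDN)
	}
	if !hasServerAuth {
		failures = append(failures, "EKU lacks Server Authentication (1.3.6.1.5.5.7.3.1)")
	}
	if !hasSAN {
		failures = append(failures, fmt.Sprintf("DNS SANs %v do not include %q", cert.DNSNames, dcFQDN))
	}
	return failures
}

// FetchLDAPSCert returns the leaf certificate a DC presents on port 636; chain
// verification is skipped on purpose because the certificate is only inspected here.
func FetchLDAPSCert(dcFQDN string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", net.JoinHostPort(dcFQDN, "636"),
		&tls.Config{ServerName: dcFQDN, InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

// NewSampleCert self-signs a certificate from constructed sample data (not a real DC
// certificate) so CheckLDAPSCert can be exercised without a domain controller.
func NewSampleCert(sans []string, rsaKey, serverAuth bool) (*x509.Certificate, error) {
	var key crypto.Signer
	var err error
	if rsaKey {
		key, err = rsa.GenerateKey(rand.Reader, 2048)
	} else {
		_, key, err = ed25519.GenerateKey(rand.Reader) // deliberately non-RSA
	}
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		DNSNames:     sans,
		NotBefore:    time.Now(),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if serverAuth {
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	if len(os.Args) != 3 {
		fmt.Fprintln(os.Stderr, "usage: ldapscheck <dc-fqdn> <ad-domain>")
		os.Exit(2)
	}
	dc, domain := os.Args[1], os.Args[2]
	if cert, err := FetchLDAPSCert(dc); err != nil {
		fmt.Println("LDAPS:", err)
	} else {
		fmt.Println("LDAPS certificate failures:", CheckLDAPSCert(cert, dc))
	}
	// AD registers _ldap._tcp.<domain>; an empty or failing lookup means the SRV
	// records for that domain are missing or not resolvable from this host.
	if _, addrs, err := net.LookupSRV("ldap", "tcp", domain); err != nil {
		fmt.Println("SRV:", err)
	} else {
		for _, a := range addrs {
			fmt.Printf("_ldap._tcp.%s -> %s:%d\n", domain, a.Target, a.Port)
		}
	}
}
```

Run it as `ldapscheck dc1.corp.example.com corp.example.com` from a host whose resolver points at the AD DNS servers; in a multi-domain forest repeat the SRV part for each domain, since the records must be valid for all of them. The certificate check is deliberately strict about the FQDN: a SAN that only carries the parent domain or a wildcard is reported as a failure.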