OS X Server: Packet encryption via SSL for Active Directory clients

Learn how to use SSL (Secure Sockets Layer) to encrypt packets between Active Directory clients and servers.

This article has been archived and is no longer updated by Apple.

Using the dsconfigad(8) command, you can allow, disable, or require packet encryption between Active Directory clients and servers.

If packet encryption is used, packets between an Active Directory client and server are encrypted and signed using Kerberos by default. To use SSL instead, issue this command in Terminal as an admin user:

dsconfigad -packetencrypt ssl

If the server uses an untrusted certificate, you'll need to add the root and any necessary intermediate certificates to the client's System keychain using Keychain Access. If you wish to disable verification of the certificate (which should only be done for testing), you can change this line:


to this:


in /etc/openldap/ldap.conf, on the client.

Learn more

For more information, you can view the dsconfigad(8) manual page by typing man dsconfigad in Terminal.

Published Date: