Impact for LDAP channel binding and LDAP signing requirements
03/26/2020
Description
Microsoft has announced that "LDAP Channel Binding and LDAP Signing Requirements" is scheduled for a Windows update in March 2020.
AD authentication for SSLVPN users will be affected by this update. This article describes how to avoid the impact beforehand.
Cause
In an upcoming release in March 2020, Microsoft will provide a Windows update that will, by default, change LDAP channel binding and LDAP signing to more secure configurations:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
Resolution
- SMA100 users who use AD for authentication.
- SMA1000 users who use AD basic and AD advanced.
- How to avoid the impact?
Both SMA100 and SMA1000 need the SSL/TLS feature enabled for LDAP.
SMA100 series
- Navigate to Portals | Domains, then select the Active Directory domain.
- Enable Use SSL/TLS for LDAPS authentication.
NOTE: TCP port 636 needs to be open/listening on the Windows Server, and the CA cert for LDAPS needs to be imported into the SMA appliance.
SMA1000 series
- Access the Management Console and go to System Configuration | Authentication Servers.
- Click Edit for AD basic or AD advanced authentication servers.
- Enable Use SSL to secure directory server connection under Active directory over SSL.
- Save, then apply the pending configuration change.
NOTE: TCP port 636 needs to be open/listening on the Windows Server, and the CA cert for LDAPS needs to be imported into the SMA appliance.
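The two prerequisites in the NOTE can be checked from an admin workstation before the SSL/TLS option is enabled. The Python script below is an added example, not SonicWall code: it connects to TCP 636 and validates the server's LDAPS certificate against only the CA file you intend to import. The host name and CA file path are operator-supplied placeholders, the status names are this example's own, and the appliance's own certificate and name checks are assumed, not confirmed, to behave the same way.

```python
import socket
import ssl
import sys


def check_ldaps(host, ca_file=None, port=636, timeout=5.0):
    """Check the LDAPS prerequisites; returns (status, detail).

    ca_file is the PEM CA certificate that will be imported into the
    appliance; when given, it is the only trust anchor used.
    """
    try:
        # With cafile set, the system trust store is not loaded.
        ctx = ssl.create_default_context(cafile=ca_file)
    except (OSError, ssl.SSLError) as exc:
        return ("bad_ca_file", str(exc))

    # Prerequisite 1: TCP 636 is open/listening on the Windows Server.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("port_unreachable", str(exc))

    # Prerequisite 2: the server's LDAPS certificate chains to the CA.
    with sock:
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                detail = f"{tls.version()}, cert valid until {cert['notAfter']}"
                return ("ok", detail)
        except ssl.SSLCertVerificationError as exc:
            # Unknown CA, expired certificate, or name mismatch.
            return ("cert_untrusted", exc.verify_message)
        except OSError as exc:
            # No TLS on this port, handshake failure, reset or timeout.
            return ("tls_failed", str(exc))


if __name__ == "__main__":
    # Usage: python check_ldaps.py <dc-hostname> [ca.pem]
    # Both arguments are placeholders supplied by the operator.
    if len(sys.argv) < 2:
        sys.exit("usage: check_ldaps.py <dc-hostname> [ca.pem]")
    ca = sys.argv[2] if len(sys.argv) > 2 else None
    status, detail = check_ldaps(sys.argv[1], ca_file=ca)
    print(f"{status}: {detail}")
    sys.exit(0 if status == "ok" else 1)
```

A result of port_unreachable points to the firewall or listener on the Windows Server, while cert_untrusted means the CA file does not match the certificate the server presents or the name used does not match the certificate.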