Impact for LDAP channel binding and LDAP signing requirements

Description

Microsoft has announced that a Windows update titled "LDAP Channel Binding and LDAP Signing Requirements" is scheduled for March 2020.
AD authentication for SSL VPN users will be affected by this update; this article describes how to avoid the impact beforehand.

Cause

In an upcoming release in March 2020, Microsoft will provide a Windows update that by default changes the LDAP channel binding and LDAP signing settings to more secure configurations.

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

Resolution

  • Who is affected?
  1. SMA100 users who use AD for authentication.
  2. SMA1000 users who use AD Basic or AD Advanced.
  • How to avoid the impact?

    Both SMA100 and SMA1000 need the SSL/TLS (LDAPS) feature enabled for LDAP, so that the connection to the domain controller is encrypted.

SMA100 series

  1. Navigate to Portals | Domains and select the Active Directory domain.
  2. Enable Use SSL/TLS for LDAPS authentication.

    NOTE: TCP port 636 needs to be open and listening on the Windows Server, and the CA certificate for LDAPS needs to be imported into the SMA appliance.

SMA1000 series

  1. Access the Management Console and go to System Configuration | Authentication Servers.
  2. Click Edit for the AD Basic or AD Advanced authentication server.
  3. Enable Use SSL to secure directory server connection under Active directory over SSL.
  4. Save and apply the pending configuration change.

    NOTE: TCP port 636 needs to be open and listening on the Windows Server, and the CA certificate for LDAPS needs to be imported into the SMA appliance.
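Both NOTEs above come down to the same two preconditions: the domain controller must accept connections on TCP 636, and the certificate it presents must chain to the CA certificate that will be imported into the SMA appliance. The following Python script is an added example (not part of the original article and not SonicWall tooling) that checks exactly those two conditions from any host that can reach the domain controller, using only the standard library. The host name, port and CA file path are supplied by you; the values in the __main__ block are placeholders.

```python
"""LDAPS precondition check: is TCP 636 reachable, and does the server
certificate chain to the CA that will be imported into the SMA appliance?
Added example for this article, not SonicWall's own tooling."""
import socket
import ssl
import sys


def check_ldaps(host, port=636, ca_file=None, timeout=5.0):
    """Probe one LDAPS endpoint and return a result dict instead of raising.

    tcp_open  - the TCP handshake to host:port succeeded
    tls_ok    - the TLS handshake succeeded and the server certificate chained
                to ca_file (or to the system trust store when ca_file is None)
    subject   - subject of the presented certificate (only when tls_ok)
    not_after - certificate expiry as reported by the server (only when tls_ok)
    error     - description of the first failure, or None
    """
    result = {"host": host, "port": port, "tcp_open": False, "tls_ok": False,
              "subject": None, "not_after": None, "error": None}
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["tcp_open"] = True
            # Default context verifies the chain and the host name, which is
            # what the appliance will do once the CA certificate is imported.
            ctx = ssl.create_default_context(cafile=ca_file)
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result["tls_ok"] = True
                result["subject"] = {k: v for rdn in cert.get("subject", ())
                                     for k, v in rdn}
                result["not_after"] = cert.get("notAfter")
    except OSError as exc:  # ssl.SSLError, ConnectionRefusedError, timeout
        result["error"] = f"{type(exc).__name__}: {exc}"
    return result


def explain(result):
    """Map a result dict to the remediation hint from the article's NOTE."""
    host, port, err = result["host"], result["port"], result["error"]
    if result["tls_ok"]:
        return (f"OK: LDAPS on {host}:{port} presents a trusted certificate "
                f"(expires {result['not_after']}).")
    if not result["tcp_open"]:
        return (f"FAIL: TCP {port} not reachable on {host}; check that the DC "
                f"is listening and the firewall permits it ({err}).")
    return (f"FAIL: TCP {port} is open on {host} but the TLS handshake failed; "
            f"check the CA certificate to be imported into the SMA ({err}).")


if __name__ == "__main__":
    # Placeholders: pass your domain controller's FQDN and the CA file path.
    target = sys.argv[1] if len(sys.argv) > 1 else "dc01.example.local"
    ca_path = sys.argv[2] if len(sys.argv) > 2 else None
    print(explain(check_ldaps(target, ca_file=ca_path)))
```

Run it with the same server name the SMA domain or authentication server is configured to use, because the host-name check is performed against that name; a certificate issued only to a short host name or an IP address will fail here and on the appliance alike. A TCP failure points at the Windows Server listener or an intervening firewall, while a TLS failure with the port open usually means the wrong CA file or an expired server certificate.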

Related Articles

  • SMA100 End of Support No-Charge Replacement FAQ
  • SMA1000: Post upgrade to 12.5.0 on AWS and Azure, we show the error "Could not retrieve the DNS settings" once we log in to the AMC/CMS console
  • Firmware version required to upgrade to version 12.5.0