Impact for LDAP channel binding and LDAP signing requirements
03/26/2020
Microsoft has announced that "LDAP Channel Binding and LDAP Signing Requirements" is scheduled for a Windows update coming in March 2020.
AD authentication for SSLVPN users will be affected by this update. This article describes how to avoid the impact beforehand.
In an upcoming release in March 2020, Microsoft will provide a Windows update that by default will change LDAP channel binding and LDAP signing to more secure configurations. The following users are affected:
- SMA100 users who use AD for authentication.
- SMA1000 users who use AD basic and AD advanced.
- How to avoid the impact?
Both SMA100 and SMA1000 need to have the SSL/TLS feature enabled for LDAP.
- Navigate to Portals | Domains, then select the Active Directory domain.
- Enable Use SSL/TLS for LDAPS authentication.
NOTE: TCP port 636 must be open and listening on the Windows Server, and the CA certificate for LDAPS must be imported into the SMA appliance.
- Access the Management Console and go to System Configuration | Authentication Servers.
- Click Edit for AD basic or AD advanced authentication servers.
- Enable Use SSL to secure directory server connection under Active directory over SSL.
- Save, then apply the pending configuration change.
NOTE: TCP port 636 must be open and listening on the Windows Server, and the CA certificate for LDAPS must be imported into the SMA appliance.
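A pre-flight check for the two prerequisites in the NOTE, run from a host that can reach the domain controller. This is an added example, not SonicWall or Microsoft code. The function name, status strings and command-line arguments are hypothetical, and it assumes the CA certificate is available as a PEM file.

```python
import socket
import ssl
import sys


def check_ldaps(host, ca_file, port=636, timeout=5.0):
    """Return (status, detail) for an LDAPS listener.

    status is one of: ok, port_unreachable, ca_unreadable,
    cert_untrusted, tls_failed (names chosen for this example).
    """
    # Prerequisite 1: TCP 636 must be open and listening on the Windows Server.
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:
        return ("port_unreachable", str(exc))

    with raw:
        # Prerequisite 2: the CA certificate that will be imported into the
        # appliance. Passing cafile means ONLY this CA is trusted; the
        # system trust store is not loaded.
        try:
            ctx = ssl.create_default_context(cafile=ca_file)
        except (OSError, ssl.SSLError) as exc:
            return ("ca_unreadable", str(exc))

        # Handshake with chain and hostname verification. Use the same
        # server name here that is configured on the appliance.
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                cert = tls.getpeercert()
                detail = "%s, certificate valid until %s" % (
                    tls.version(), cert.get("notAfter"))
                return ("ok", detail)
        except ssl.SSLCertVerificationError as exc:
            # Wrong CA, expired certificate, or name mismatch.
            return ("cert_untrusted", exc.verify_message)
        except (ssl.SSLError, OSError) as exc:
            return ("tls_failed", str(exc))


if __name__ == "__main__":
    # Usage: python check_ldaps.py <dc-hostname> <ca-file.pem>
    if len(sys.argv) != 3:
        sys.exit("usage: check_ldaps.py <dc-hostname> <ca-file.pem>")
    status, detail = check_ldaps(sys.argv[1], sys.argv[2])
    print("%s: %s" % (status, detail))
    sys.exit(0 if status == "ok" else 1)
```

A result of `cert_untrusted` before the change is made means the LDAPS certificate on the domain controller does not chain to the CA file about to be imported, or does not match the server name used.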