Upcoming March 2020 MS update may break LDAP authentication

Obas1 · February 12, 2020, 8:34pm

Hello, I wanted to make everyone aware of a Microsoft patch due out next month that will default LDAP connections from LDAP to LDAPS. This may cause issues for anyone configured to use standard MS LDAP with any of the BigFix Applications, as well as applications from other vendors. Please review your LDAP configurations to make sure it is configured to use LDAPS (ports 636 or 3269).

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

karinvandenbussche · February 25, 2020, 9:30am

Hi Obas1,

can you get me detailed info on how to make LDAPS work please?

Thanks!

JonL · February 25, 2020, 6:21pm

The most recent guidance I could find is this article:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

Basically Microsoft will be releasing updated policies to better ease the transition for customers to LDAPS which is tentatively scheduled for fall of 2020.

JasonWalker · February 25, 2020, 6:34pm

See https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Console/c_adding_active_directory.html

I haven’t tested this myself in quite a while, but my recollection is that to explicitly use LDAP over SSL we have to configure it as a “Generic LDAP” server.

dyamamoto · February 25, 2020, 6:43pm

That’s exactly what I did yesterday to get LDAP over SSL configured.

I’ve got two LDAP entries showing up now in BigFix. All the operators are showing up in the original LDAP entry. I wasn’t able to find a clear way to migrate the operators over to the new LDAPS entry.

Does anyone have a suggestion?

wilsonchang · February 25, 2020, 8:42pm

I’ve had to do this many times during domain consolidation scenarios. Go into the BFEnterprise database and identify the LdapID to which you want to change (found in the LDAP_SERVERS table). Then go into the USERINFO table and update the appropriate user entries. Best to do this during off-peak hours. Also, I run besadmin /resignsecuritydata afterwards. If you’re not comfortable, then open a support case. At the very least, have a backup just in case.

dyamamoto · February 25, 2020, 8:56pm

Much appreciated. I’ll give this a try in lab.

JasonWalker · February 29, 2020, 2:05pm

MS article updated again (2/28): Security Update Guide - Microsoft Security Response Center

Important The March 10, 2020 and updates in the foreseeable future will not make changes to LDAP signing or LDAP channel binding policies or their registry equivalent on new or existing domain controllers.

It is still highly advisable to use the steps in ther article and related links to convert any legacy LDAP connections to modern sercurity standards.

Donatella · March 3, 2020, 12:22pm

The certification with LDAP channel binding and LDAP signing is completed and no issue reported. We run it on BigFix Platform 9.5.14.