Upcoming March 2020 MS update may break LDAP authentication

Obas1 2020-02-12 20:34:41 UTC #1

Hello, I wanted to make everyone aware of a Microsoft patch due out next month that will default LDAP connections from LDAP to LDAPS. This may cause issues for anyone configured to use standard MS LDAP with any of the BigFix Applications, as well as applications from other vendors. Please review your LDAP configurations to make sure it is configured to use LDAPS (ports 636 or 3269).

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

karinvandenbussche 2020-02-25 09:30:50 UTC #2

Hi Obas1,

can you get me detailed info on how to make LDAPS work please?

Thanks!

JonL 2020-02-25 18:21:20 UTC #3

The most recent guidance I could find is this article:

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

Basically Microsoft will be releasing updated policies to better ease the transition for customers to LDAPS which is tentatively scheduled for fall of 2020.

JasonWalker 2020-02-25 18:34:51 UTC #4

See https://help.hcltechsw.com/bigfix/9.5/platform/Platform/Console/c_adding_active_directory.html

I haven’t tested this myself in quite a while, but my recollection is that to explicitly use LDAP over SSL we have to configure it as a “Generic LDAP” server.

dyamamoto 2020-02-25 18:43:06 UTC #5

That’s exactly what I did yesterday to get LDAP over SSL configured.

I’ve got two LDAP entries showing up now in BigFix. All the operators are showing up in the original LDAP entry. I wasn’t able to find a clear way to migrate the operators over to the new LDAPS entry.

Does anyone have a suggestion?

wilsonchang 2020-02-25 20:42:57 UTC #6

I’ve had to do this many times during domain consolidation scenarios. Go into the BFEnterprise database and identify the LdapID to which you want to change (found in the LDAP_SERVERS table). Then go into the USERINFO table and update the appropriate user entries. Best to do this during off-peak hours. Also, I run besadmin /resignsecuritydata afterwards. If you’re not comfortable, then open a support case. At the very least, have a backup just in case.

dyamamoto 2020-02-25 20:56:39 UTC #7

Much appreciated. I’ll give this a try in lab.

JasonWalker 2020-02-29 14:05:07 UTC #8

MS article updated again (2/28): https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/ADV190023

Important The March 10, 2020 and updates in the foreseeable future will not make changes to LDAP signing or LDAP channel binding policies or their registry equivalent on new or existing domain controllers.

It is still highly advisable to use the steps in ther article and related links to convert any legacy LDAP connections to modern sercurity standards.

Donatella 2020-03-03 12:22:12 UTC #9

The certification with LDAP channel binding and LDAP signing is completed and no issue reported. We run it on BigFix Platform 9.5.14.