Microsoft Security Update (January 2020)


Article ID: 141349


Products

SITEMINDER

Issue/Introduction

Question about any impact on the LDAP connection to Active Directory from applying the Microsoft Security Update (January 2020).

Active Directory is used as the CA Single Sign-On user store, with the following settings:
- Namespace: LDAP
- Secure connection: Checked-ON

According to Microsoft's announcement, the LDAP connection to AD will change with the January 2020 update:
ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

The advisory states the following effects:
(A) LDAP channel binding (only when using LDAPS)
- LDAP clients that cannot provide a CBT (channel binding token) may fail to connect
(B) Impact of enabling mandatory LDAP signing
- SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds that are not signed cannot be used
- LDAP simple binds that run over clear-text (not SSL/TLS-encrypted) connections are not available

Since LDAP is used for the namespace, the connection between CA Single Sign-On and Active Directory is LDAPS. 

Let us know about the impact on the CA Single Sign-On product (for example, failing to connect to the user store).
Also, if there is an impact, let us know the resolution as well (e.g. disabling the settings in the Registry).

Environment

Release : 12.8

Component : SITEMINDER -Policy Server

OS: Windows Server 2016

Resolution

(A) LDAP channel binding (only when using LDAPS)
- No performance degradation, and in fact a small performance improvement, was observed when comparing the setup without the registry value and with the registry value set (LdapEnforceChannelBinding = 0, 1, 2).
- No issues were observed with connectivity to the Policy Store and User Store while this registry value was set on the AD machine.

(B) Impact by enabling mandatory LDAP signing
- The Policy Store and User Store work on SSL only.
- If connecting on a non-SSL port (such as 389), I get the message "Strong Authentication Required".
smps.log: ...[SmDsLdapConnMgr.cpp:917][ERROR][sm-Ldap-01370] SmDsLdapConnMgr Bind. Server NN.NN.NN.NN : 389. Error 8-Strong authentication reqd
- When LDAP signing is enabled on the AD machine, the Policy Store and User Store should connect on the SSL port only.
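The following PowerShell script is an added example for both (A) and (B) above; it is not part of this article or of the SiteMinder product. Run from the Policy Server host, it reads the two registry values that ADV190023 introduces on the domain controller, performs the same simple bind the Policy Server performs, once on the clear-text port and once on the SSL port, so that the "Error 8" from smps.log can be reproduced and the SSL-only resolution confirmed, and finally lists the clients the DC has logged as still using unsigned binds. The DC name, bind DN and credentials are placeholders (assumptions), and the calling account is assumed to be able to read the DC's registry and Directory Service event log.

```powershell
# Added example, not part of the KB article or the SiteMinder product.
# Run from the Policy Server host. $Dc and $BindDn are placeholders (assumptions).
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Dc     = 'dc01.example.com'                        # assumption: a domain controller
$BindDn = 'CN=smadmin,OU=Service,DC=example,DC=com' # assumption: the user-store admin DN
$cred   = New-Object System.Net.NetworkCredential($BindDn, (Read-Host -AsSecureString 'Bind password'))

# 1. Current hardening state on the DC (values documented in KB4034879 and KB935834).
$ntds  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$state = Invoke-Command -ComputerName $Dc -ArgumentList $ntds -ScriptBlock {
    param($Path)
    $p = Get-ItemProperty -Path $Path
    [pscustomobject]@{
        LdapEnforceChannelBinding = $p.LdapEnforceChannelBinding  # 0 never, 1 when supported, 2 always; absent = 0
        LDAPServerIntegrity       = $p.LDAPServerIntegrity        # 1 none, 2 require signing; absent = 1
    }
}
$state | Format-List

# 2. The bind SiteMinder performs (LDAPv3 simple bind) over the clear-text and the SSL port.
function Test-LdapSimpleBind {
    param([string]$Server, [int]$Port, [bool]$UseSsl, [System.Net.NetworkCredential]$Credential)
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.SessionOptions.ProtocolVersion = 3
    $conn.SessionOptions.SecureSocketLayer = $UseSsl
    try {
        $conn.Bind($Credential)
        [pscustomobject]@{ Port = $Port; Ssl = $UseSsl; ErrorCode = 0; Result = 'bind OK' }
    } catch [System.DirectoryServices.Protocols.LdapException] {
        # ErrorCode 8 = strongAuthRequired: the DC enforces signing and refuses a simple bind
        # on a non-TLS connection. This is the "Error 8" reported in sm-Ldap-01370 above.
        [pscustomobject]@{ Port = $Port; Ssl = $UseSsl; ErrorCode = $_.Exception.ErrorCode; Result = $_.Exception.Message }
    } finally { $conn.Dispose() }
}
Test-LdapSimpleBind -Server $Dc -Port 389 -UseSsl $false -Credential $cred  # ErrorCode 8 once LDAPServerIntegrity = 2
Test-LdapSimpleBind -Server $Dc -Port 636 -UseSsl $true  -Credential $cred  # should succeed, also with LdapEnforceChannelBinding = 2

# 3. Who else will break: the DC logs unsigned/simple binds as Directory Service event 2887
# (24-hour summary) and, when the "16 LDAP Interface Events" diagnostic level is set to 2,
# event 2889 per client with its IP address and account (see KB4520412 in Additional Information).
Get-WinEvent -ComputerName $Dc -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887, 2889 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-Table -Wrap
```

Run step 3 for at least a day before setting LDAPServerIntegrity to 2: any client that appears in event 2889 with a simple or unsigned bind on port 389 will start failing the same way the Policy Server does in the smps.log line above, and needs to be moved to the SSL port (or to a signed SASL bind) first.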

Additional Information

MS documentation related to ADV190023.
(1) 2020 LDAP channel binding and LDAP signing requirement for Windows
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
(2) Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL/TLS more secure
https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry
(3) How to enable LDAP signing in Windows Server 2008
https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008