SMG cannot connect to Active Directory after applying Microsoft Security Update

book

Article ID: 185080

calendar_today

Updated On:

Products

Messaging Gateway

Issue/Introduction

Following application of the Microsoft security updates announced in "2020 LDAP channel binding and LDAP signing requirement for Windows", Messaging Gateway (SMG) is unable to make unencrypted LDAP connections to the Active Directory server.

If SMG has not been configured to use secure LDAP / LDAPS before applying the Microsoft security update, the following LDAP based features in SMG will no longer operate until SMG is configured to use LDAP for connections to the Active Directory server.

  • Recipent validation
  • Control Center authentication for LDAP based administrator accounts
  • End user Spam Quarantine login / access
  • Active directory based Policy Groups
  • LDAP based mail routing

Resolution

To configure Messaging Gateway to use LDAPS for Active Directory connections

  1. Go to Administration > Directory Integration
  2. Select the data source with the "Active Directory" directory type
  3. Under LDAP Server, click "Enable SSL" as shown below. The port will automatically switch to the LDAPS port of 636

  4. Click "Save"

Requirements for LDAPS connections

In order for SMG to establish a secure LDAP connection to Active Directory (AD), the following must be true

  • The AD server must be configured with a TLS certificate
  • That TLS certificate or its signing certificate must be added to the SMG CA Certficate list. Please see Certificate Settings - Certificate Authority for details.
  • The host name or IP address used for the LDAP Server host name must match a Subject Alternative Name (SAN) in the certificate presented by the Active Directory server
  • Any intermediate firewalls need to allow the SMG Control Center and Scanners to connect to port 636 on the Active Directory server

 

Attachments