How to change ports on AD Import Rules in order to address changes by Microsoft on disabling the use of LDAP connections

Article ID: 186524

Updated On:

Products

Client Management Suite, IT Management Suite

Issue/Introduction

In March 2020 Microsoft introduced an LDAP change that can affect AD Import Rules.

Here is a little bit of background on what was reported to us in case you want to be aware of this Microsoft change:

Please note that the LDAP changes apply both to User-ID and to Administrator Authentication whenever LDAP is the authentication method (as opposed to, say, RADIUS or TACACS); they are applicable wherever LDAP is in use.

In March 2020, Microsoft released a Windows Update which disabled the use of LDAP connections (cleartext over port 389) to/from Windows Server; only LDAPS (LDAP Secure) connections (over port 636) will be accepted by Windows Server after the March 2020 update.

Any customers using LDAP Server Profiles (without the SSL/TLS checkbox checked), LDAP Group Mappings, or anything else for which the PAN Firewall communicates over LDAP/port 389 to Windows Active Directory servers could begin to fail after March 2020 once the customer runs Windows Update on their Windows AD servers.

Overall, customers will need to configure the Firewall and the Windows Server to communicate over LDAPS (port 636, with a certificate).

Technically, the Windows Update will have the below effect:

"Windows Server will reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) or to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection."

This does not necessarily mean they must use LDAPS over port 636, but the LDAP connection must be secured by a certificate (the easiest and most common way to accomplish this is to configure the Windows Server to use LDAPS on port 636), and the firewalls and all other networking devices in the environment that use LDAP must be configured to do so as well.

Environment

ITMS 8.x

Cause

A change was introduced by Microsoft to disable the use of LDAP connections (cleartext over port 389) to/from Windows Server; only LDAPS (LDAP Secure) connections (over port 636) will be accepted by Windows Server after the March 2020 update.

You can find the customer-visible information and more details here:

ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023#ID0EUGAC

March 2020 LDAP channel binding and LDAP signing requirement for Windows

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

Step by Step Guide to Setup LDAPS on Windows Server:

https://docs.microsoft.com/en-us/archive/blogs/microsoftrservertigerteam/step-by-step-guide-to-setup-ldaps-on-windows-server

Certificate requirements for using LDAPS on Windows Server:

https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority

Note: This will affect customers using any of the following Windows Server versions in their environment:

  • Windows Server 2008 SP2
  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows Server 2012 R2
  • Windows Server 2016
  • Windows Server 2019

Resolution

An enhancement has been added to our process to address this change. It is available in the ITMS 8.5 RU4 release and later.

AD Import Rules can now communicate with Active Directory over port 636 instead of only port 389. The Active Directory server in the rule can be specified in any of the following forms:

  • ADNAME (without a port, so the default LDAP port 389 is used)
  • ADNAME:389 (to force use of the default LDAP port)
  • ADNAME:636 (to force use of the default LDAPS port)

Example:

    mydomain.com:636
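The following is an added example, not ITMS or Broadcom code: it parses the three server forms listed above (a missing port means cleartext 389), reports which constructed sample rules would still bind in cleartext and therefore break once the domain controller enforces signing, and offers a stdlib TLS probe to confirm a DC presents a trusted certificate on 636 before a rule is switched. The function names, the `SAMPLE_RULES` dictionary and the probe's return fields are assumptions made for this example.

```python
from __future__ import annotations
import socket
import ssl

LDAP_PORT = 389    # cleartext LDAP; the default when the rule gives no port
LDAPS_PORT = 636   # LDAP over SSL/TLS, the port the article recommends


def parse_ad_server(spec: str) -> tuple[str, int]:
    """Turn 'ADNAME', 'ADNAME:389' or 'ADNAME:636' into (host, port).
    No port means the default cleartext port 389, as the article states."""
    spec = spec.strip()
    host, sep, port = spec.rpartition(":")
    if not sep:
        return spec, LDAP_PORT
    if not port.isdigit() or not 0 < int(port) < 65536:
        raise ValueError(f"invalid port in {spec!r}")
    return host, int(port)


def audit_rules(rules: dict[str, str]) -> list[str]:
    """Names of rules that would still connect on 389, i.e. the ones that
    fail after the DC starts rejecting unsigned or cleartext binds."""
    return [name for name, spec in rules.items()
            if parse_ad_server(spec)[1] == LDAP_PORT]


def check_ldaps(host: str, port: int = LDAPS_PORT, timeout: float = 5.0) -> dict:
    """Open a TLS session to the DC and let the default context verify that the
    certificate chains to a trusted CA and matches the host name used in the
    rule. Network call, so it is not exercised by the offline sample below."""
    ctx = ssl.create_default_context()  # chain + hostname verification on
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {"tls_version": tls.version(),
                    "subject": cert.get("subject"),
                    "not_after": cert.get("notAfter")}


# Constructed sample: one rule in each of the three formats the article lists.
SAMPLE_RULES = {
    "Import users": "mydomain.com",
    "Import groups": "mydomain.com:389",
    "Import computers": "mydomain.com:636",
}

if __name__ == "__main__":
    for name in audit_rules(SAMPLE_RULES):
        print(f"{name}: still uses cleartext LDAP on {LDAP_PORT}; "
              f"change the server to ADNAME:{LDAPS_PORT}")
```

Run `check_ldaps("mydomain.com")` against a real domain controller only after LDAPS has been set up as described in the linked Microsoft guides; a certificate or hostname mismatch raises `ssl.SSLError`, which is the same failure the import would hit.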