How to change ports on AD Import Rules in order to address changes by Microsoft on disabling the use of LDAP connections

Article ID: 186524

Products

Management Platform (Formerly known as Notification Server)

Issue/Introduction

A change from Microsoft regarding LDAP is coming in March 2020 that could affect AD Import Rules.
Here is a little bit of background on what was reported to us in case you want to be aware of this Microsoft change:

Please note that these LDAP changes apply to both User-ID and Administrator Authentication if LDAP is the authentication method (as opposed to, say, RADIUS or TACACS); they are applicable wherever LDAP is in use.

In March 2020, Microsoft is releasing a Windows Update which will disable the use of LDAP connections (cleartext over port 389) to/from Windows Server; only LDAPS (LDAP Secure) connections (over port 636) will be accepted by Windows Server after the March 2020 update.

So any customers using LDAP Server Profiles (without the SSL/TLS checkbox checked), LDAP Group Mappings, or anything else for which the PAN Firewall communicates over LDAP/port 389 to Windows Active Directory servers could begin to fail after March 2020 if the customer runs Windows Update on their Windows AD servers.

Overall, customers will need to configure the Firewall and the Windows Server to communicate over LDAPS (over port 636 with a certificate).

Technically, the Windows Update will have the following effect:
"Windows Server will reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) or to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection."


This does not necessarily mean they must use LDAPS over port 636, but it must be LDAP secured by a certificate (the easiest and most common way to accomplish this is to configure the Windows Server to use LDAPS on port 636), and firewalls and all other networking devices that use LDAP in the environment must be configured to do so as well.

Cause

Change introduced by Microsoft to disable the use of LDAP connections (cleartext over port 389) to/from Windows Server; only LDAPS (LDAP Secure) connections (over port 636) will be accepted by Windows Server after the March 2020 update.

You can see the customer-visible information and more details here:

ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023#ID0EUGAC

March 2020 LDAP channel binding and LDAP signing requirement for Windows
https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

Step by Step Guide to Setup LDAPS on Windows Server:
https://docs.microsoft.com/en-us/archive/blogs/microsoftrservertigerteam/step-by-step-guide-to-setup-ldaps-on-windows-server

Certificate requirements for using LDAPS on Windows Server:
https://support.microsoft.com/en-us/help/321051/how-to-enable-ldap-over-ssl-with-a-third-party-certification-authority

Note:

This will affect customers using any of the following Windows Server versions in their environment:

Windows Server 2008 SP2
Windows Server 2008 R2 SP1
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019

Environment

ITMS 8.1 RU7, 8.5 RU2, 8.5 RU3

Resolution

An enhancement has been added to our process to address this change. It will be available with the ITMS 8.5 RU4 release.

AD Import rules can now communicate with Active Directory over port 636 instead of only port 389. The server name in the rule accepts an optional port suffix:

  • ADNAME (no port given, so the default LDAP port 389 is used)
  • ADNAME:389 (forces the default LDAP port)
  • ADNAME:636 (forces the default LDAPS port)

Example:
mydomain.com:636
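Before switching a rule to ADNAME:636, it is worth confirming from the Notification Server that the domain controller accepts an LDAPS bind with the account the import rule uses (including that the DC's certificate chain is trusted), and that a cleartext simple bind on 389 now behaves as the advisory describes. The PowerShell check below is an added example, not part of this article or the ITMS product; the server name mydomain.com and the credential prompt are assumptions.

```powershell
# Added example (not from the KB article): test a simple LDAP bind against a DC on a
# given port, using LDAPS (TLS from the first byte) when the port is 636.
Add-Type -AssemblyName System.DirectoryServices.Protocols

function Test-LdapBind {
    param(
        [Parameter(Mandatory)] [string]       $Server,      # DC or domain name, e.g. 'mydomain.com'
        [Parameter(Mandatory)] [int]          $Port,        # 389 (LDAP) or 636 (LDAPS)
        [Parameter(Mandatory)] [pscredential] $Credential   # account used by the AD Import rule
    )
    $id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Server, $Port, $false, $false)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
    $conn.AuthType = [System.DirectoryServices.Protocols.AuthType]::Basic   # simple bind
    $conn.SessionOptions.ProtocolVersion = 3
    if ($Port -eq 636) {
        # LDAPS: the server certificate is validated against the machine's trust store,
        # so an untrusted DC certificate surfaces here as a bind error rather than later
        # as a silently failing import rule.
        $conn.SessionOptions.SecureSocketLayer = $true
    }
    try {
        $conn.Bind($Credential.GetNetworkCredential())
        [pscustomobject]@{ Server = $Server; Port = $Port; Bound = $true;  Error = $null }
    } catch {
        [pscustomobject]@{ Server = $Server; Port = $Port; Bound = $false; Error = $_.Exception.Message }
    } finally {
        $conn.Dispose()
    }
}

# Usage (placeholder domain from the article's example; the credential is prompted for):
$cred = Get-Credential -Message 'Account used by the AD Import rule'
$dc   = 'mydomain.com'
Test-LdapBind -Server $dc -Port 636 -Credential $cred   # should report Bound = True before changing the rule
Test-LdapBind -Server $dc -Port 389 -Credential $cred   # on a DC enforcing the change, a cleartext simple bind is refused
```

If the 636 test reports a certificate trust error, the DC certificate (or its issuing CA) must be trusted on the Notification Server before the rule will work with ADNAME:636.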

This change is available as a pointfix under the following Cumulative Pointfix articles:

150932 - CUMULATIVE POST 8.1 RU7 POINT FIXES
151075 - CUMULATIVE POST 8.5 RU2 POINT FIXES
151228 - CUMULATIVE POST 8.5 RU3 POINT FIXES