A Microsoft change to the LDAP security requirements of Windows Server, scheduled for March 2020, can affect AD Import rules.
Here is some background on the change as it was reported to us, in case you want to be aware of it:
Note that the change applies to every use of LDAP against Active Directory, for example both User-ID and administrator authentication when LDAP (rather than, say, RADIUS or TACACS) is the authentication method.
In March 2020, Microsoft is releasing a Windows Update that hardens LDAP binds to Windows Server domain controllers (LDAP signing and LDAP channel binding). Once the hardening is enforced, a domain controller rejects unsigned SASL binds and simple binds made over a cleartext connection. In practice this means that a simple bind over plain LDAP on port 389, which is how most devices have been configured, stops working, while LDAPS (LDAP over SSL/TLS) on port 636 continues to work.
So any customer with LDAP Server Profiles that do not have the SSL/TLS checkbox checked, LDAP Group Mappings, or anything else where the PAN firewall or ITMS communicates with Windows Active Directory servers over cleartext LDAP on port 389 could begin to see failures after the March 2020 update is installed on the AD servers and the new requirements are enforced.
Overall, customers need to configure both the LDAP client (firewall, ITMS, and any other device that binds to AD) and the Windows Server so that they communicate over LDAPS (port 636), which requires a server certificate on each domain controller.
Technically, Microsoft describes the effect of the update as follows:
"Windows Server will reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification), or LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection."
This does not mean that LDAPS over port 636 is the only option: a SASL bind (Kerberos or NTLM) that negotiates signing, or a simple bind protected by TLS (LDAPS on port 636, or STARTTLS on port 389), still satisfies the requirement. LDAPS on port 636 is the easiest and most common way to comply, and it requires a server authentication certificate on each domain controller. Firewalls and every other networking device that uses LDAP against Active Directory must be reconfigured the same way.
You can see the customer visible info/more details here:
ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
March 2020 LDAP channel binding and LDAP signing requirement for Windows
Step by Step Guide to Setup LDAPS on Windows Server
Certificate requirements for using LDAPS on Windows Server
This affects customers running any of the following Windows Server versions in their environment:
Windows Server 2008 SP2
Windows Server 2008 R2 SP1
Windows Server 2012
Windows Server 2012 R2
Windows Server 2016
Windows Server 2019
An enhancement has been added to address this change. It is available with the ITMS 8.5 RU4 release: AD Import rules can now connect to Active Directory over LDAPS on port 636 instead of only cleartext LDAP on port 389.
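Before and after moving an AD Import rule to port 636, a practitioner wants three checks: that the domain controller answers LDAPS with a certificate the client will actually trust, what the domain controller currently enforces, and which clients are still binding unsigned or in cleartext. The PowerShell below is an added example, not part of this article and not ITMS code; the domain controller name is a placeholder, and it assumes the Remote Registry service is reachable on the DC and that the caller can read the DC's Directory Service event log.

```powershell
# Added example, not part of the original article or of ITMS itself.
# Run from a domain-joined administrative workstation (or on the DC).
# Assumptions: the DC FQDN below is a placeholder; the Remote Registry service
# is reachable on the DC; the caller can read the DC's Directory Service log.
param(
    [string]$DomainController = 'dc01.corp.example.com'   # placeholder, change it
)

# 1. Can a client open LDAPS on 636, and would it trust the certificate?
#    This mirrors what an AD Import rule needs once it is switched to port 636.
function Test-LdapsEndpoint {
    param([string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($Server, $Port)
        # Accept any certificate during the handshake so we can inspect it;
        # chain validation is done explicitly below and reported, not hidden.
        $acceptAll = { $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        $chain   = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chainOk = $chain.Build($cert)
        $eku = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
        # Server Authentication EKU (1.3.6.1.5.5.7.3.1) is mandatory for LDAPS.
        $serverAuth = $eku -and (($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains '1.3.6.1.5.5.7.3.1')
        # First DNS name from the SAN (or the CN); a DC with several names would need
        # $cert.DnsNameList checked instead.
        $dnsName = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)

        [pscustomobject]@{
            Server          = $Server
            TlsProtocol     = $ssl.SslProtocol
            Subject         = $cert.Subject
            NotAfter        = $cert.NotAfter
            # The next three must all be $true for a strict LDAPS client to connect.
            ChainTrusted    = $chainOk
            ChainStatus     = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
            ServerAuthEku   = [bool]$serverAuth
            NameMatchesHost = ($dnsName -eq $Server)
        }
    } finally { $tcp.Close() }
}

# 2. What has the DC actually enforced? These are the registry values behind
#    the two ADV190023 policies ("LDAP server signing requirements" and
#    "LDAP server channel binding token requirements").
function Get-LdapHardeningState {
    param([string]$Server)
    $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Server)
    try {
        $key = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\NTDS\Parameters')
        $integrity = $key.GetValue('LDAPServerIntegrity', 1)        # 1 = None, 2 = Require signing
        $cbt       = $key.GetValue('LdapEnforceChannelBinding', 0)  # 0 = Never, 1 = When supported, 2 = Always
        [pscustomobject]@{
            Server                  = $Server
            SigningRequired         = ($integrity -eq 2)
            ChannelBindingEnforced  = ($cbt -ne 0)
            # While this is $true, cleartext port 389 binds still succeed; the
            # AD Import failure only appears once signing is switched to Require.
            CleartextBindsStillWork = ($integrity -ne 2)
        }
    } finally { $hive.Close() }
}

# 3. Which clients still bind unsigned or in cleartext? The DC logs event 2887
#    (24-hour summary) by default, and event 2889 (per client, with its IP and
#    account) once "16 LDAP Interface Events" is set to 2 under
#    HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics. The ITMS server
#    running the AD Import rule should drop off this list after the rule is
#    moved to port 636.
function Get-UnsignedLdapBindEvents {
    param([string]$Server, [int]$Hours = 24)
    Get-WinEvent -ComputerName $Server -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = 2887, 2889
        StartTime = (Get-Date).AddHours(-$Hours)
    } | Select-Object TimeCreated, Id, @{ n = 'Detail'; e = { ($_.Message -replace '\s+', ' ').Trim() } }
}

Test-LdapsEndpoint         -Server $DomainController | Format-List
Get-LdapHardeningState     -Server $DomainController | Format-List
Get-UnsignedLdapBindEvents -Server $DomainController | Format-Table -AutoSize -Wrap
```

Run the script once before enforcing signing on the domain controllers: if the first check reports an untrusted chain or a name mismatch, the ITMS server will refuse the LDAPS connection for the same reason, and the certificate (or the ITMS server's trusted root store) needs to be fixed first. If the third check still lists the ITMS server after the AD Import rule has been changed to port 636, another rule or component is still binding over cleartext port 389.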
CUMULATIVE POST 8.1 RU7 POINT FIXES
CUMULATIVE POST 8.5 RU2 POINT FIXES
CUMULATIVE POST 8.5 RU3 POINT FIXES