How to change ports on AD Import Rules in order to address changes by Microsoft on disabling the use of LDAP connections
Article ID: 186524
Updated On:
Products
Issue/Introduction
A new change from Microsoft and LDAP is coming up in March that could affect AD Import Rules.
Here is a little bit of background on what was reported to us in case you want to be aware of this Microsoft change:
Please note LDAP changes apply both to User-ID and Administrator Authentication if LDAP is the auth method (versus say RADIUS or TACACS. Applicable in cases where LDAP is being used).
In March 2020, Microsoft is releasing a Windows Update which will disable the use of LDAP connections (cleartext over port 389) to/from Windows Server - only LDAPS (LDAP Secure) connections (over port 636) will be accepted by Windows Server after March 2020 update.
So any customers using LDAP Server Profiles (if they don't have the SSL/TLS checkbox checked), LDAP Group Mappings, or anything else which the PAN Firewall communicates over LDAP/port 389 to Windows Active Directory Servers could begin to fail after March 2020 if the customer does Windows Update on their Windows AD Servers.
Overall, customers will need to configure the Firewall and the Windows Server to work when communicating over LDAPS (over port 636 with a certificate)
Technically, the Windows Update will have the below effect:
"Windows Server will reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) or to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection."
This does not necessarily mean they must use LDAPS over port 636, but it must be LDAP secured by a certificate (which the easiest/most common/normal way to accomplish is to configure the Windows Server to use LDAPS 636), and along with firewalls and all of their other networking devices which use LDAP in their environment, must be configured to do so as well.
Environment
ITMS 8.x
Cause
You can see the customer visible info/more details here:
ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
March 2020 LDAP channel binding and LDAP signing requirement for Windows
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023#ID0EUGAC
Step by Step Guide to Setup LDAPS on Windows Server:
Certificate requirements for using LDAPS on Windows Server:
Note:
This will affect customers using any of the below Windows Server versions in their environment:
Windows Server 2008 SP2
Windows Server 2008 R2 SP1
Windows Server 2012,
Windows Server 2012 R2,
Windows Server 2016,
Windows Server 2019
Resolution
An enhancement has been added to our process to address this change. It will be available with the ITMS 8.5 RU4 release.
Now AD Import rules can communicate with Active Directory using port 636 instead of only port 389.
- ADNAME (without ports, so default 389 will be used)
- ADNAME:389 (to force usage of default ldap port)
- ADNAME:636 (to force usage of default ldaps port)
Example:
mydomain.com:636
This change is available as a pointfix under the following Cumulative Pointfix articles:
|
CUMULATIVE POST 8.1 RU7 POINT FIXES |
|
|
CUMULATIVE POST 8.5 RU2 POINT FIXES |
|
|
CUMULATIVE POST 8.5 RU3 POINT FIXES |
Feedback
