Upgrade from LDAP to LDAPs

Namless Shelter 241 Reputation points
2020-09-01T05:43:40.017+00:00

Hi Guys, just saw this article: https://www.aeb.com/support/en/news/ldap-change.php

Do we have to upgrade from LDAP to LDAPs now? What impact will it have?

Thanks
ML


Accepted answer
  1. Anonymous
    2020-09-01T06:59:28.437+00:00

    Hello,

    Thank you so much for posting here.

    Microsoft recommends administrators make the hardening changes described in ADV190023.

    For more information, we could refer to:

    2020 LDAP channel binding and LDAP signing requirements for Windows
    https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows

    LDAP Channel Binding and LDAP Signing Requirements - March 2020 update final release
    https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-march-2020/ba-p/921536

    ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
    https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

    Frequently asked questions about changes to Lightweight Directory Access Protocol
    https://support.microsoft.com/en-us/help/4546509/frequently-asked-questions-about-changes-to-ldap

    Hope the information is helpful. Thanks.

    Best regards,
    Hannah Xiong


6 additional answers

  1. Anonymous
    2020-09-02T06:06:18.147+00:00

    Hello,

    You are welcome. Thank you so much for your kind reply.

    1. "So Windows update will not make any changes on both Channel Binding and LDAP Signing unless we make changes on Reg keys and install Windows Updates, am I right?"

    Yes.

    2. "Also, once we have these two options (Channel Binding and LDAP Signing) enabled, LDAP will not be available, have to make sure all clients machines and appliances support LDAPs, am I correct?"

    Yes, "After installing the patch, it will no longer be possible to communicate with the Active Directory via Simple Bind Port TCP 389 to prevent passwords from being transmitted in clear text. Communication will then only take place encrypted via Port TCP 636 SSL."

    "The update results in no more connections to the domain controller, via unsigned / Clear Text LDAP on port 389. Then it is only possible to use either LDAPS via port 636 or Signed LDAP (StartTLS) on port 389."

    3. "The last question is: do we need SSL (A wildcard certificate) for LDAP signing?"

    As per the below article, new certificates do not have to be issued to use CBT over SSL/TLS.

    https://support.microsoft.com/en-us/help/4546509/frequently-asked-questions-about-changes-to-ldap

    For any question, please feel free to contact us.

    Best regards,
    Hannah Xiong


  2. Anonymous
    2020-09-04T03:04:37.16+00:00

    Hi,

    You are welcome. Thank you so much for your feedback.

    To verify LDAPS on a domain controller has been configured and is functioning correctly, perform the following steps on each Domain Controller:

    1. Open the Run dialogue box and run the application: ldp.exe (or ldp for short).
    2. When LDP opens, go to the Connection menu and click on Connect...
    3. Fill in the ‘Connect’ dialogue box as shown below.

    [image 22633-1.png: the ldp.exe Connect dialogue box]

    If the server is correctly configured for LDAPS then line 5 of the output (you might need to scroll up) will show that the host supports SSL, like this:

    [image 22635-2.png: ldp.exe output showing the host supports SSL]

    For more information, we could refer to:

    https://support.microsoft.com/en-us/help/938703/how-to-troubleshoot-ldap-over-ssl-connection-problems

    https://osirium.com/how-to/confirm-a-domain-controller-has-ldaps-enabled/

    So sorry that I do not know whether there are registry keys saying it is enabled. Besides, I tried to research this but did not find any information. Thank you so much for your understanding and support.

    Please note: Information posted in the given link is hosted by a third party. Microsoft does not guarantee the accuracy and effectiveness of information.

    Best regards,
    Hannah Xiong

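The ldp.exe check in the answer above can also be scripted so it runs against every domain controller. The example below is added here and is not from Microsoft or the thread: it hand-encodes an LDAPv3 simple bind, sends it to a DC over plain port 389 and over LDAPS on port 636, and returns the LDAP resultCode. After the ADV190023 hardening, the cleartext bind on 389 is answered with resultCode 8 (strongerAuthRequired) instead of being accepted, and a successful bind on 636 confirms the server certificate works. The DC host name and test account are assumptions; use a dedicated low-privilege account, since the 389 probe by design sends its password unencrypted.

```python
import socket
import ssl

STRONGER_AUTH_REQUIRED = 8  # RFC 4511 resultCode a DC returns to an unsigned simple bind once signing is enforced

def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag: int, payload: bytes) -> bytes:
    """One BER tag-length-value element."""
    return bytes([tag]) + ber_len(len(payload)) + payload

def read_tlv(buf: bytes, pos: int):
    """Decode the BER element at buf[pos]; returns (tag, value, position after it)."""
    tag, first = buf[pos], buf[pos + 1]
    n = 0 if first < 0x80 else first & 0x7F  # long form: the next n octets hold the length
    length = first if n == 0 else int.from_bytes(buf[pos + 2:pos + 2 + n], "big")
    start = pos + 2 + n
    return tag, buf[start:start + length], start + length

def simple_bind_request(dn: str, password: str, msg_id: int = 1) -> bytes:
    """LDAPv3 BindRequest with simple authentication (RFC 4511 section 4.2)."""
    bind = tlv(0x02, bytes([3])) + tlv(0x04, dn.encode()) + tlv(0x80, password.encode())
    return tlv(0x30, tlv(0x02, bytes([msg_id])) + tlv(0x61, bind))

def parse_bind_result(resp: bytes) -> int:
    """Pull resultCode out of a BindResponse; raises ValueError on anything else."""
    tag, msg, _ = read_tlv(resp, 0)
    _, _, pos = read_tlv(msg, 0)  # messageID, not needed here
    op, bind_resp, _ = read_tlv(msg, pos)
    code_tag, code, _ = read_tlv(bind_resp, 0)
    if (tag, op, code_tag) != (0x30, 0x61, 0x0A):
        raise ValueError("not an LDAP BindResponse")
    return int.from_bytes(code, "big")

def check_bind(host: str, dn: str, password: str, use_tls: bool, timeout: float = 5.0) -> int:
    """Send one simple bind over plain 389 or LDAPS 636 and return the resultCode.
    Plain 389 returning STRONGER_AUTH_REQUIRED means LDAP signing is enforced."""
    sock = socket.create_connection((host, 636 if use_tls else 389), timeout=timeout)
    if use_tls:  # the handshake fails here if the DC has no usable server certificate
        sock = ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(simple_bind_request(dn, password))
        return parse_bind_result(sock.recv(4096))
```

Run `check_bind("dc01.example.local", "cn=ldaptest,cn=Users,dc=example,dc=local", "<password>", use_tls=False)` and the same call with `use_tls=True` against each DC (host and DN are hypothetical); the pair of result codes tells you whether signing is enforced and whether LDAPS is serving a valid certificate.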
