Windows 10: 2020 LDAP channel binding and LDAP signing Impact on IIS Integrated windows authentication

Discuss and support 2020 LDAP channel binding and LDAP signing Impact on IIS Integrated windows authentication in AntiVirus, Firewalls and System Security to solve the problem; I have a question related to the security update 2020 LDAP channel binding and LDAP signing requirement for Windows described in... Discussion in 'AntiVirus, Firewalls and System Security' started by Narinder Mittal, Feb 24, 2020.

  1. 2020 LDAP channel binding and LDAP signing Impact on IIS Integrated windows authentication


    I have a question related to the security update 2020 LDAP channel binding and LDAP signing requirement for Windows described

    in https://support.microsoft.com/en-us...ding-and-ldap-signing-requirement-for-windows.


    We are using IIS Integrated Windows Authentication for our ASP.NET application. And we are using the .NET namespace System.DirectoryServices to handle AD connections, but we never pass any AD connection strings from our application; we use the current user context. We anticipate there should not be any impact on our application with this upcoming change.

    Would like to confirm if there is any impact?


    Would be happy to provide more information if needed.

    :)
     
    Narinder Mittal, Feb 24, 2020
    #1

  2. Security update - 2020 LDAP channel binding and LDAP signing requirement for Windows

    I have a question related to the security update (2020 LDAP channel binding and LDAP signing requirement for Windows) described

    in https://support.microsoft.com/en-us...ding-and-ldap-signing-requirement-for-windows

    Is there a way to configure the domain controller, so that even if secure binding becomes enabled by default, application servers (sending the windows credentials to domain controller) can override that in some way to support simple binding?
     
    AntoniosIM, Feb 24, 2020
    #2
  3. Security update - 2020 LDAP channel binding and LDAP signing requirement for Windows

    Hi AntoniosIM,

    This will not be supported; please read the article below:

    https://techcommunity.microsoft.com/t5/core-inf...

    If LDAP Channel Binding is enabled, Simple Binding will not be allowed.

    I hope this answers your question.
     
    c12f15dc-7bff-4426-b6c1-6cd384eeb051, Feb 24, 2020
    #3
  4. 2020 LDAP channel binding and LDAP signing Impact on IIS Integrated windows authentication

    Security Advisory ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing

    I've been reviewing ADV190023 (which seems to indicate that insecure LDAP binds will no longer be permitted in Active Directory after January 2020). I made the changes to the Windows Registry on my Domain Controllers to get detailed logging information about applications/computers performing either simple LDAP binds or unsigned SASL binds.

    I found that the vast majority of the Event log entries were for OS X computers which were bound to AD and performing unsigned SASL binds. These generated Event ID 2889 in the Directory Service log. By my reading of the Security Advisory, unsigned SASL binds will no longer be permitted after January 2020, so I worked on making the Mac OS X machines use SSL when communicating to AD.

    I made the suggested registry changes on a Test Domain Controller; those changes supposedly will not allow simple LDAP binds or unsigned SASL binds. I tried the test which was specified with LDS and a simple bind, and that failed with a "requires a higher level of security" message, which is what was expected.

    However, even after configuring a Mac OS X computer to use SSL (I verified that it is using port 636 TCP to "talk" to the DC), I am getting Event ID 2889 in the Directory Service log indicating that the Mac is still using an unsigned SASL bind. The bind/login process works (I am able to successfully authenticate as an AD user on the Mac over SSL), but the continued error in the Event log bothers me.

    Key points:

    1. If I make the "don't allow insecure LDAP binds" changes on the DC and don't make any changes on the Mac, I am still able to bind/authenticate to AD from the Mac. The Security Advisory seems to indicate that this should fail, but my tests don't agree. Event ID 2889 is generated in the Directory Service Event Log.

    2. If I force the Mac to use SSL to talk to AD (after making the "don't allow insecure LDAP binds" change on the DC), I am able to bind/authenticate to AD from the Mac and I still get the 2889 entry in the DS Event Log. There doesn't seem to be any change in behavior from the Windows side.

    Am I misreading the Security Advisory? Or is there some other change (other than the three registry changes outlined in the Security Advisory) that needs to happen on the DC? I would like this to be a non-issue when Microsoft pushes this change out in January.
     
    FrancisSwipes, Feb 24, 2020
    #4
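Added example for the triage FrancisSwipes describes above (PowerShell; this is not code from any poster in this thread and not Microsoft's). It reads the three NTDS registry values that ADV190023 / KB4520412 name, summarises Directory Service Event ID 2889 entries by client address and binding type so you can see which hosts still bind insecurely, and probes a DC with a clear-text simple bind on 389 to confirm that the "requires a higher level of security" rejection (LDAP result 8, strongAuthRequired) is really in force. The 2889 message layout parsed here (each label on its own line, value on the next, "Binding Type" 0 = unsigned SASL and 1 = simple) is assumed from the documented event text, and the two sample messages, host names and account names are constructed so the summary can run offline.

```powershell
# Added example (not from the thread). Run the live parts on a DC (or with rights to
# read its Directory Service log); the constructed samples at the bottom run anywhere.

Add-Type -AssemblyName System.DirectoryServices.Protocols

function Get-LdapHardeningState {
    # Assumed value names as given in ADV190023 / KB4520412.
    $p = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
    $d = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
    [pscustomobject]@{
        LDAPServerIntegrity       = (Get-ItemProperty -Path $p -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity                # 2 = require signing
        LdapEnforceChannelBinding = (Get-ItemProperty -Path $p -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding    # 0 never, 1 when supported, 2 always
        LdapInterfaceEvents       = (Get-ItemProperty -Path $d -Name '16 LDAP Interface Events' -ErrorAction SilentlyContinue).'16 LDAP Interface Events' # 2 = per-client 2889 events
    }
}

function ConvertFrom-Ldap2889Message {
    # Assumed 2889 layout: label line, then the value on the following line.
    param([Parameter(Mandatory)][string]$Message)
    $ip = $null; $identity = $null; $bindingType = -1
    if ($Message -match 'Client IP address:\s*\r?\n\s*(\S+)') { $ip = $Matches[1] }
    if ($Message -match 'Identity the client attempted to authenticate as:\s*\r?\n\s*([^\r\n]+)') { $identity = $Matches[1].Trim() }
    if ($Message -match 'Binding Type:\s*\r?\n\s*(\d)') { $bindingType = [int]$Matches[1] }
    # The address field is "address:port"; drop the ephemeral port (works for IPv6 too, last ':' only).
    if ($ip -and $ip -match '^(.+):(\d+)$') { $ip = $Matches[1] }
    [pscustomobject]@{
        ClientIp    = $ip
        Identity    = $identity
        BindingType = switch ($bindingType) { 0 { 'UnsignedSASL' } 1 { 'Simple' } default { 'Unknown' } }
    }
}

function Get-InsecureLdapBindSummary {
    # Offline: pass -Message. Live: omit it and the DC's Directory Service log is read.
    param([string[]]$Message, [int]$MaxEvents = 5000)
    if (-not $Message) {
        $Message = Get-WinEvent -LogName 'Directory Service' -FilterXPath '*[System[EventID=2889]]' `
                   -MaxEvents $MaxEvents -ErrorAction Stop | ForEach-Object { $_.Message }
    }
    $Message | ForEach-Object { ConvertFrom-Ldap2889Message -Message $_ } |
        Group-Object ClientIp, BindingType |
        ForEach-Object {
            [pscustomobject]@{
                ClientIp    = $_.Group[0].ClientIp
                BindingType = $_.Group[0].BindingType
                Count       = $_.Count
                Identities  = ($_.Group.Identity | Sort-Object -Unique) -join ', '
            }
        } | Sort-Object Count -Descending
}

function Test-LdapSimpleBind {
    # Clear-text simple bind on 389. A DC requiring signing answers LDAP result 8
    # (strongAuthRequired); a DC still allowing it logs 2889 with Binding Type 1.
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$User,
          [Parameter(Mandatory)][string]$Password)
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection($Server)
    try {
        $conn.SessionOptions.ProtocolVersion   = 3
        $conn.SessionOptions.SecureSocketLayer = $false
        $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
        $conn.Credential = New-Object System.Net.NetworkCredential($User, $Password)
        $conn.Bind()
        'accepted (DC still permits clear-text simple binds)'
    } catch [System.DirectoryServices.Protocols.LdapException] {
        if ($_.Exception.ErrorCode -eq 8) { 'rejected: strongAuthRequired' } else { "rejected: $($_.Exception.Message)" }
    } finally { $conn.Dispose() }
}

# Constructed sample 2889 messages (not real log output); only the labelled fields matter to the parser.
$msg1 = @"
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
10.0.0.21:54321
Identity the client attempted to authenticate as:
CONTOSO\mac-svc
Binding Type:
0
"@
$msg2 = @"
Client IP address:
10.0.0.40:61001
Identity the client attempted to authenticate as:
CONTOSO\app-iis
Binding Type:
1
"@
Get-InsecureLdapBindSummary -Message @($msg1, $msg2) | Format-Table -AutoSize
# On a DC:            Get-LdapHardeningState; Get-InsecureLdapBindSummary | Format-Table -AutoSize
# From an app server: Test-LdapSimpleBind -Server dc01.contoso.com -User 'CONTOSO\app-iis' -Password '...'
```

Two things worth knowing when reading the output: 2889 is only written while "16 LDAP Interface Events" is 2, so an empty summary on a DC with the default value of 0 proves nothing; and a client that connects on 636 (LDAPS) but still binds with an unsigned SASL mechanism is not what LDAPServerIntegrity = 2 blocks, since that setting governs signing on the 389 path, which is consistent with a Mac continuing to authenticate over 636 while 2889 keeps appearing.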