Windows 10: Security Advisory ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP...

Discussion in 'AntiVirus, Firewalls and System Security' started by FrancisSwipes, Oct 9, 2019.

  1. Security Advisory ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP...


    I've been reviewing ADV190023 (which seems to indicate that insecure LDAP binds will no longer be permitted in Active Directory after January 2020). I made the changes to the Windows Registry on my Domain Controllers to get detailed logging information about applications/computers performing either simple LDAP binds or unsigned SASL binds.


    I found that the vast majority of the Event Log entries were for Mac OS X computers which were bound to AD and performing unsigned SASL binds. These generated Event ID 2889 in the Directory Service log. By my reading of the Security Advisory, unsigned SASL binds will no longer be permitted after January 2020, so I worked on making the Mac OS X machines use SSL when communicating with AD.


    I made the suggested registry changes on a Test Domain Controller - those changes supposedly will not allow simple LDAP binds or unsigned SASL binds. I tried the test which was specified with LDS and a simple bind and that failed with a "requires a higher level of security" message, which is what was expected.


    However, even after configuring a Mac OS X computer to use SSL (I verified that it is using TCP port 636 to "talk" to the DC) I am getting Event ID 2889 in the Directory Service log indicating that the Mac is still using an unsigned SASL bind. The bind/login process works (I am able to successfully authenticate as an AD user on the Mac over SSL) but the continued error in the Event Log bothers me.


    Key points:
    1. If I make the "don't allow insecure LDAP binds" changes on the DC and don't make any changes on the Mac, I am still able to bind/authenticate to AD from the Mac. The Security Advisory seems to indicate that this should fail, but my tests don't agree. Event ID 2889 is generated in the Directory Service Event Log.

    2. If I force the Mac to use SSL to talk to AD (after making the "don't allow insecure LDAP binds" change on the DC) I am able to bind/authenticate to AD from the Mac and I still get the 2889 entry in the DS Event Log. There doesn't seem to be any change in behavior from the Windows side.


    Am I misreading the Security Advisory? Or is there some other change (other than the three registry changes outlined in the Security Advisory) that needs to happen on the DC? I would like this to be a non-issue when Microsoft pushes this change out in January.

    :)
     
    FrancisSwipes, Oct 9, 2019
    #1
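    The inventory step described in this post (diagnostic logging on the DC, then reading Event ID 2889 to find which clients still perform simple or unsigned SASL binds) can be automated. The function below is an added example, not code from the original post or from Microsoft; it assumes the 2889 event carries its three data fields in the order client address, identity, binding type, and falls back to parsing the message text otherwise. The `DC01` name and the 14-day window in the usage line are placeholders.

    ```powershell
    # Added example: summarise Event ID 2889 (insecure LDAP bind) entries from a
    # domain controller's Directory Service log, grouped by client, identity and
    # binding type, so each source can be fixed before signing is enforced.
    function Get-InsecureLdapBindReport {
        [CmdletBinding()]
        param(
            [string]$DomainController = $env:COMPUTERNAME,  # assumed: a DC, or run on the DC itself
            [int]$Days = 7
        )
        $filter = @{
            LogName   = 'Directory Service'
            Id        = 2889
            StartTime = (Get-Date).AddDays(-$Days)
        }
        $events = Get-WinEvent -ComputerName $DomainController -FilterHashtable $filter -ErrorAction SilentlyContinue
        if (-not $events) { Write-Warning "No 2889 events on $DomainController in the last $Days days."; return }

        $records = foreach ($e in $events) {
            $props = $e.Properties
            if ($props.Count -ge 3) {
                # Assumed property layout: [0] client address:port, [1] identity, [2] binding type
                $addr = [string]$props[0].Value; $ident = [string]$props[1].Value; $type = [string]$props[2].Value
            } else {
                # Fallback: pull the same three fields out of the rendered message text
                $m = [regex]::Match($e.Message, 'Client IP address:\s*(\S+)\s+Identity the client attempted to authenticate as:\s*(.+?)\s+Binding Type:\s*(\d)', 'Singleline')
                if (-not $m.Success) { continue }
                $addr = $m.Groups[1].Value; $ident = $m.Groups[2].Value.Trim(); $type = $m.Groups[3].Value
            }
            [pscustomobject]@{
                ClientIP    = ($addr -replace ':\d+$', '')  # strip the ephemeral source port (IPv4 form)
                Identity    = $ident
                BindingType = $type  # 0 and 1 distinguish unsigned SASL from cleartext simple binds; see the event text
                Time        = $e.TimeCreated
            }
        }

        # One row per (client, identity, binding type) with a count and the most recent occurrence
        $records | Group-Object ClientIP, Identity, BindingType | ForEach-Object {
            $first = $_.Group[0]
            [pscustomobject]@{
                ClientIP    = $first.ClientIP
                Identity    = $first.Identity
                BindingType = $first.BindingType
                Count       = $_.Count
                LastSeen    = ($_.Group | Measure-Object -Property Time -Maximum).Maximum
            }
        } | Sort-Object Count -Descending
    }

    # Usage (placeholder DC name): Get-InsecureLdapBindReport -DomainController 'DC01' -Days 14 | Format-Table -AutoSize
    ```

    Run it against every DC, since each DC logs only the binds it served; a client that shows up after it was switched to LDAPS, as in this post, is still worth checking against the binding type recorded in the event.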
  2. Coxclan5

    LDAP issue

    Trying to sign on to a webmail, and I keep getting an LDAP error. Any suggestions?

    ***Post moved by the moderator to the appropriate forum category.***
     
    Coxclan5, Oct 9, 2019
    #2
  3. LDAP bind issues

    I have several Windows Servers that utilize LDAP. Some of them show on the domain controllers as Event ID 2889, but others do not. These servers are not on the domain. My question is why are some of the servers not showing that Event ID?
     
    Parweez Popal, Oct 9, 2019
    #3
  4. 3870x2

    LDAP Directory Program

    Bump! Anyone with an available LDAP directory can test this. If an LDAP directory is read only access to everyone (most are by default), you will be able to access it without the Username or Password field, possibly even beyond the DMZ in some instances.
     
    3870x2, Oct 9, 2019
    #4