Reminder: LDAP signing requirements in March 2020
In August 2018, Microsoft issued security advisory ADV190023, Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing, announcing that domain controllers will block unsigned LDAP communication in Active Directory starting in March 2020. A quick poll showed that not all customers are aware of the upcoming change or have prepared for it.
What is LDAP Binding?
LDAP binding is the set of operations used to authenticate and authorize a client on an LDAP server (a domain controller). Along with authentication credentials, the client sends connection settings (such as the signing requirement) that apply to subsequent messages within the same connection. There are two LDAP bind types: simple bind and Simple Authentication and Security Layer (SASL). In a simple bind, the client authenticates to the LDAP server by submitting its account name and password in clear text. SASL allows different authentication options that do not require transmitting the password in clear text; such options include NTLM and Kerberos. Microsoft products use only the SASL bind type. Although SASL is more secure, it does not guarantee message integrity unless LDAP over TLS is used.
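To make the difference between the two bind types concrete, the PowerShell below is an added example (not code from the original post): it encodes two constructed LDAPv3 BindRequest messages, one simple bind and one SASL bind, and decodes them with a minimal BER parser to show which fields leave the client. In the simple bind the password is readable directly from the message bytes; the SASL bind carries only a mechanism name and an opaque token. The account name, password and token bytes are constructed sample values, and the helper names (`New-BerTlv`, `Read-BerTlv`, `New-BindRequest`, `Get-LdapBindInfo`) are this example's own.

```powershell
# Added example, not from the original post: encode two constructed LDAPv3 BindRequests
# and decode them with a minimal BER parser to show what each bind type puts on the wire.

function New-BerTlv {
    # Build one tag-length-value element (short-form length is enough for these messages)
    param([byte]$Tag, [byte[]]$Value)
    if ($Value.Length -gt 127) { throw 'long-form length not implemented' }
    return [byte[]](@($Tag, [byte]$Value.Length) + $Value)
}

function Read-BerTlv {
    # Read the TLV at $Offset, advance $Offset past it, return its tag and value bytes
    param([byte[]]$Bytes, [ref]$Offset)
    $tag = $Bytes[$Offset.Value]; $Offset.Value++
    $len = [int]$Bytes[$Offset.Value]; $Offset.Value++
    if ($len -ge 0x80) {                  # long form: the next ($len -band 0x7F) bytes hold the length
        $count = $len -band 0x7F; $len = 0
        for ($i = 0; $i -lt $count; $i++) { $len = ($len -shl 8) -bor $Bytes[$Offset.Value]; $Offset.Value++ }
    }
    $start = $Offset.Value
    $value = if ($len -gt 0) { [byte[]]($Bytes[$start..($start + $len - 1)]) } else { [byte[]]@() }
    $Offset.Value = $start + $len
    return [pscustomobject]@{ Tag = [int]$tag; Value = $value }
}

function New-BindRequest {
    # Wrap an AuthenticationChoice in BindRequest { version 3, name } inside LDAPMessage { messageID 1 }
    param([byte[]]$Auth)
    $enc = [System.Text.Encoding]::ASCII
    $bind = (New-BerTlv 0x02 @(3)) + (New-BerTlv 0x04 $enc.GetBytes('cn=alice,dc=example,dc=com')) + $Auth
    return New-BerTlv 0x30 ((New-BerTlv 0x02 @(1)) + (New-BerTlv 0x60 $bind))
}

function Get-LdapBindInfo {
    param([byte[]]$Message)
    $ascii = [System.Text.Encoding]::ASCII
    $p = [ref]0
    $msg = Read-BerTlv $Message $p                 # LDAPMessage ::= SEQUENCE (0x30)
    if ($msg.Tag -ne 0x30) { throw 'not an LDAPMessage' }
    $p = [ref]0
    $msgId = Read-BerTlv $msg.Value $p             # messageID INTEGER (0x02)
    $op    = Read-BerTlv $msg.Value $p             # protocolOp: BindRequest = [APPLICATION 0] (0x60)
    if ($op.Tag -ne 0x60) { throw 'not a BindRequest' }
    $p = [ref]0
    $version = Read-BerTlv $op.Value $p            # version INTEGER
    $name    = Read-BerTlv $op.Value $p            # name LDAPDN
    $auth    = Read-BerTlv $op.Value $p            # authentication AuthenticationChoice
    $info = [ordered]@{
        MessageId = [int]$msgId.Value[0]
        Version   = [int]$version.Value[0]
        Name      = $ascii.GetString($name.Value)
    }
    switch ($auth.Tag) {
        0x80 {                                     # simple [0] OCTET STRING: the password itself
            $info.BindType = 'simple'
            $info.PasswordOnWire = $ascii.GetString($auth.Value)
            break
        }
        0xA3 {                                     # sasl [3] SaslCredentials { mechanism, credentials }
            $p = [ref]0
            $mech = Read-BerTlv $auth.Value $p
            $info.BindType = 'sasl'
            $info.Mechanism = $ascii.GetString($mech.Value)
            $info.PasswordOnWire = '(none; mechanism token only)'
            break
        }
        default { throw ('unsupported authentication choice 0x{0:X2}' -f $auth.Tag) }
    }
    return [pscustomobject]$info
}

$enc = [System.Text.Encoding]::ASCII
# Simple bind: the password is an OCTET STRING inside the request (constructed sample credentials)
$simple = New-BindRequest (New-BerTlv 0x80 $enc.GetBytes('P@ssw0rd-sample'))
# SASL bind: mechanism name plus an opaque token (placeholder bytes, not a real SPNEGO token)
$saslCreds = (New-BerTlv 0x04 $enc.GetBytes('GSS-SPNEGO')) + (New-BerTlv 0x04 @(0x60, 0x06, 0x06, 0x04, 0x2B, 0x06, 0x01, 0x05))
$sasl = New-BindRequest (New-BerTlv 0xA3 $saslCreds)

'Simple bind bytes: ' + (($simple | ForEach-Object { $_.ToString('x2') }) -join ' ')
Get-LdapBindInfo $simple | Format-List
Get-LdapBindInfo $sasl   | Format-List
```

The hex dump of the simple bind shows the password bytes in place after the 0x80 tag, which is exactly what an on-path observer sees when simple bind is used without TLS; the SASL request exposes only the mechanism name, and message integrity then depends on whether signing is negotiated on that connection.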
Description
In short, in March 2020 Microsoft is going to release a security update that will make domain controllers reject all incoming connections that use unsigned LDAP. With the default OS configuration, Microsoft clients and servers do not require message signing when authenticating and communicating over LDAP. This means that if you don't prepare your network to require LDAP signing, clients will fail to communicate with domain controllers, because the domain controllers will stop accepting unsigned messages. The consequence would be a massive domain outage.
Although the security update released in March 2020 will put both domain controllers and domain members into a consistent state (require signing), you will still experience connection issues because systems do not install the update at the same time. For example, if domain controllers receive the update before clients, they will stop accepting connections from unpatched clients. Therefore, it is highly recommended to configure clients and domain controllers to use LDAP signing gracefully, in advance. See the Reference Materials section below for more details.
Mitigation for Microsoft Windows
In order to mitigate the vulnerability and the possible outage caused by the update, configure LDAP signing requirements on domain controllers and Active Directory clients before installing the update. We recommend performing the configuration in this sequence:
- Configure clients to request LDAP signing;
- When all clients receive this configuration, configure domain controllers to require signing;
- Configure clients to require signing.
This sequence ensures that no client will stop working during transition.
Configure Clients to request signing
Use the steps below to configure clients to request LDAP signing:
- On a domain member with GPMC (Group Policy Management Console) installed, open the GPMC console (gpmc.msc);
- Expand Forest\Domains\Current Domain\Group Policy Objects;
- Create a new GPO and give it a name (say, Client LDAP Signing);
- Edit the created GPO;
- Expand Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options;
- Open the Network security: LDAP client signing requirements item and select the Negotiate Signing option;
- Link the GPO to the domain level.
- Repeat steps 1-7 for every domain in the forest.
Wait until all clients receive and apply the new GPO.
Configure Domain Controllers to require signing
When the new GPO is applied, create a new GPO to configure domain controllers:
- On a domain member with GPMC (Group Policy Management Console) installed, open the GPMC console (gpmc.msc);
- Expand Forest\Domains\Current Domain\Group Policy Objects;
- Create a new GPO and give it a name (say, Server LDAP Signing);
- Edit the created GPO;
- Expand Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options;
- Open the Domain controller: LDAP server signing requirements item and select the Require Signing option;
- Link the GPO to the “Domain Controllers” container.
- Repeat steps 1-7 for every domain in the forest.
Wait until all domain controllers receive and apply the new GPO. Test whether all systems are able to communicate with domain controllers. In the event of failure, revert the signing requirement to “None” and consult vendor support to identify and resolve the problem.
Configure Clients to require signing
Use the steps below to configure clients to require LDAP signing:
- On a domain member with GPMC (Group Policy Management Console) installed, open the GPMC console (gpmc.msc);
- Expand Forest\Domains\Current Domain\Group Policy Objects;
- Edit the previously created GPO (Client LDAP Signing);
- Expand Computer Configuration\Policies\Windows Settings\Security Settings\Local Policies\Security Options;
- Open the Network security: LDAP client signing requirements item and select the Require Signing option;
- Repeat steps 1-5 for every domain in the forest.
Wait until all clients receive and apply the new GPO. All domain members are then ready to install the update referenced in the security advisory.
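Between the steps above, a practitioner wants two checks: what signing requirement a given machine actually applied, and which clients still bind without signing before the domain controllers move to Require Signing. The PowerShell below is an added example (not code from the original post): it reads the registry values that the two GPO settings above write, and on a domain controller raises LDAP Interface Events diagnostic logging so that unsigned binds are recorded as Directory Service event 2889, then summarizes those events per client and identity. The registry paths, value names and event IDs are standard Windows values rather than values from this page; the order of the event's parameters is an assumption marked in the code, and the function names are this example's own.

```powershell
# Added example, not from the original post. Registry paths, value names and event IDs are
# standard Windows values (not taken from this page). Run on the machine being checked.

$clientKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LDAP'
$serverKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diagKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

function Get-LdapSigningState {
    # LDAPClientIntegrity is what "Network security: LDAP client signing requirements" writes:
    #   0 = None, 1 = Negotiate signing (the default when the value is absent), 2 = Require signing
    # LDAPServerIntegrity is what "Domain controller: LDAP server signing requirements" writes:
    #   1 = None (default), 2 = Require signing; it lives under NTDS, so only domain controllers have it
    $client = (Get-ItemProperty -Path $clientKey -Name LDAPClientIntegrity -ErrorAction SilentlyContinue).LDAPClientIntegrity
    $server = (Get-ItemProperty -Path $serverKey -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
    $clientText = if ($client -eq 0) { 'None' } elseif ($client -eq 2) { 'Require signing' } else { 'Negotiate signing' }
    $serverText = if ($server -eq 2) { 'Require signing' } elseif ($server -eq 1) { 'None' } else { 'Not set (None on a domain controller; absent on members)' }
    return [pscustomobject]@{ Computer = $env:COMPUTERNAME; ClientSigning = $clientText; ServerSigning = $serverText }
}

function Enable-LdapInterfaceEventLogging {
    # On a domain controller, level 2 for "16 LDAP Interface Events" makes the DC log event 2889
    # for each unsigned SASL bind or simple bind on a clear-text connection (plus a 2887 summary
    # every 24 hours). Level 0 turns the logging back off once the inventory is done.
    param([int]$Level = 2)
    Set-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events' -Value $Level -Type DWord
}

function Get-UnsignedLdapBinds {
    # Summarize event 2889 from the last $Hours hours per client address, identity and bind type.
    # Assumption: the event's parameters are ordered client address, identity, binding type,
    # where binding type 0 = SASL bind without signing and 1 = simple bind on a clear-text connection.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $kind = if ($_.Properties[2].Value -eq 1) { 'simple bind (clear text)' } else { 'SASL bind without signing' }
        [pscustomobject]@{ Client = $_.Properties[0].Value; Identity = $_.Properties[1].Value; BindType = $kind }
    } | Group-Object Client, Identity, BindType | Sort-Object Count -Descending | Select-Object Count, Name
}

# Typical use: run Get-LdapSigningState on clients and DCs after each GPO has applied; on a DC,
# call Enable-LdapInterfaceEventLogging once, wait a day or more, then review Get-UnsignedLdapBinds.
Get-LdapSigningState
Get-UnsignedLdapBinds -Hours 24
```

Any client or identity that still appears in the 2889 summary after the first GPO has applied is a system that will lose access when the domain controllers switch to Require Signing; those are the hosts to fix, or to take to the vendor as the next section describes, before the second GPO is linked.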
Mitigation for other platforms
If your network contains non-Microsoft systems (*nix systems, firewalls/gateways, etc.) that communicate with AD domain controllers, it is highly recommended to contact the manufacturer of each such system for support.
Note: The advisory update doesn’t affect clients that use simple bind to authenticate to domain controllers. However, the use of simple bind is strongly discouraged unless LDAP over TLS is used, because simple bind exposes the client password in clear text.
Reference Materials
- ADV190023 Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
- 2020 LDAP channel binding and LDAP signing requirement for Windows
- Domain controller: LDAP server signing requirements
- Network security: LDAP client signing requirements
- Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL/TLS more secure
- How to enable LDAP signing in Windows Server 2008
- The LDAP Bind Operation