-
Title
Does SPS support the 2020 LDAP channel binding and LDAP signing requirement for Windows? -
Description
Microsoft will be pushing a security update scheduled March 2020 to enforce LDAP channel binding and LDAP signing on Active Directory servers by default.
Does this impact AD authentications via SPS in any way?
-
Cause
In an upcoming release in March 2020, Microsoft will provide a Windows update that by default will change the LDAP channel binding and LDAP signing to more secure configurations. -
Resolution
RESOLUTION:
In regards to LDAP authentications in SPS, there are two locations that need to be verified:
AD authentications will work successfully with the mentioned LDAP changes if SPS uses either TLS or STARTTLS
Please make sure that the Encryption is NOT set to disabled.
1. For Web UI LDAP authentications:
- Select AAA > Settings > Authentication Settings
- User Database > LDAP > Encryption > this must be set to either TLS (with port 636) or STARTTLS (with port 389)
2. For Connection Policies using AD authentications:
- Select Policies > LDAP Servers > Encryption > this must be set to either TLS (with port 636) or STARTTLS (with port 389)