LDAP Channel Binding and LDAP Signing Requirements (4266707)

LDAP Channel Binding and LDAP Signing Requirements

As part of their March 2020 update Microsoft will be enabling "LDAP Channel Binding and LDAP Server Integrity (signing)" by default.

Ref: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-update-now/ba-p/921536

How does this affect Authentication Services?

Authentication Services already runs with privacy and protection enabled by default.

From vas.conf man page:

+++++++++++++++++++++++++++

ldap-gsssasl-security-layers = <security level>

Default value: 0

By default, when communicating with Active Directory, the QAS API automatically encrypts LDAP traffic for data integrity and privacy. This option allows the SASL security layer to be set to a specific level. With the default value of 0, all traffic will be secured using the highest security that is supported by the LDAP server. If non-zero, the value interpreted as a bit mask as described by RFC 4752: 1 = No security layer, 2 = Integrity protection, 4 = Privacy protection. The following example shows how to turn off security. This may be useful for debugging purposes, or to reduce load when there is no need for network integrity or privacy.

[libvas]

ldap-gsssasl-security-layers = 1

+++++++++++++++++++++++++++

This can be tested as follows.

1. Join the Unix host to a specific DC in the domain.

# /opt/quest/bin/vastool -u <admin account> join -f <domain> <domain controller>

1. Update vas.conf as to disable “ldap-gsssasl-security-layers”

# /opt/quest/bin/vastool configure vas libvas ldap-gsssasl-security-layers 1

1. Run

# /opt/quest/bin/vastool status

The output should be normal.

1. Update the Domain Controller registry with the following settings. These updates are dynamic and there is no need to reboot. Please take note of the original registry values so you can revert to them if required.
   • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LDAPServerIntegrity = 2
   • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters\LdapEnforceChannelBinding = 2
2. Run

# /opt/quest/bin/vastool status

The following error will be reported.

“KRB5KDC_ERR_BADOPTION (-1765328371): KDC can't fulfill requested option”

1. Update vas.conf as to enable “ldap-gsssasl-security-layers” to the default setting (strictest)

# /opt/quest/bin/vastool configure vas libvas ldap-gsssasl-security-layers

1. Run the following command and the error should clear.

# /opt/quest/bin/vastool status

1. Revert to the original vastool join and registry settings if required.

Windows Registry Disclaimer: One Identity does not provide support for problems that arise from improper modification of the registry. The Windows registry contains information critical to your computer and applications. Make sure you back up the registry before modifying it. For more information on the Windows Registry Editor and how to back up and restore it, refer to Microsoft Article ID 256986 "Description of the Microsoft Windows registry" at Microsoft Support.