In August of 2019, Microsoft posted an advisory to its customers stating it intended to force the enabling of LDAP Channel Binding and Signing on Windows Servers that are in an Active Directory domain environment, to take effect in a March 10, 2020 security update.
So, what exactly is LDAP Channel Binding and Signing? We won’t get into the details here, as you can read all about it in the MS Advisory. Basically, LDAP binding is a set of operations to authenticate and authorize clients that use an LDAP server. By enforcing signing, you are rejecting Simple Authentication and Security Layer (SASL) binds or Simple binds performed in clear text (non-SSL/TLS) that do not request any signing.
Microsoft has since amended the requirement to be a recommended best security practice, with the notation that these settings will not be enforced by default in any foreseeable future updates. They are introducing three new CBT (Channel Binding Tokens) events to the Directory Services event log that will include IDs 3039, 3040, 3041, which are intended to assist the administrator in determining which clients should be investigated and hardened to enforce the signing. They are also adding a new Domain Controller GPO setting that sets the channel binding token policy. This is in addition to an existing DC policy that sets the LDAP server signing requirements.
If you utilize Directory Services, from Active Directory or any other Directory, in either a FlashArray™ or FlashBlade™ environment, our recommended best practice is to enable and configure LDAPS for that environment. On FlashBlade, you can also configure LDAP with StartTLS, which also works when requiring LDAP signing, as an alternative to LDAPS by configuring a CA certificate or CA certificate group. The following Pure KB article can get you started if you don’t have it configured or need to change it. This post will be updated if and when we receive any updated or new information on this topic.
References:
