Advisory

Richey May Advisory provides the full spectrum of transformative solutions for your business. From Technology and Risk Management to Specialty Audit Services and more, Richey May Advisory has the solutions you need to find and focus on your competitive advantage.

Contact Us

Richey May Headquarters
9780 S Meridian Blvd., Suite 500
Englewood, CO 80112
Directions
303-721-6232

Question or comments?  Click here to fill out our inquiry form.

Technology

Microsoft announces delay in forcing LDAPS connections

Articles by: Richey May, Feb 21, 2020

Last year, Microsoft announced that an update published in March 2020 would remove support for LDAP functionality. However, Microsoft has recently said it will postpone removal of LDAP support until Q3/Q4 of 2020. If you still have applications or services that use LDAP, you have a little more time to enable and configure LDAPS. The main driver for revoking this support is to ensure that all authentication data is encrypted. Today, with traditional LDAP, account credentials are sent in cleartext, which is a security risk.

The first step in understanding the scope of the change is identifying anything in your environment that uses LDAP (e.g. VPN, Mobile Device Management platforms, Secure Email Gateway platforms). An LDAP client is typically used by an application or service to perform user authentication against your domain. Your network team should also be able to check for LDAP traffic to your domain controllers by monitoring what is being passed on port 389, which is the default port for LDAP.

You must also ensure that you have a Certificate Authority (CA) in your environment. A CA is required because it issues the certificate needed to use LDAPS, which encrypts the traffic between your domain controller and the LDAP client. On any domain-joined machine you can simply run “certutil.exe” and it will list all of the CAs in your environment. If none are listed, you will need to build and configure one.

It is critical that you ensure your LDAP client has been configured to trust the CA and, where applicable, change the connection settings to LDAPS or port 636. Be sure to test thoroughly, and plan testing during appropriate downtime windows to avoid interruption to your business.
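For the first step above (finding what still talks to your domain controllers on port 389), the following is an added example, not code from Richey May or Microsoft. It summarizes a flow export per client; the CSV layout, the IP addresses and the function name `inventory_ldap_clients` are assumptions, and it goes slightly beyond the article by also counting the Global Catalog ports 3268/3269.

```python
import csv
import io
from collections import defaultdict

# Assumed inventory: the domain controllers' addresses (constructed values).
DOMAIN_CONTROLLERS = {"10.0.0.10", "10.0.0.11"}
# 389 and 636 are the ports named in the article; 3268/3269 are the Global
# Catalog equivalents, included here as a generalization.
PLAIN_PORTS = {389, 3268}
TLS_PORTS = {636, 3269}

# Constructed sample flow export: time, source, destination, dest port, protocol.
SAMPLE_FLOWS = """\
2020-02-20T09:00:01,10.0.5.20,10.0.0.10,389,tcp
2020-02-20T09:00:02,10.0.5.20,10.0.0.10,389,tcp
2020-02-20T09:00:05,10.0.7.31,10.0.0.11,636,tcp
2020-02-20T09:01:10,10.0.8.44,10.0.0.10,389,tcp
2020-02-20T09:01:12,10.0.8.44,10.0.0.10,636,tcp
2020-02-20T09:02:00,10.0.0.11,10.0.0.10,389,tcp
2020-02-20T09:02:30,10.0.5.20,10.0.9.99,389,tcp
2020-02-20T09:03:00,10.0.6.12,10.0.0.10,389,udp
2020-02-20T09:03:05,10.0.6.12,10.0.0.10,443,tcp
"""

def inventory_ldap_clients(flow_csv, dcs=DOMAIN_CONTROLLERS):
    """Return {client_ip: {"plain": n, "tls": n, "status": str}} for flows to DCs."""
    counts = defaultdict(lambda: {"plain": 0, "tls": 0})
    for row in csv.reader(io.StringIO(flow_csv)):
        if len(row) != 5:  # skip blank or malformed lines
            continue
        _ts, src, dst, port, proto = row
        # Keep client-to-DC TCP flows only. DC-to-DC traffic is not a client to
        # migrate, and UDP 389 is connectionless LDAP, which carries no bind.
        if dst not in dcs or src in dcs or proto != "tcp":
            continue
        if int(port) in PLAIN_PORTS:
            counts[src]["plain"] += 1
        elif int(port) in TLS_PORTS:
            counts[src]["tls"] += 1
    for entry in counts.values():
        entry["status"] = "ldaps" if entry["plain"] == 0 else "mixed" if entry["tls"] else "migrate"
    return dict(counts)

if __name__ == "__main__":
    for ip, info in sorted(inventory_ldap_clients(SAMPLE_FLOWS).items()):
        print(ip, info)
```

A port 389 flow can still be protected by StartTLS or LDAP signing, which flow data cannot show, so treat the "migrate" and "mixed" clients as candidates to check rather than proof of cleartext binds.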

 

For more information regarding this change and how to implement it in your environment, please refer to the following links:

https://isc.sans.edu/forums/diary/Authmageddon+deferred+but+not+averted+Microsoft+LDAP+Changes+now+slated+for+Q3Q4+2020/25800/ 

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023 

https://blogs.msdn.microsoft.com/microsoftrservertigerteam/2017/04/10/step-by-step-guide-to-setup-ldaps-on-windows-server/