This article applies to:
- Trustwave SEG
- Trustwave SPE Connector Agent
Question:
- What is the required configuration to connect to a Microsoft LDAP server that has the March 10, 2020 security enhancement enabled?
Background:
As of March 10, 2020, Microsoft provided the option to require Secure LDAP (LDAPS) for connections to LDAP servers.
Further information is available in the following Microsoft article: 2020 LDAP channel binding and LDAP signing requirement for Windows
- This was not an enforced change, although Microsoft's earlier announcement had suggested it would be.
Symptoms:
When connecting to an updated Microsoft LDAP server (on default port 389):
- Tests of unauthenticated LDAP connections will return "server down".
- Tests of authenticated connections will return "Could not authenticate LDAP connection. Strong Authentication Required".
Attempts to update group membership through the connector will fail.
Procedure:
To continue using LDAP connectors to Microsoft LDAP servers that have had the strong policy applied:
- Ensure that the LDAP server has a valid certificate in place. The certificate common name must match the FQDN or resolvable network name of the LDAPS server (for example LDAPSERVER.doc103.example.test)
- You can use the Microsoft LDP utility to check SSL support.
- If the certificate is self-signed, import it to the Windows Certificate Store (Trusted People folder) on the SEG Array Manager or the workstation where Connector Agent is installed.
- If the certificate is signed by a CA, ensure that the CA root certificate and any intermediate certificates are properly installed to the Windows Certificate Store on the Array Manager or Connector Agent workstation.
- Use the Configurator or Connector Agent interface to create or edit a connector.
- For the Server Name, specify the exact name given in the certificate (for example LDAPSERVER.doc103.example.test).
- Specify Connect using SSL and set the port as required (default: port 636).
- Provide logon details.
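The procedure above comes down to three pre-flight checks before the connector is saved: the server accepts TLS on port 636, the certificate chains to something the machine trusts, and the Server Name typed into the connector is exactly a name the certificate carries. The following script, added here as an example and not Trustwave code, performs those checks from the Array Manager or Connector Agent workstation using only the Python standard library. The `SAMPLE_CERT` dictionary is constructed to mirror the example name `LDAPSERVER.doc103.example.test`; the `probe_ldaps` function is hypothetical helper code, and `cafile` is an assumed optional parameter for the self-signed case (Python's default context reads the Windows ROOT/CA stores, not the Trusted People folder, so a self-signed certificate must be passed in explicitly here).

```python
"""Pre-flight checks for an LDAPS connector to a Microsoft LDAP server with
LDAP signing / channel binding enforced.

Added example (not Trustwave code). Standard library only, Python 3.8+.
"""
import socket
import ssl
from typing import List, Tuple

LDAPS_PORT = 636  # default LDAPS port named in the procedure

# Constructed sample in the shape returned by ssl.SSLSocket.getpeercert().
SAMPLE_CERT = {
    "subject": ((("commonName", "LDAPSERVER.doc103.example.test"),),),
    "subjectAltName": (("DNS", "LDAPSERVER.doc103.example.test"),),
}


def cert_names(cert: dict) -> List[str]:
    """Every DNS name the certificate is valid for: SAN dNSName entries plus the subject CN."""
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.append(value)
    return names


def server_name_matches(configured_name: str, cert: dict) -> bool:
    """True only if the connector's Server Name equals a certificate name exactly
    (case-insensitive, trailing dot ignored, no wildcard or short-name matching)."""
    wanted = configured_name.rstrip(".").lower()
    return any(name.rstrip(".").lower() == wanted for name in cert_names(cert))


def classify_tls_error(exc: BaseException) -> str:
    """Map a failed handshake onto the certificate steps of the procedure."""
    if isinstance(exc, ssl.SSLCertVerificationError):
        reason = (getattr(exc, "verify_message", None) or str(exc)).lower()
        if "hostname mismatch" in reason:
            return "name-mismatch: Server Name must equal the certificate CN/SAN"
        if "self signed" in reason or "self-signed" in reason:
            return "untrusted: import the self-signed certificate (Trusted People)"
        if "unable to get local issuer" in reason or "certificate verify failed" in reason:
            return "untrusted: install the CA root and intermediate certificates"
        return f"verify-failed: {reason}"
    if isinstance(exc, ConnectionRefusedError):
        return "refused: nothing listening on the LDAPS port (is it 636 and is LDAPS bound?)"
    if isinstance(exc, socket.timeout):
        return "timeout: port filtered or host unreachable"
    return f"error: {exc!r}"


def probe_ldaps(server_name: str, port: int = LDAPS_PORT,
                cafile: str = None, timeout: float = 5.0) -> Tuple[bool, str]:
    """Open a verified TLS session to server_name:port and report the outcome.

    Hypothetical helper. With cafile=None the OS trust store is used (on Windows the
    ROOT and CA stores); pass the exported self-signed certificate as cafile instead.
    """
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((server_name, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
                cert = tls.getpeercert()
                if not server_name_matches(server_name, cert):
                    return False, "name-mismatch: Server Name must equal the certificate CN/SAN"
                return True, f"ok: {tls.version()} to {', '.join(cert_names(cert))}"
    except Exception as exc:  # handshake, verification and socket errors all land here
        return False, classify_tls_error(exc)


if __name__ == "__main__":
    import sys
    ok, message = probe_ldaps(sys.argv[1], cafile=sys.argv[2] if len(sys.argv) > 2 else None)
    print(("PASS " if ok else "FAIL ") + message)
    sys.exit(0 if ok else 1)
```

Run it as `python ldaps_check.py LDAPSERVER.doc103.example.test` (add the exported `.cer` path as a second argument for a self-signed server). The name check is deliberately strict because the connector's Server Name is what the client presents for hostname verification: the short name `LDAPSERVER` or an IP address will fail even when the FQDN is in the certificate.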
Notes:
- The March 2020 changes do not enforce policy by default. This is a change from the pre-announcement made by Microsoft.
- The March 2020 changes do not affect native AD connections. If you have installed the SEG Array Manager or the Connector Agent on a domain-joined server, the Microsoft Active Directory connector can be used with no additional configuration. Depending on the access permissions in AD, you may need to provide a user account to retrieve information.