Microsoft has announced an update that disables unsigned LDAP by default. What does this mean for administrators? In short: you can no longer use unsigned (simple, cleartext) binds to domain controllers over port 389. After the update is installed you have to use either LDAPS over port 636 or StartTLS on port 389. Both options require a certificate on the domain controllers.
Microsoft has articles with the necessary information, including how to add certificates to your DCs: https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows. You can also read more here: https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-update-now/ba-p/921536
The update applies to all of the following versions:
- Windows Server 2008 SP2
- Windows 7 SP1
- Windows Server 2008 R2 SP1
- Windows Server 2012
- Windows 8.1
- Windows Server 2012 R2
- Windows 10 1507
- Windows Server 2016
- Windows 10 1607
- Windows 10 1703
- Windows 10 1709
- Windows 10 1803
- Windows 10 1809
- Windows Server 2019
- Windows 10 1903
- Windows 10 1909
Have a look at your NetScaler
Of course this also affects third-party solutions that rely on LDAP, such as Citrix NetScaler/ADC, other network appliances and any authentication mechanism that binds to Active Directory over LDAP. If you haven't switched them to LDAPS or StartTLS before the update, they will stop working.
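Before the update lands, it helps to know which clients still perform unsigned binds against your domain controllers, so that an appliance such as a NetScaler/ADC whose LDAP action still points at port 389 can be fixed in time. The following PowerShell script is an added example and not part of the original post or of any Microsoft or Citrix tooling. It assumes that the '16 LDAP Interface Events' diagnostics value under the NTDS Diagnostics registry key controls logging of events 2887 (daily summary) and 2889 (one entry per unsigned bind) in the Directory Service log, and that the regular expression below matches the wording of the 2889 message on current builds; the expression may need adjusting for other builds. Run it on each domain controller as an administrator.

```powershell
# Added example (not from the original post): inventory clients that still perform
# unsigned LDAP binds against this domain controller, so they can be moved to
# LDAPS (636) or StartTLS (389) before the enforcement update is installed.

$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# Step 1: raise LDAP interface logging to level 2 so every unsigned bind is
# logged as event 2889 (at the default level 0 only the daily 2887 summary is written).
Set-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# Step 2: after the log has had time to fill (a full day catches most scheduled
# jobs and service accounts), collect the 2889 events from the last 24 hours.
$since  = (Get-Date).AddDays(-1)
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = $since
} -ErrorAction SilentlyContinue

# Step 3: pull the client address and bind identity out of each message.
# Assumption: the message carries the address as IP:port followed by the identity
# line; the ephemeral port is dropped so binds from the same host group together.
$pattern = 'Client IP address:\s*(?<addr>\S+)[\s\S]*?Identity the client attempted to authenticate as:\s*(?<id>[^\r\n]+)'
$rows = foreach ($e in $events) {
    if ($e.Message -match $pattern) {
        [pscustomobject]@{
            Client   = ($Matches.addr -replace ':\d+$', '')
            Identity = $Matches.id.Trim()
        }
    }
}

# Step 4: summarise per client: how many unsigned binds, and which accounts they used.
$rows | Group-Object Client | Sort-Object Count -Descending | ForEach-Object {
    [pscustomobject]@{
        Client        = $_.Name
        UnsignedBinds = $_.Count
        Identities    = ($_.Group.Identity | Sort-Object -Unique) -join ', '
    }
} | Format-Table -AutoSize

# Step 5 (optional): once the table stays empty, return logging to its default level.
# Set-ItemProperty -Path $diagKey -Name '16 LDAP Interface Events' -Value 0 -Type DWord
```

The resulting table lists every source address that bound without signing in the last day, together with the accounts it used, which is usually enough to map an entry back to a NetScaler LDAP server profile or another appliance. Leave the raised diagnostics level in place only as long as you need it, since level 2 writes one event per bind and can fill the Directory Service log quickly on a busy DC.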
Marco Klose works as a Technical Consultant, Architect and CTO focused on application and desktop virtualization as well as application delivery with the Citrix product portfolio. He specializes in Citrix virtualization, Citrix networking and Microsoft products. He has more than 10 years of experience, holds the latest Citrix certifications and is a member of the Citrix Partner Expert Council EMEA (PTEC). Since 2021 he has also been a Citrix Technology Advocate (CTA).