Microsoft has announced an update that will require LDAP signing and LDAP channel binding on domain controllers by default. What does this mean for administrators? In short: a simple (cleartext) bind to a domain controller over port 389 without TLS will be rejected once the requirement is enforced. Clients must then either use LDAPS on port 636, use StartTLS on port 389, or perform a SASL bind (Kerberos/NTLM) that negotiates signing. The two TLS options require a server certificate on every domain controller.


Microsoft has articles with the necessary information, including how to add certificates to your DCs: https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows. You can also read more here –> https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-ldap-signing-requirements-update-now/ba-p/921536

The update applies to all supported Windows versions:

  • Windows Server 2008 SP2
  • Windows 7 SP1
  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows 8.1
  • Windows Server 2012 R2
  • Windows 10 1507
  • Windows Server 2016
  • Windows 10 1607
  • Windows 10 1703
  • Windows 10 1709
  • Windows 10 1803
  • Windows 10 1809
  • Windows Server 2019
  • Windows 10 1903
  • Windows 10 1909

Have a look at your NetScaler

Of course this also affects third-party products that authenticate against Active Directory over LDAP, such as Citrix NetScaler/ADC and other network appliances. If their LDAP authentication server is still configured for plaintext on port 389, authentication stops working once signing is enforced. On a NetScaler/ADC, change the LDAP authentication server's security type from PLAINTEXT to SSL (port 636) or TLS (StartTLS on port 389), and, if server certificate validation is enabled, make sure the ADC trusts the CA that issued the domain controllers' certificates.
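Before enforcing the requirement you want to know which clients (appliances, service accounts, scripts) still bind unsigned. The following PowerShell is an added example and not part of the original post or of Microsoft's articles. It assumes it is run elevated on a domain controller; the registry paths and event IDs are the documented ones (event 2889 lists each unsigned bind when "16 LDAP Interface Events" is set to 2), but the order of the event's data fields (client address, identity, binding type) is an assumption taken from the event text.

```powershell
# Added example (not from the original post): inventory unsigned LDAP binds on a DC
# before switching on the signing / channel binding requirement.
# Assumes: run elevated on a domain controller; event 2889 data fields are
# [0] client ip:port, [1] identity, [2] binding type (assumption from the event text).

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS'

# 1. Log every unsigned bind as event 2889 in the Directory Service log
#    (0 = summary events 2886/2887 only, 2 = one event per offending bind).
Set-ItemProperty -Path "$ntds\Diagnostics" -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# 2. Collect the 2889 events of the last 24 hours and summarise them by client.
$since  = (Get-Date).AddHours(-24)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$report = foreach ($e in $events) {
    [pscustomobject]@{
        Client      = $e.Properties[0].Value          # "ip:port" of the LDAP client
        Identity    = $e.Properties[1].Value          # account the client bound as
        BindingType = $(switch ($e.Properties[2].Value) {
                          0       { 'SASL bind without signing' }
                          1       { 'Simple bind on cleartext connection' }
                          default { "Unknown ($_)" }
                      })
        Time        = $e.TimeCreated
    }
}

# Clients at the top of this list (e.g. a NetScaler LDAP action still set to PLAINTEXT)
# must be moved to LDAPS/StartTLS or to a signing SASL bind before step 3.
$report | Group-Object Client, BindingType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# 3. Only after the list is empty: require signing and channel binding.
#    These registry values are what the GPO settings "Domain controller: LDAP server
#    signing requirements" (LDAPServerIntegrity, 2 = require) and
#    "LDAP server channel binding token requirements" (LdapEnforceChannelBinding, 2 = always) write.
# Set-ItemProperty -Path "$ntds\Parameters" -Name 'LDAPServerIntegrity'       -Value 2 -Type DWord
# Set-ItemProperty -Path "$ntds\Parameters" -Name 'LdapEnforceChannelBinding' -Value 2 -Type DWord

# 4. Turn the per-bind logging back off once the migration is done.
# Set-ItemProperty -Path "$ntds\Diagnostics" -Name '16 LDAP Interface Events' -Value 0 -Type DWord
```

Run it against every domain controller, since a client only shows up in the log of the DC it happened to bind to. The daily summary event 2887 tells you whether any unsigned binds occurred at all; the per-bind 2889 events are what you need to find the client behind them.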
