Enable LDAP Server SSL
Why change?
Microsoft released a patch in mid-2020 that enforces LDAP Channel Binding and LDAP Signing.
/portal.msrc.microsoft.com//ADV190023
Any software that makes AD queries is affected.
support.microsoft.com/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows
SASL-LDAP binds that do not require a signature and Simple LDAP binds over unencrypted connections are prevented.
Elevated log levels and event IDs can be used to detect non-signed LDAP connections.
The increased log can be enabled in the registry on the domain controller. To do this, set "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\16 LDAP Interface Events" from 0 to 2 on the domain controller. (After the modification, this setting must be changed back to 0).
With a filter in the Windows Eventlog on the IDs: 2886, 2887, 2888, 2889 (alternatively 2886-2889) the hosts can be determined, which establish SASL-LDAP Binds, which do not require a signature, and Simple LDAP Binds over unencrypted connections. To do this, customize the LDAP server in Aeneis.
Instruction:
-
Open the ServerAdministration
-
Under Authentication | LDAP, open the properties of the LDAP server
-
Enable the Use SSL property
-
Enter the SSL port
-
Test the connection
-
Confirm the Import self-signed certificate dialog with Yes
-
Save the properties
Result:
The Aeneis server uses an encrypted LDAP connection. This is possible through the generated aeneis-client-keystore.jks file in the application data directory. In order to continue logging in via LDAP on the FatClient, this file (aeneis-client-keystore.jks) must also be present on the client installations.
-
(For server operation with HTTP) Copy the file to the application data directories of the clients.
-
(For server operation with HTTPS) Remove the secure connection in the clients in the server connection and set it again. Then accept the certificates.