20 Jan 2020

Hi Community,

In March 2020 Microsoft plans to release a security update on Windows Update that by default enables LDAP channel binding and LDAP signing hardening changes for Active Directory.
Details and technical background of these changes are described in the Microsoft articles linked in the related information section of this KBA.

When the security settings are enabled and the pre-conditions are not met, especially if SafeGuard Server and computers running the SafeGuard Management Center are not updated with the required Microsoft Security Updates (see CVE-2017-8563), the SSL directory authentication does not work any longer.

For SafeGuard this means that,

the Active Directory synchronization may fail with the error "The user name or password is incorrect.".
Creating a new Directory connection, using SSL, may fail with the error message "The connection to the requested directory failed. Additional info: The user name or password is incorrect.".
Setting up the LDAP Authentication in the Management Center Wizard may fail with the error message "The connection to the requested directory failed. Additional info: The user name or password is incorrect.".

Example error messages:

What to do

Ensure that all involved computers are patched with the relevant Microsoft security update for CVE-2017-8563.

Alternatively you can:

Disable SSL for the AD connection in the SafeGuard Management Center (not recommended).
Disable this security setting to switch back to the previous behavior (not recommended).
To explicitly disable the setting, set the LdapEnforceChannelBinding entry to 0 (zero). Details are described in the Microsoft articles, linked in the related information section of this KBA.

Related information

Sign up to the Sophos Support SMS Notification Service to get the latest product release information and critical issues.

Note: Information above taken from KBA 135029

Impact of LDAP Channel Binding and LDAP Signing Requirements on SafeGuard Enterprise

What to do

Related information