In March 2020 Microsoft plans to release a security update via Windows Update that enables the LDAP channel binding and LDAP signing hardening changes for Active Directory by default. The details and technical background of these changes are described in the Microsoft articles linked in the related information section of this article.
When the hardened settings are enforced and the preconditions are not met, the following may no longer work:
In the server.log of a Sophos Mobile server, an error message similar to the one below appears:
2020-01-21 11:05:55,498 WARN [com.sophos.mobilecontrol.server.adminui.customer.CustomerModelManager] (default task-38) could not connect to ldap server with entered data "Display name: L***************************r, Ldap type: ActiveDirectory": [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090257, comment: The server requires binds to turn on integrity checking if SSL\TLS are not already active on the connection, data 0, v2580 ]
To prevent these issues, switch the directory connection from LDAP to LDAPS. The domain controller's own error text states the reason: once signing is required, a simple bind over cleartext LDAP (port 389) is refused unless SSL/TLS is already active on the connection, so a bind over LDAPS (port 636) continues to be accepted.
Note: This only affects Sophos Mobile on-premise installations. Sophos Central Mobile is not affected, as Sophos Central only supports connections via LDAPS.
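As an added example (not Sophos code or part of the original article), the following Python script scans a Sophos Mobile server.log for directory binds that a domain controller refused because signing is now required, and lists the customers whose connection must be switched to LDAPS. It assumes the log line format shown above; the sample log lines, customer names and the unrelated INFO line are constructed for the example. LDAP result code 8 is strongerAuthRequired (RFC 4511) and the Win32 error 0x2028 is ERROR_DS_INAPPROPRIATE_AUTH; the script uses that pair to separate signing refusals from other bind failures such as a bad password.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Added example (not Sophos code): detect LDAP binds that a domain controller
# rejected because LDAP signing is required, from Sophos Mobile server.log lines.

# Timestamp prefix used by server.log lines, e.g. "2020-01-21 11:05:55,498".
TIMESTAMP_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2},\d{3})")

# Active Directory extended error string as logged by the Sophos Mobile server.
# Groups: LDAP result code, Win32 error (hex), DSID, comment, data and v fields.
LDAP_ERR_RE = re.compile(
    r"LDAP: error code (?P<code>\d+) - (?P<win32>[0-9A-Fa-f]{8}): "
    r"LdapErr: DSID-(?P<dsid>[0-9A-Fa-f]+), comment: (?P<comment>.*?), "
    r"data (?P<data>[0-9A-Fa-f]+), v(?P<version>[0-9A-Fa-f]+)"
)

# Display name and type of the Sophos Mobile directory connection that failed.
CUSTOMER_RE = re.compile(r"Display name: (?P<name>.+?), Ldap type: (?P<type>\w+)")

# LDAP result code 8 is strongerAuthRequired (RFC 4511). Together with Win32
# error 0x2028 (ERROR_DS_INAPPROPRIATE_AUTH) it is what a domain controller
# returns for a simple bind over cleartext LDAP once signing is required.
STRONGER_AUTH_REQUIRED = 8
ERROR_DS_INAPPROPRIATE_AUTH = "00002028"


@dataclass
class BindFailure:
    timestamp: str
    customer: Optional[str]
    ldap_type: Optional[str]
    result_code: int
    win32_error: str
    comment: str

    @property
    def signing_enforced(self) -> bool:
        """True when the DC refused the bind for lack of signing or TLS."""
        return (self.result_code == STRONGER_AUTH_REQUIRED
                and self.win32_error == ERROR_DS_INAPPROPRIATE_AUTH)


def parse_line(line: str) -> Optional[BindFailure]:
    """Return a BindFailure for an LDAP bind error line, or None otherwise."""
    err = LDAP_ERR_RE.search(line)
    if err is None:
        return None
    ts = TIMESTAMP_RE.match(line)
    cust = CUSTOMER_RE.search(line)
    return BindFailure(
        timestamp=ts.group("ts") if ts else "",
        customer=cust.group("name") if cust else None,
        ldap_type=cust.group("type") if cust else None,
        result_code=int(err.group("code")),
        win32_error=err.group("win32").upper(),
        comment=err.group("comment"),
    )


def scan_log(text: str) -> List[BindFailure]:
    """Parse every line of a server.log excerpt; lines without a bind error are skipped."""
    return [f for f in map(parse_line, text.splitlines()) if f is not None]


def customers_needing_ldaps(text: str) -> List[str]:
    """Distinct customers (first-seen order) whose bind was refused because the DC
    now requires signing; each of these needs its connection switched to LDAPS."""
    seen: List[str] = []
    for f in scan_log(text):
        name = f.customer or "<unknown>"
        if f.signing_enforced and name not in seen:
            seen.append(name)
    return seen


# Constructed sample log (not a real server.log): one bind refused for missing
# signing, one ordinary bad-credentials failure, and an unrelated INFO line.
SAMPLE_LOG = """\
2020-01-21 11:05:55,498 WARN  [com.sophos.mobilecontrol.server.adminui.customer.CustomerModelManager] (default task-38) could not connect to ldap server with entered data "Display name: Example Corp, Ldap type: ActiveDirectory": [LDAP: error code 8 - 00002028: LdapErr: DSID-0C090257, comment: The server requires binds to turn on integrity checking if SSL\\TLS are not already active on the connection, data 0, v2580 ]
2020-01-21 11:07:12,031 WARN  [com.sophos.mobilecontrol.server.adminui.customer.CustomerModelManager] (default task-41) could not connect to ldap server with entered data "Display name: Other Tenant, Ldap type: ActiveDirectory": [LDAP: error code 49 - 80090308: LdapErr: DSID-0C09042F, comment: AcceptSecurityContext error, data 52e, v2580 ]
2020-01-21 11:08:00,000 INFO  [example.Component] (default task-2) scheduled task finished
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        action = "switch to LDAPS" if f.signing_enforced else "other bind error"
        print(f"{f.timestamp} {f.customer}: code {f.result_code} / {f.win32_error} -> {action}")
    print("customers to migrate:", customers_needing_ldaps(SAMPLE_LOG))
```

Run it against a real server.log by replacing SAMPLE_LOG with the file contents; only customers reported by customers_needing_ldaps() are affected by the signing change, while other bind failures (wrong credentials, unreachable server) need a different fix.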
Applies to the following Sophos products and versions: Sophos Mobile
To make sure LDAP login continues to work, use LDAPS for the connection to the Active Directory server if it is not already in use. Details on how to set this up for a Microsoft Active Directory can be found in the article linked below.
To switch the connection within Sophos Mobile to LDAPS, perform the following steps:
These steps must be repeated for every Sophos Mobile customer that uses an LDAP connection.