On 10 March 2020, Microsoft recommended moving to LDAP channel binding and LDAP signing to avoid replay attacks on LDAP communication.
After the hardening changes are done, Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) will be rejected by Active Directory domain controllers.
This knowledge base article describes how the Sophos Web Appliance communicates with Active Directory / LDAP.
Applies to the following Sophos products and versions: Sophos Web Appliance
No configuration change is necessary on the Sophos Web Appliance. This is because of the way the Sophos Web Appliance communicates with Active Directory: it performs a SASL LDAP bind that requests signing.
The SASL bind is an inherently secure way of authenticating that doesn't need to happen over an encrypted channel.
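An administrator who wants to confirm this on their own domain controllers, rather than take it on trust, can check which clients the DC reports as binding without requesting signing. Domain controllers log Directory Service Event ID 2889 for each such client once the "16 LDAP Interface Events" diagnostic level is raised to 2; a client that never appears in those events will keep working after signing is enforced. The script below is an added example, not part of the Sophos article: it parses event messages in the documented 2889 layout, groups them by client address and binding type, and answers whether a given host (for instance the appliance's IP) would be affected by the hardening. The sample messages, addresses and account names are constructed for the example, and the field layout should be compared against an event exported from your own DC before relying on the parser.

```python
import re
from collections import Counter, defaultdict

# Header text that a domain controller writes at the top of every Event ID 2889 message.
HEADER = (
    "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
    "without requesting signing (integrity verification), or performed a simple bind "
    "over a clear text (non-SSL/TLS-encrypted) LDAP connection."
)

# Binding Type values as documented for Event 2889.
BINDING_TYPE = {0: "unsigned SASL bind", 1: "simple bind over cleartext LDAP"}


def _constructed_event(addr, identity, btype):
    """Build a sample 2889 message (constructed test data, not a real log export)."""
    return (
        f"{HEADER}\n\nClient IP address:\n{addr}\n"
        f"Identity the client attempted to authenticate as:\n{identity}\n"
        f"Binding Type:\n{btype}"
    )


# Constructed sample events: one legacy service binding twice without signing,
# and one user doing a simple bind over cleartext. Addresses are documentation ranges.
SAMPLE_EVENTS = [
    _constructed_event("192.0.2.10:49731", "EXAMPLE\\svc-legacy-app", 0),
    _constructed_event("192.0.2.10:49802", "EXAMPLE\\svc-legacy-app", 0),
    _constructed_event("192.0.2.44:51120", "EXAMPLE\\jdoe", 1),
]

# Extracts the three labelled fields that follow the header. Whitespace between
# label and value is tolerated because exports vary in line endings.
FIELD_RE = re.compile(
    r"Client IP address:\s*(?P<addr>\S+)\s*"
    r"Identity the client attempted to authenticate as:\s*(?P<identity>[^\n]*?)\s*"
    r"Binding Type:\s*(?P<btype>\d+)"
)


def parse_event(message):
    """Return (client_host, identity, binding_type) for one 2889 message, or None if it does not match."""
    m = FIELD_RE.search(message)
    if m is None:
        return None
    # The DC records "ip:port"; drop the ephemeral port so repeat binds from one host group together.
    host, _, _port = m.group("addr").rpartition(":")
    return host, m.group("identity"), int(m.group("btype"))


def summarize(messages):
    """Map each client host to a Counter of the binding types it used."""
    summary = defaultdict(Counter)
    for msg in messages:
        parsed = parse_event(msg)
        if parsed is None:
            continue  # not a 2889 message; skip rather than guess
        host, _identity, btype = parsed
        summary[host][BINDING_TYPE.get(btype, f"unknown type {btype}")] += 1
    return dict(summary)


def will_break_after_hardening(messages, host):
    """True if the host appears in any 2889 event, i.e. it performs binds that a DC requiring signing will reject."""
    return host in summarize(messages)


if __name__ == "__main__":
    for host, kinds in summarize(SAMPLE_EVENTS).items():
        print(host, dict(kinds))
    # A host absent from the events, such as a correctly behaving appliance, is not flagged.
    print("192.0.2.99 affected:", will_break_after_hardening(SAMPLE_EVENTS, "192.0.2.99"))
```

To use this against real data, export the Directory Service log entries with Event ID 2889 from each domain controller and feed their message bodies to `summarize`; the appliance's address should not appear, which is consistent with the article's statement that its SASL bind already requests signing.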