

Recommended configuration for AD/LDAP authentication over SSL/TLS according to Microsoft requirements for Windows

Hi Community,

On March 10th, 2020 Microsoft recommends moving to LDAP channel binding and LDAP signing to avoid replay attacks on the LDAP communication. After the hardening changes are done, Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) will be rejected by Active Directory domain controllers.

Please refer to our latest KBA to follow this in Sophos XG:

You can also check Microsoft Support's article here to learn more about this change.



This thread was automatically locked due to age.
  • PS: Microsoft moved this Patch to 2H 2020. 

    This is "just" a GPO Change.

    Important: The March 10, 2020 and updates in the foreseeable future will not make changes to LDAP signing or LDAP channel binding policies or their registry equivalent on new or existing domain controllers.

    Note that LDAP signing "Domain controller: LDAP server signing requirements" policy already exists in all supported versions of Windows.
