Invoke Microsoft Security Advisory for LDAP Channel Binding and Signing

02/23/2023

LDAP channel binding and LDAP signing provide ways to increase the security for communications between LDAP clients and Active Directory domain controllers.

What’s happening?

  • On Wednesday 3/15/23, Information Assurance Identity and Access Management (IAM) is making a change to configure Active Directory domain controller servers to reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification), or to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection.
  • This change is necessary to meet Information Assurance cyber security standards and requirements: unsigned network traffic is susceptible to replay and Man-in-the-Middle attacks.
  • [Note: this change affects only LDAP authentication to Active Directory (UMHS.MED.UMICH.EDU); LDAP.ENT.MED.UMICH.EDU is out of scope]

Action Required:

  • Resources (applications, system accounts, etc.) that are built on .NET Framework, Active Directory Service Interfaces (ADSI), or make LDAP calls into WLDAP32 will automatically handle LDAP signing and channel binding. No action is likely required for these types of resources, but please check your documentation or vendor to be sure.
  • Resources (applications, system accounts, devices, etc.) that rely on unsigned SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds or on LDAP simple binds over a non-SSL/TLS connection could fail to authenticate. Please check your documentation or vendor for non-Windows device operating systems, services, and applications.

Best course of action:

  • This change has already been implemented in the following Michigan Medicine LDAP test environment (P-UMHS.MED.UMICH.EDU:636). Please test your LDAP connectivity to this service to confirm that your application can authenticate prior to the production LDAP change on 3/15/23.
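The connectivity test the advisory asks for can be scripted. The following is an added example, not part of the original advisory and not Michigan Medicine or Microsoft tooling: a Python probe using only the standard library that sends one LDAP v3 simple bind and decodes the BindResponse, once over LDAPS (port 636, the test environment named above) and once over clear-text port 389. A domain controller enforcing the new policy answers the clear-text simple bind with resultCode 8 (strongerAuthRequired, RFC 4511), whereas resultCode 0 or 49 (invalidCredentials) means the transport itself was accepted and the bind reached the credential check. The account DN and password are placeholders; probing port 389 on that host is an assumption of this example (the advisory lists only port 636), and the port-389 probe puts the password on the wire unencrypted, which is the very behaviour the change rejects, so use a throwaway test account for it.

```python
import socket
import ssl

# RFC 4511 result codes that matter for the signing/channel-binding change
RESULT_NAMES = {
    0: "success",
    8: "strongerAuthRequired",   # DC insists on signing or TLS for this bind
    49: "invalidCredentials",    # transport accepted; the password was not
}


def ber_len(n: int) -> bytes:
    """BER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def ber(tag: int, payload: bytes) -> bytes:
    """One BER TLV with the given tag byte."""
    return bytes([tag]) + ber_len(len(payload)) + payload


def ber_int(value: int, tag: int = 0x02) -> bytes:
    """BER INTEGER (two's complement, minimal length) for non-negative values."""
    body = value.to_bytes(max(1, (value.bit_length() + 8) // 8), "big", signed=True)
    return ber(tag, body)


def build_simple_bind(message_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, simple [0] } }."""
    bind_request = ber(0x60,                             # [APPLICATION 0] BindRequest
                       ber_int(3)                        # version
                       + ber(0x04, dn.encode())          # name (LDAPDN)
                       + ber(0x80, password.encode()))   # simple [0] OCTET STRING
    return ber(0x30, ber_int(message_id) + bind_request)  # SEQUENCE


def parse_tlv(buf: bytes, pos: int = 0):
    """Return (tag, value, next_pos) for the TLV starting at pos."""
    tag, first, pos = buf[pos], buf[pos + 1], pos + 2
    if first < 0x80:
        length = first
    else:
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse { resultCode, matchedDN, diag } }."""
    tag, msg, _ = parse_tlv(data)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = parse_tlv(msg)
    op_tag, op, _ = parse_tlv(msg, pos)
    if op_tag != 0x61:                                   # [APPLICATION 1] BindResponse
        raise ValueError("not a BindResponse (tag 0x%02x)" % op_tag)
    _, code, pos = parse_tlv(op)                         # resultCode ENUMERATED
    _, _matched_dn, pos = parse_tlv(op, pos)             # matchedDN (unused here)
    _, diag, _ = parse_tlv(op, pos)                      # diagnosticMessage
    result_code = int.from_bytes(code, "big")
    return {"message_id": int.from_bytes(msg_id, "big"),
            "result_code": result_code,
            "result_name": RESULT_NAMES.get(result_code, "other"),
            "diagnostic": diag.decode("utf-8", errors="replace")}


def classify(result: dict) -> str:
    """Map a bind result onto the advisory's scenario."""
    code = result["result_code"]
    if code == 8:
        return "REJECTED: DC requires signing or TLS for this bind"
    if code in (0, 49):
        return "TRANSPORT ACCEPTED: bind reached the credential check"
    return "OTHER: resultCode %d (%s)" % (code, result["diagnostic"])


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def recv_ldap_message(sock) -> bytes:
    """Read exactly one BER-framed LDAPMessage from the socket."""
    head = _recv_exact(sock, 2)
    if head[1] < 0x80:
        length = head[1]
    else:
        extra = _recv_exact(sock, head[1] & 0x7F)
        head, length = head + extra, int.from_bytes(extra, "big")
    return head + _recv_exact(sock, length)


def probe_simple_bind(host, port, dn, password, use_tls, timeout=10.0) -> dict:
    """Open TCP (or TLS) to host:port, send one simple bind, decode the reply."""
    sock = socket.create_connection((host, port), timeout=timeout)
    if use_tls:
        ctx = ssl.create_default_context()   # verifies the DC certificate chain
        sock = ctx.wrap_socket(sock, server_hostname=host)
    with sock:
        sock.sendall(build_simple_bind(1, dn, password))
        return parse_bind_response(recv_ldap_message(sock))


if __name__ == "__main__":
    HOST = "P-UMHS.MED.UMICH.EDU"                     # test environment from the advisory
    DN = "CN=placeholder-account,DC=example,DC=test"  # placeholder, use a throwaway account
    PASSWORD = "placeholder-password"                 # placeholder
    for port, tls in ((636, True), (389, False)):     # port 389 probe is an assumption
        try:
            r = probe_simple_bind(HOST, port, DN, PASSWORD, tls)
            print(port, "TLS" if tls else "clear", r["result_name"], "->", classify(r))
        except (OSError, ssl.SSLError, ValueError) as exc:
            print(port, "error:", exc)
```

Run it from a host that can reach the test environment; the expected pattern after the change is the LDAPS probe reporting success or invalidCredentials and the clear-text probe reporting strongerAuthRequired. An application that only ever talks on port 636 (or does StartTLS, or a SASL bind with signing) is unaffected, which is what the .NET/ADSI/WLDAP32 bullet above describes; one that gets resultCode 8 here is the kind of resource that needs vendor or configuration changes before 3/15/23.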

Questions/Concerns

  • Please submit an Incident through Michigan Medicine ServiceNow using the information below to set up a support call with the IAM team before March 10, 2023.
    -  Category: Service Request
    -  Subcategory: Move/Change/Add
    -  Service: Authentication
    -  Service offering: LDAP Service
    -  Assignment group: Identity and Access Management
    -  Short Description: CHG0152788 LDAP channel binding and signing for (your application/account/device name)