ICYMI: Active Directory will require LDAP over SSL in 2020

samuellarsson
New Contributor III

UPDATE 2020-02-04: Microsoft has postponed the update again from March 2020 to the second half of 2020.

UPDATE 2020-01-24: Microsoft has postponed the update from January 2020 to March 2020.

For y'all who are binding your devices to Active Directory, you are going to have to make sure that the LDAP connections are encrypted from mid-January 2020. Microsoft will release security updates across the board that require all connections to be encrypted.

There are essentially only two things that need to be looked at: the Jamf Pro server LDAP bind options and, if you bind any of your clients, the client directory bind configuration.

For the Jamf Pro LDAP binding options, there is a great guide to follow here. The client directory bind configuration, however, can be applied in different ways, but the most usual ways are by configuration profile or binding via CLI. At the moment, the payload called Directory in the configuration profiles has an option under Packet encryption called "ssl" and another option under Packet signing called "require", which as far as I know both need to be set. To join a client with the built-in CLI called dsconfigad, there is the following command:

dsconfigad -add <domain> -username <user> -computer $(hostname) -password <password> -ou "<ou>" -packetencrypt ssl -force

As usual, it's a good idea to look over this now when there is still time. Nothing will happen until you actually run the Windows update to your domain controller(s), but you will need to update all the same.

Link to Microsoft article
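
The two client-side settings the post describes (packet signing "require" and packet encryption "ssl") can be audited from a script before the domain controllers are updated. The following is an added example and not part of the original post or any Jamf/Apple tooling: it parses the text that `dsconfigad -show` prints on a bound Mac and reports whether both values are at the required settings. The function names are my own, and the two sample outputs are constructed to match the `dsconfigad -show` layout (the first at macOS's default of "allow" for both, the second after running the hardening command).

```bash
#!/bin/bash
# Audit a macOS Active Directory bind for LDAP signing and LDAP-over-SSL.
# Added example (not from the original post). It parses `dsconfigad -show`
# output; function names are assumptions, sample output is constructed.

# Print the value of one "Key = value" line from dsconfigad -show output.
#   $1 = full output text, $2 = key name (for example "Packet encryption")
ad_setting() {
    printf '%s\n' "$1" | awk -F' = ' -v key="$2" '
        { k = $1; sub(/^[ \t]+/, "", k); sub(/[ \t]+$/, "", k) }
        k == key { v = $2; sub(/[ \t]+$/, "", v); print v; exit }
    '
}

# Succeed (exit 0) only when signing is "require" AND encryption is "ssl",
# the combination the thread says a client needs once the DCs enforce it.
ad_ldap_hardened() {
    local sign enc
    sign=$(ad_setting "$1" "Packet signing")
    enc=$(ad_setting "$1" "Packet encryption")
    [ "$sign" = "require" ] && [ "$enc" = "ssl" ]
}

# Print a human-readable verdict for one dsconfigad -show output.
audit() {
    local out="$1" sign enc
    sign=$(ad_setting "$out" "Packet signing")
    enc=$(ad_setting "$out" "Packet encryption")
    printf 'Packet signing    : %s (want require)\n' "${sign:-not bound}"
    printf 'Packet encryption : %s (want ssl)\n'     "${enc:-not bound}"
    if ad_ldap_hardened "$out"; then
        echo "OK: client requires signed LDAP over SSL"
    else
        echo "WARNING: bind still accepts unsigned / unencrypted LDAP"
        echo "Remediate (as root): dsconfigad -packetsign require -packetencrypt ssl"
    fi
}

# Constructed sample: relevant part of `dsconfigad -show` at the defaults.
SAMPLE_DEFAULT='Active Directory Forest          = example.com
Active Directory Domain          = example.com
Computer Account                 = mac01$

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Packet signing                 = allow
  Packet encryption              = allow
  Password change interval       = 14'

# Constructed sample: the same Mac after the hardening command above.
SAMPLE_HARDENED='Active Directory Forest          = example.com
Active Directory Domain          = example.com
Computer Account                 = mac01$

Advanced Options - Administrative
  Preferred Domain controller    = not set
  Packet signing                 = require
  Packet encryption              = ssl
  Password change interval       = 14'

# On a Mac, audit the live bind; elsewhere, demonstrate on the sample.
if command -v dsconfigad >/dev/null 2>&1; then
    audit "$(dsconfigad -show)"
else
    audit "$SAMPLE_DEFAULT"
fi
```

Run it once on a test Mac before and after applying the change. If, as reported further down in the thread, authentication stops working after `-packetencrypt ssl` is set, the first thing to check is whether the domain controller's LDAPS certificate chains to a CA the Mac trusts, since the client now refuses to fall back to cleartext LDAP.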

Cyrano5
New Contributor II

Does anyone have an update to this? The reports that I have seen in this thread mirror the experiences that I have had as well. When I apply the dsconfigad -packetsign require and dsconfigad -packetencrypt ssl commands on my test machines, AD becomes unresponsive. I cannot unlock my machine or any of the preference panes when trying to authenticate with AD credentials.

mschroder
Valued Contributor

To cite @Cyrano5: Any news on this?

bmack99
Contributor III

It appears this is coming on 2.9.21, see here

I'm scouring Splunk and our DCs for event ID 5829, which should be triggered by any vulnerable device attempting to connect over a non-secure channel Netlogon (see here). I'm not finding any of these event IDs. Does anyone know how I can confirm for certain on a macOS device whether it is configured for secure channel Netlogon?

spalmer
Contributor III

@brianmcbride99 The article you linked to refers to Netlogon Domain Controller Enforcement Mode and references CVE-2020-1472. Are you sure that is the same issue?

This discussion thread was originally referring to CVE-2017-8563 with regards to Microsoft requiring LDAP Channel Binding and LDAP Signing.

A blog post from Microsoft states that it has backed off on forcing LDAP Channel Binding and LDAP Signing and is only now highly recommending it, leaving the decision up to the customer:

https://techcommunity.microsoft.com/t5/core-infrastructure-and-security/ldap-channel-binding-and-lda...

ATTENTION: before you continue reading I must emphasize that the MARCH 2020 update and FUTURE UPDATES WILL NOT MAKE ANY CHANGE. This means that we leave it to Customer to decide when to enforce these settings, now and in the future. https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirem... Our recommendation is to enforce both of them and not leave your environment at risk

If this is indeed a totally different issue it might be best to start a new discussion.

bmack99
Contributor III

@spalmer My apologies, you are indeed correct. I have the two mixed up. Sorry for the false alarm, and thank you for the clarification.