MS to enforce AD DS LDAP Signing - JAN 2020

Discussion in 'Business & Enterprise Computing' started by NSanity, Sep 12, 2019.

  1. NSanity

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,680
    Location:
    Canberra
    https://support.microsoft.com/en-us...ding-and-ldap-signing-requirement-for-windows

    So this is a reasonably big deal for SMBs - because most of them don't know how to spell PKI, let alone implement and manage it. But the long and short of it is, if you connect to AD to perform lookups, you will need to do it over SSL/TLS come Patch Tuesday Jan 2020.

    This will likely have impacts on people's MFDs, firewalls that provide VPN, etc, etc.

    It's a good change, and makes millsy happy in the pants, but a whole bunch of SMB is going to get confused here.
     
    qwertylesh, Dilbery, Hive and 5 others like this.
  2. BAK

    BAK Member

    Joined:
    Jan 7, 2005
    Messages:
    1,072
    Location:
    MornPen, VIC
    Pfft, we've all done that.

    I'm a bit out of the loop when it comes to certificate stuff, does this change mean that each org (/AD owner) will need to purchase/generate a root certificate and use that to "sign" their LDAP connections?
     
  3. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    59,408
    Location:
    brisbane
    2020, that's ages away.
     
  4. looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    24,717
    my friend doesn't really have much experience with certificate stuff.
    Can someone explain it to him?
     
    chook likes this.
  5. BAK

    BAK Member

    Joined:
    Jan 7, 2005
    Messages:
    1,072
    Location:
    MornPen, VIC
    Hi Friend
     
    NSanity likes this.
  6. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    59,408
    Location:
    brisbane
    ??

     
    Hive, 2SHY and BAK like this.
  7. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,183
    Location:
    Brisbane
    How to discover clients that do not use the "Require signing" option
    Clients that rely on unsigned SASL (Negotiate, Kerberos, NTLM, or Digest) LDAP binds or on LDAP simple binds over a non-SSL/TLS connection stop working after you make this configuration change. To help identify these clients, the directory server logs a summary event 2887 one time every 24 hours to indicate how many such binds occurred. We recommend that you configure these clients not to use such binds. After no such events are observed for an extended period, we recommend that you configure the server to reject such binds.

    If you must have more information to identify such clients, you can configure the directory server to provide more detailed logs. This additional logging will log an event 2889 when a client tries to make an unsigned LDAP bind. The logging displays the IP address of the client and the identity that the client tried to use to authenticate. You can enable this additional logging by setting the LDAP Interface Events diagnostic setting to 2 (Basic). For more information about how to change the diagnostic settings, go to the following Microsoft website:
    http://go.microsoft.com/?linkid=9645087
    If the directory server is configured to reject unsigned SASL LDAP binds or LDAP simple binds over a non-SSL/TLS connection, the directory server will log a summary event 2888 one time every 24 hours when such bind attempts occur.

    Might help you identify clients and, if required, reach out to various vendors to ask what the plan is.
     
    qwertylesh likes this.
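    One way to turn the 2887 daily counters into a list of clients and identities to chase, as an added example that is not from the thread or from Microsoft's article. It is run on a DC as an administrator; the order of the 2889 event's data fields (client ip:port, identity, binding type) is an assumption you should confirm against one event on your own DC.

```powershell
# Added example: find the clients behind unsigned / cleartext LDAP binds on this DC.
# Run locally on a domain controller as an admin. Assumes 2889 EventData order is
# (client ip:port, identity, binding type); check one event in Event Viewer first.
param(
    [int]$Days = 7,
    [switch]$EnableLogging   # sets "16 LDAP Interface Events" = 2 (Basic) so 2889 gets written
)

if ($EnableLogging) {
    # Documented NTDS diagnostics value; set it back to 0 once you have your client list.
    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
        -Name '16 LDAP Interface Events' -Value 2 -Type DWord
}

$since = (Get-Date).AddDays(-$Days)

# 2887: one summary per 24h carrying the two counters looktall pasted above.
Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2887; StartTime = $since } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, @{ n = 'Summary'; e = { ($_.Message -split "`r?`n" | Where-Object { $_ -match 'Number of' }) -join '; ' } }

# 2889: one event per offending bind, with who and from where (needs the diagnostic above).
$binds = Get-WinEvent -FilterHashtable @{ LogName = 'Directory Service'; Id = 2889; StartTime = $since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        $endpoint = [string]$_.Properties[0].Value            # e.g. 10.0.0.5:49152 or [fe80::1]:49152
        $cut = $endpoint.LastIndexOf(':')                     # strip the port; safe for IPv6 literals
        [pscustomobject]@{
            Client   = if ($cut -gt 0) { $endpoint.Substring(0, $cut) } else { $endpoint }
            Identity = [string]$_.Properties[1].Value
            BindType = switch ([string]$_.Properties[2].Value) {
                '0'     { 'Unsigned SASL (Negotiate/Kerberos/NTLM/Digest)' }
                '1'     { 'Simple bind without SSL/TLS' }
                default { "Unknown ($_)" }
            }
        }
    }

# Roll up to one line per client / identity / bind type so you know which vendor to call.
$binds | Group-Object Client, Identity, BindType | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Client / Identity / BindType'; e = { $_.Name } } |
    Format-Table -AutoSize
```

    Run it with -EnableLogging once, wait a day or so for the devices to bind again, then run it without the switch to read the results.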
  8. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    37,500
    Location:
    Brisbane
    January 2020: Python 2 EOL, Win7 EOL, Server2008R2 EOL, LDAP non-TLS EOL.

    Gonna be one hell of a party.

    (In b4 "security updates broke our business; disable all security updates!")
     
    Last edited: Sep 12, 2019
    2SHY and NSanity like this.
  9. power

    power Member

    Joined:
    Apr 20, 2002
    Messages:
    59,408
    Location:
    brisbane
    but it wasn't broken!
     
    elvis likes this.
  10. looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    24,717
    Number of simple binds performed without SSL/TLS: 364379
    Number of Negotiate/Kerberos/NTLM/Digest binds performed without signing: 16800

    :tired:
     
    NSanity and elvis like this.
  11. NSanity (OP)

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,680
    Location:
    Canberra
    At a high level: stand up an enterprise root CA, loop it into AD, export the public cert for your root, and then import that into the trusted store of said device trying to do LDAP lookups.

    Now, because you have an enterprise root CA, it will automatically issue certs to the DCs and they will start using those. Also, it should just distribute your root cert to every domain-joined device via GPO. Because you uploaded the public root CA cert to your device, it now trusts the DC is who it says it is.

    In reality, there are a few more things you should consider in terms of PKI design, lifecycle, hierarchy, etc.: SHA-2 signing, subjectAltName vs commonName and a bunch of other shit.

    Phone dudes who do lookups against small ad domains are fucked. I super feel for you.
     
    Last edited: Sep 12, 2019
    BAK likes this.
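    A check for the end of that procedure, as an added example that is not from the thread: export the enterprise root from a domain-joined box for hand-import into the printer or firewall, then do a real TLS handshake to a DC on 636 and report what certificate it presents and whether the name, chain and validity pass. The DC name and root CA subject are placeholders you must change.

```powershell
# Added example: verify a DC is ready for LDAPS and export the root CA cert for non-domain devices.
# $Dc and $RootSubject are placeholders; run on a domain-joined Windows machine.
param(
    [string]$Dc = 'dc01.corp.example',           # placeholder DC FQDN (use the name clients will connect to)
    [string]$RootSubject = 'CN=Corp Root CA',    # placeholder subject of your enterprise root
    [string]$ExportPath = "$env:TEMP\corp-root-ca.cer"
)

# 1. The root should already be in LocalMachine\Root via GPO / AD publication on a domain-joined
#    machine; export it in DER form for the devices that need a manual import.
$root = Get-ChildItem Cert:\LocalMachine\Root | Where-Object Subject -eq $RootSubject | Select-Object -First 1
if (-not $root) { throw "Root '$RootSubject' is not in LocalMachine\Root; was it published to AD / pushed by GPO?" }
Export-Certificate -Cert $root -FilePath $ExportPath -Type CERT | Out-Null
"Exported root CA ($($root.Thumbprint)) to $ExportPath"

# 2. Real TLS handshake to 636. The callback records the validation result instead of aborting,
#    so a failing cert still gets reported rather than just throwing.
$script:policyErrors = $null
$callback = [System.Net.Security.RemoteCertificateValidationCallback]{
    param($sender, $cert, $chain, $errors) $script:policyErrors = $errors; $true
}
$tcp = New-Object System.Net.Sockets.TcpClient($Dc, 636)
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
try {
    $ssl.AuthenticateAsClient($Dc)     # hostname check is against the FQDN you pass here
    $protocol = $ssl.SslProtocol
    $dcCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
} finally {
    $ssl.Dispose(); $tcp.Dispose()
}

# SAN matters more than CN for modern clients, so show it explicitly.
$sanExt = $dcCert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
$san = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

[pscustomobject]@{
    Server       = $Dc
    Protocol     = $protocol
    Subject      = $dcCert.Subject
    Issuer       = $dcCert.Issuer
    NotAfter     = $dcCert.NotAfter
    SAN          = $san
    ChainsToRoot = $dcCert.Verify()        # builds the chain against this machine's trust stores
    PolicyErrors = $script:policyErrors    # 'None' means name, chain and validity all passed
}
```

    Any PolicyErrors other than None, or ChainsToRoot = False, is what a printer or VPN appliance will also see once it is pointed at 636, so fix it on the DC side first.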
  12. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,183
    Location:
    Brisbane
    So are printers that use LDAP.
     
    freaky_beeky and NSanity like this.
  13. looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    24,717
    .local :)
     
  14. NSanity (OP)

    NSanity Member

    Joined:
    Mar 11, 2002
    Messages:
    17,680
    Location:
    Canberra
    It's a private CA, who cares
     
  15. elvis

    elvis Old school old fool

    Joined:
    Jun 27, 2001
    Messages:
    37,500
    Location:
    Brisbane
    Imma sell me some Samba4 appliances to SMB for a small fortune. Cha-ching!
     
    phrosty-boi and Hive like this.
  16. chook

    chook Member

    Joined:
    Apr 9, 2002
    Messages:
    1,272
    Makes me think of all the customers for whom I have installed their software solutions and recommended they use this for the queries we send to their DC, only to be told that it is too hard. Looking forward to getting paid to go back and do it properly next year.
     
  17. Gunna

    Gunna Member

    Joined:
    Dec 25, 2001
    Messages:
    7,183
    Location:
    Brisbane
    If the device doesn't support the import of a cert for LDAP then you're shit out of luck, is the way I read it. Worse still if you don't have a CA on site either...
     
  18. looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    24,717
    I can't find a live CA in our domain.
    We have some recently expired self-signed certs on internal websites, so we appear to have had one at some point, but I think it may have been in a domain that was recently shut down, so I'm probably looking for the wrong server.
    Anyway, this isn't within my skillset or job description to fix.
    I've put this notice in front of the right people at my place, what happens from there is up to them.

    Edit: I did take a quick look at some of our print devices and there's a section for importing certs.
     
    qwertylesh likes this.
  19. freaky_beeky

    freaky_beeky Member

    Joined:
    Dec 2, 2004
    Messages:
    1,144
    Location:
    Brisbane
    FYI a "self-signed cert" doesn't require PKI, you can just create one, (hence self-signed).

    e.g. PowerShell:
    Code:
    PS C:\> New-SelfSignedCertificate -DnsName "www.fabrikam.com", "www.contoso.com" -CertStoreLocation "cert:\LocalMachine\My"
    
     
  20. looktall

    looktall Working Class Doughnut

    Joined:
    Sep 17, 2001
    Messages:
    24,717
    It might not be self-signed. I just assumed as much.
    In the certification path, the certificate came from a server which has a naming scheme that matches our servers (and appears to be a CA based on that name), but that server doesn't exist in the domain.
     
