LDAP Channel binding & signing

Our VPN users authenticate against the Active Directory.
Since Microsoft is enforcing LDAP Channel binding and signing shortly, I found Event 2889 for the VPN users. This indicates they are using simple authentication.
Does Firebox support LDAP Channel binding & signing? How can I activate?

Answers

  • You can select LDAPS on your XTM AD settings.
    I believe that this addresses this issue.

  • LDAP signing and LDAPS are different.
    LDAPS requires certificates. Using it entails a slew of changes (CA etc.).
    Activating LDAPS in AD settings leads to authentication failure.
  • edited October 2020

    LDAP signing is not supported.
    If you do not want to install ADCS, even though it is cool for a lot of other stuff, you can add a self signed certificate. Then restart the NTDS service to have LDAPS on that domain controller.

    I use the few lines of powershell below to add and trust the certificate (had to remove my comments, my hashtags screwed with the formatting here):

    # Resolve the DC's FQDN and use it as the certificate subject and SAN
    $DNSName = [System.Net.Dns]::GetHostByName($env:computerName).hostname;$DNSName
    # Create the self-signed server certificate in the machine store (the store LDAPS reads from)
    $NewCert = New-SelfSignedCertificate -Subject $DNSName -DnsName $DNSName -NotAfter (Get-Date).AddYears(5) -KeyUsage DigitalSignature, KeyEncipherment -Type SSLServerAuthentication -FriendlyName "SelfSigned $DNSName" -CertStoreLocation Cert:\LocalMachine\My

    # Export the public part so it can be imported wherever the DC's certificate must be trusted
    If (-not (Test-Path c:\Temp)) {md c:\Temp}
    Export-Certificate -Cert cert:\LocalMachine\My\$($NewCert.Thumbprint) -FilePath C:\Temp\ldaps.cer

    # Trust it in the machine's Trusted Root store; afterwards restart the NTDS service as described above
    Import-Certificate -FilePath C:\Temp\ldaps.cer -CertStoreLocation Cert:\LocalMachine\Root
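As an added example (not code from the thread), the PowerShell below summarises the Event 2889 entries mentioned in the question so you can see which clients and bind accounts still use simple or unsigned binds before signing is enforced, and confirm afterwards that the VPN account has moved to LDAPS. It assumes the DC's LDAP interface diagnostics level is already raised to 2 and that the event's fields follow the order of its message text (client address, identity, binding type).

```powershell
# Added example: summarise Event 2889 on a domain controller to list clients and
# accounts still binding without signing (e.g. the Firebox VPN bind account).
# Prerequisite (assumed already done): LDAP interface event logging raised to 2,
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' `
#       -Name '16 LDAP Interface Events' -Value 2
param(
    [string]$DomainController = $env:COMPUTERNAME,
    [int]$Days = 7
)

$since  = (Get-Date).AddDays(-$Days)
$events = Get-WinEvent -ComputerName $DomainController -ErrorAction SilentlyContinue -FilterHashtable @{
    LogName   = 'Directory Service'
    Id        = 2889
    StartTime = $since
}

if (-not $events) {
    Write-Host "No Event 2889 on $DomainController since $since (check that diagnostics level 2 is set)."
    return
}

$rows = foreach ($e in $events) {
    # Field order assumed from the 2889 message: client address, identity, binding type
    $client   = [string]$e.Properties[0].Value -replace ':\d+$', ''   # strip the source port
    $identity = [string]$e.Properties[1].Value
    $bindType = switch ([string]$e.Properties[2].Value) {
        '0'     { 'Simple bind over clear-text LDAP' }
        '1'     { 'SASL bind without signing' }
        default { "Unknown binding type $_" }
    }
    [pscustomobject]@{ Client = $client; Identity = $identity; BindType = $bindType }
}

# One line per (client, identity, bind type) with a count: these are the binds
# that will fail once signing is enforced and need LDAPS or signed SASL instead.
$rows | Group-Object Client, Identity, BindType | Sort-Object Count -Descending |
    Select-Object Count,
        @{ Name = 'Client';   Expression = { $_.Group[0].Client } },
        @{ Name = 'Identity'; Expression = { $_.Group[0].Identity } },
        @{ Name = 'BindType'; Expression = { $_.Group[0].BindType } } |
    Format-Table -AutoSize
```

Run it on each DC (or pass `-DomainController`) since 2889 is logged only where the bind landed.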
