LDAP Channel binding & signing
Our VPN users authenticate against Active Directory.
Since Microsoft will shortly be enforcing LDAP channel binding and signing, I checked and found Event 2889 for the VPN users. This indicates they are using simple authentication.
Does the Firebox support LDAP channel binding and signing? How can I activate it?
Answers
You can select LDAPS on your XTM AD settings.
I believe that this addresses this issue.
LDAPS requires certificates. Using it entails a slew of changes (CA etc.).
Activating LDAPS in AD settings leads to authentication failure.
LDAP signing is not supported.
If you do not want to install ADCS, even though it is cool for a lot of other stuff, you can add a self-signed certificate. Then restart the NTDS service to have LDAPS on that domain controller.
I use the few lines of PowerShell below to add and trust the certificate (had to remove my comments; my hashtags screwed with the formatting here):
# FQDN of this domain controller; the LDAPS certificate's subject and SAN must match the name clients connect to
$DNSName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName; $DNSName
# Create the certificate directly in the machine store: Schannel/LDAPS only looks in LocalMachine\My,
# and without -CertStoreLocation the cmdlet defaults to CurrentUser\My, so the Export below would not find it
$NewCert = New-SelfSignedCertificate -Subject $DNSName -DnsName $DNSName -NotAfter (Get-Date).AddYears(5) -KeyUsage DigitalSignature, KeyEncipherment -Type SSLServerAuthentication -FriendlyName "SelfSigned $DNSName" -CertStoreLocation Cert:\LocalMachine\My
If (-not (Test-Path C:\Temp)) { New-Item -ItemType Directory -Path C:\Temp | Out-Null }
# Export only the public certificate (no private key) and trust it in the local Root store;
# the same .cer is what a client such as the Firebox has to trust
Export-Certificate -Cert $NewCert -FilePath C:\Temp\ldaps.cer
Import-Certificate -FilePath C:\Temp\ldaps.cer -CertStoreLocation Cert:\LocalMachine\Root
# AD DS picks the new certificate up when the directory service restarts (this also restarts dependent services)
Restart-Service NTDS -Force
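Two checks that go with the answer above, as an added example that is not part of the original post or of WatchGuard's or Microsoft's own tooling: first a simple bind over LDAPS (TCP 636) that pins the presented certificate to the self-signed one in the DC's machine store, then a summary of Event 2889 showing which clients still bind insecurely. It assumes it runs on the domain controller (or another domain-joined host that trusts the DC's certificate), that the "16 LDAP Interface Events" diagnostic level has been raised to 2 so Event 2889 is written at all, and that the Firebox's address (`$FireboxIp`) is a placeholder you replace. The regexes parse the wording of the Event 2889 message as Microsoft currently emits it; that wording is an assumption, not something the page documents.

```powershell
# Added example, not code from the original post. $FireboxIp is a placeholder (assumed).
$Dc        = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$FireboxIp = '192.0.2.10'

# --- 1. Does LDAPS answer on 636, and is it the certificate we installed? ---
Add-Type -AssemblyName System.DirectoryServices.Protocols
# Newest certificate in the machine store whose subject is this DC's FQDN
$Expected = (Get-ChildItem Cert:\LocalMachine\My |
             Where-Object { $_.Subject -eq "CN=$Dc" } |
             Sort-Object NotAfter -Descending | Select-Object -First 1).Thumbprint

$id   = New-Object System.DirectoryServices.Protocols.LdapDirectoryIdentifier($Dc, 636)
$ldap = New-Object System.DirectoryServices.Protocols.LdapConnection($id)
$ldap.SessionOptions.SecureSocketLayer = $true
$ldap.SessionOptions.ProtocolVersion   = 3
# Pin the server certificate instead of silently accepting whatever the listener presents
$ldap.SessionOptions.VerifyServerCertificate = {
    param($conn, $cert)
    $seen = $cert.GetCertHashString()
    Write-Host "Server presented thumbprint $seen (expected $Expected)"
    return ($seen -eq $Expected)
}
# A simple (clear-text password) bind, which is what produces Event 2889 when done on port 389,
# is only acceptable inside TLS
$ldap.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
$ldap.Credential = (Get-Credential -Message 'Account the Firebox binds with').GetNetworkCredential()
try {
    $ldap.Bind()
    Write-Host "LDAPS simple bind to ${Dc}:636 succeeded"
} catch {
    Write-Host "LDAPS bind failed: $($_.Exception.Message)"
} finally {
    $ldap.Dispose()
}

# --- 2. Who still performs clear-text simple binds or unsigned SASL binds? ---
# Event 2889 lives in the Directory Service log and is only written when
# HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics\"16 LDAP Interface Events" is 2.
$events = Get-WinEvent -LogName 'Directory Service' -FilterXPath '*[System[EventID=2889]]' `
                       -MaxEvents 2000 -ErrorAction SilentlyContinue
$binds = foreach ($e in $events) {
    $m = $e.Message
    [pscustomobject]@{
        Time     = $e.TimeCreated
        Client   = if ($m -match 'Client IP address:\s*(\S+)') { $Matches[1] } else { '?' }
        Identity = if ($m -match 'authenticate as:\s*(\S.*?)\s*Binding Type') { $Matches[1] } else { '?' }
        # Binding Type 0 = simple bind over clear text, 1 = SASL bind without signing
        BindType = if ($m -match 'Binding Type:\s*(\d)') { $Matches[1] } else { '?' }
    }
}
$binds | Group-Object Client, BindType | Sort-Object Count -Descending |
    Select-Object Count, Name | Format-Table -AutoSize

# Anything from the Firebox still arriving as type 0 means its LDAP settings are not yet using LDAPS
$binds | Where-Object { $_.Client -like "${FireboxIp}:*" -and $_.BindType -eq '0' } |
    Select-Object -First 5 Time, Client, Identity
```

The pinning callback matters with a self-signed certificate: there is no CA to vouch for it, so the only thing stopping a man-in-the-middle from presenting its own certificate is that the client compares the thumbprint it sees with the one it expects. Once the Firebox has been switched to LDAPS and trusts the exported `.cer`, the type 0 entries from its address should stop appearing in the second section; entries that keep appearing after the switch are the clients Microsoft's enforcement will break.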