Support for March 2020 LDAP channel binding and LDAP signing requirement for Windows

In March 2020, Microsoft released a security update that adds additional audit events, logging, and a remapping of Group Policy values to help organizations identify and address insecure LDAP communications.


According to Microsoft, this update will not enable LDAP Signing or Channel Binding by default:

“Important: The March 10, 2020 updates, and updates in the foreseeable future, will not change LDAP signing or LDAP channel binding default policies or their registry equivalent on new or existing Active Directory domain controllers.”


Numecent recommends enabling the security settings defined in the update to harden security, but all supported Cloudpaging Server versions at the time of this writing (Cloudpaging Server 9.0.6 and up) will support the new update with no changes needed to the Cloudpaging Server environment.


If you enable the security settings and turn on the Domain controller: LDAP server signing requirements Group Policy, the Cloudpaging Server must use LDAPS to connect to Active Directory. If LDAPS cannot be used in your environment, the Domain controller: LDAP server signing requirements Group Policy must be set to default or disabled for Cloudpaging Server’s Enterprise Portal to authenticate with Active Directory.


Important: If the Domain controller: LDAP server signing requirements Group Policy is enabled, an LDAPS URL must be defined in the Enterprise Portal’s Active Directory Configuration under the LDAP URL configuration setting (example: ldaps://domaincontroller.domain.com).
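
Before enabling the policy, it helps to confirm that the value you plan to enter as the LDAP URL is actually reachable over LDAPS and presents a certificate that validates for that host name. The following PowerShell check is an added example, not Numecent or Microsoft code. The function name Test-LdapsUrl is hypothetical, the default URL is the placeholder from this article, and the check uses the Windows certificate store of the machine it runs on, which is assumed to be the Cloudpaging Server host.

```powershell
# Added example: pre-flight check for the Enterprise Portal "LDAP URL" value.
# The default URL is the article's placeholder; pass your own with -LdapUrl.
param(
    [string]$LdapUrl = 'ldaps://domaincontroller.domain.com'
)

function Test-LdapsUrl {
    param([Parameter(Mandatory)][string]$Url)

    $uri = [System.Uri]$Url
    if ($uri.Scheme -ne 'ldaps') {
        throw "LDAP URL scheme is '$($uri.Scheme)'; an ldaps:// URL is needed when the signing policy is enabled."
    }

    # System.Uri has no default port for ldaps, so fall back to 636 when none is given.
    $port = if ($uri.Port -gt 0) { $uri.Port } else { 636 }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($uri.Host, $port)

        # Default validation: the chain must build to a trusted root and the
        # certificate name must match the host used in the URL.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        try {
            $ssl.AuthenticateAsClient($uri.Host)   # throws if validation fails
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

            [pscustomobject]@{
                Host     = $uri.Host
                Port     = $port
                Protocol = $ssl.SslProtocol
                Subject  = $cert.Subject
                NotAfter = $cert.NotAfter
                DaysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
            }
        }
        finally { $ssl.Dispose() }
    }
    finally { $client.Close() }
}

Test-LdapsUrl -Url $LdapUrl
```

A connection or authentication exception here means LDAPS is not usable with that host name from this machine, and it should be resolved before the signing requirement is turned on.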


Cloudpaging Server versions prior to Cloudpaging Server 9.3 have not been thoroughly tested on complex AD environments with the Domain controller: LDAP server signing requirements Group Policy enabled; therefore, deployments involving multiple domains and child domains should use Cloudpaging Server 9.3.0 or later releases.


NOTE: The information provided is based on the security advisory provided by Microsoft at the time of writing. Please regularly check the following security advisory link from Microsoft on what is changing in the March 2020 update and beyond: https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows