“LDAP channel binding and LDAP signing provide ways to increase the security of network communications between an Active Directory Domain Services (AD DS) or an Active Directory Lightweight Directory Services (AD LDS) and its clients. There is a vulnerability in the default configuration for Lightweight Directory Access Protocol (LDAP) channel binding and LDAP signing that may expose Active Directory domain controllers to elevation of privilege vulnerabilities.” – Microsoft
Beginning with its March 2020 updates, Microsoft enables LDAP channel binding and LDAP signing by default in these products:
This change affects LDAP communication between a FreeNAS or TrueNAS server and the domain controllers of its Active Directory domain, and can interrupt or break the connection between FreeNAS or TrueNAS and Active Directory. Specifically, any Windows system from the above list that installs the March 2020 update shows this default behavior:
For more details about this change to Windows, please see Microsoft’s article about LDAP Channel Binding and LDAP Signing Requirements.
This change to Microsoft's defaults is addressed in the upcoming 11.2-U8 release and has already been addressed in FreeNAS 11.3-RELEASE. Communication with the Domain Controller now uses strong authentication: either SSL/TLS-encrypted transport or a signed SASL GSSAPI (Kerberos) bind. A clear-text simple bind, which can never be signed, is exactly what a domain controller that requires LDAP signing rejects; both of these methods satisfy that requirement.
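To make the distinction concrete, here is an added example (not code from this article or from FreeNAS/TrueNAS) that encodes the two kinds of LDAP BindRequest with a minimal BER encoder, decodes them the way a domain controller or a packet capture tool would, and reports whether each can satisfy a "Require signing" policy on the given transport. The DN, password, and GSSAPI token bytes are constructed placeholders; the `transport` argument stands in for whether the connection is clear-text `ldap://` or TLS `ldaps://`, which is not visible in the BindRequest itself.

```python
"""Classify LDAP BindRequest messages (RFC 4511) as simple or SASL binds.

Added example for this article, not FreeNAS/TrueNAS code.  A simple bind on
clear-text ldap:// has no integrity layer and is rejected by a DC that
requires signing; a SASL GSSAPI (Kerberos) bind can negotiate signing.
All sample values below are constructed here so the file runs offline.
"""

SEQUENCE, INTEGER, OCTET_STRING = 0x30, 0x02, 0x04
BIND_REQUEST = 0x60   # [APPLICATION 0] constructed
AUTH_SIMPLE = 0x80    # simple [0] OCTET STRING
AUTH_SASL = 0xA3      # sasl [3] SaslCredentials SEQUENCE


def ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def tlv(tag: int, value: bytes) -> bytes:
    return bytes([tag]) + ber_len(len(value)) + value


def ber_int(n: int) -> bytes:
    """Non-negative INTEGER; an extra leading byte keeps the sign bit clear."""
    return tlv(INTEGER, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big"))


def bind_request(msg_id: int, dn: str, auth: bytes) -> bytes:
    """LDAPMessage { messageID, BindRequest { version 3, name, authentication } }."""
    op = ber_int(3) + tlv(OCTET_STRING, dn.encode()) + auth
    return tlv(SEQUENCE, ber_int(msg_id) + tlv(BIND_REQUEST, op))


def simple_auth(password: str) -> bytes:
    return tlv(AUTH_SIMPLE, password.encode())


def sasl_auth(mechanism: str, credentials: bytes) -> bytes:
    """SaslCredentials { mechanism LDAPString, credentials OCTET STRING }."""
    return tlv(AUTH_SASL, tlv(OCTET_STRING, mechanism.encode())
               + tlv(OCTET_STRING, credentials))


def read_tlv(buf: bytes, pos: int):
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def classify_bind(message: bytes, transport: str = "ldap") -> dict:
    """Decode one BindRequest and judge it against 'LDAP server signing
    requirements = Require signing'.  transport is "ldap" (clear text, 389)
    or "ldaps" (TLS, 636); the BindRequest itself does not carry this."""
    tag, ldap_msg, _ = read_tlv(message, 0)
    if tag != SEQUENCE:
        raise ValueError("not an LDAPMessage")
    _, msg_id, pos = read_tlv(ldap_msg, 0)
    op_tag, op, _ = read_tlv(ldap_msg, pos)
    if op_tag != BIND_REQUEST:
        raise ValueError("protocolOp is not a BindRequest")
    _, version, pos = read_tlv(op, 0)
    _, name, pos = read_tlv(op, pos)
    auth_tag, auth, _ = read_tlv(op, pos)

    info = {"message_id": int.from_bytes(msg_id, "big"),
            "version": int.from_bytes(version, "big"),
            "name": name.decode(), "transport": transport}
    if auth_tag == AUTH_SIMPLE:
        # The password travels as a plain OCTET STRING and nothing signs the
        # session afterwards, so only TLS makes this acceptable to the DC.
        info.update(method="simple", mechanism=None,
                    password_in_clear=(transport != "ldaps"),
                    can_satisfy_require_signing=(transport == "ldaps"))
    elif auth_tag == AUTH_SASL:
        _, mech, _ = read_tlv(auth, 0)
        # GSSAPI (Kerberos) negotiates its own signing/sealing, which is what
        # a signing-required DC expects on clear-text ldap://.
        info.update(method="sasl", mechanism=mech.decode(),
                    password_in_clear=False, can_satisfy_require_signing=True)
    else:
        raise ValueError(f"unknown AuthenticationChoice tag 0x{auth_tag:02x}")
    return info


# Constructed samples: a clear-text simple bind of the kind the new defaults
# reject, and a Kerberos bind whose 200 dummy token bytes also exercise the
# BER long-form length encoding.
SAMPLE_SIMPLE_BIND = bind_request(
    1, "CN=truenas,CN=Users,DC=example,DC=com", simple_auth("Passw0rd!"))
SAMPLE_GSSAPI_BIND = bind_request(2, "", sasl_auth("GSSAPI", bytes(range(200))))

if __name__ == "__main__":
    for sample in (SAMPLE_SIMPLE_BIND, SAMPLE_GSSAPI_BIND):
        print(classify_bind(sample, "ldap"))
```

The same distinction can be seen live from a FreeNAS/TrueNAS shell with OpenLDAP's `ldapsearch`: a simple bind on clear text (`ldapsearch -x -H ldap://dc.example.com -D "CN=truenas,CN=Users,DC=example,DC=com" -W -b "" -s base`) fails against a signing-required domain controller with result code 8, "Strong(er) authentication required", while the same query over `ldaps://` or with a Kerberos ticket and `-Y GSSAPI` succeeds.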
It is strongly recommended that all TrueNAS and FreeNAS systems that use LDAP or Active Directory be updated to 11.3-RELEASE or 11.2-U8, so that the new Windows security defaults do not disrupt Active Directory connectivity.