iX Information Library

A one-stop shop for product information.

Technical Library Doc: Microsoft LDAP defaults 2020

LDAP channel binding and LDAP signing provide ways to increase the security of network communications between an Active Directory Domain Services (AD DS) or an Active Directory Lightweight Directory Services (AD LDS) and its clients. There is a vulnerability in the default configuration for Lightweight Directory Access Protocol (LDAP) channel binding and LDAP signing and may expose Active directory domain controllers to elevation of privilege vulnerabilities. “ – Microsoft

Beginning in March 2020, Microsoft has enabled LDAP channel binding and LDAP signing support by default in these products:

  • Windows Server 2008 SP2
  • Windows 7 SP1
  • Windows Server 2008 R2 SP1
  • Windows Server 2012
  • Windows 8.1
  • Windows Server 2012 R2
  • Windows 10 1507
  • Windows Server 2016
  • Windows 10 1607
  • Windows 10 1703
  • Windows 10 1709
  • Windows 10 1803
  • Windows 10 1809
  • Windows Server 2019
  • Windows 10 1903
  • Windows 10 1909

This change impacts LDAP communication between the FreeNAS or TrueNAS server and the Domain Controllers in the Active Directory domain. This could cause interruption or connection lost between FreeNAS or TrueNAS and the Active Directory. Specifically, any Windows system from the above list that installs the March 2020 update can see this default behavior:

  • Channel binding information must be provided from the Windows client to the server.
  • Domain Controllers require signing
  • Servers and clients require signing

For more details about this change to Windows, please see Microsoft’s article about LDAP Channel Binding and LDAP Signing Requirements.

This Microsoft change to the default behavior has been addressed in the upcoming 11.2-U8 release, and has already been addressed in the FreeNAS 11.3-Release. The methods of communicating with the Domain Controller now use strong authentication. The strong authentication methods are either SSL-encrypted transport or signed sasl_gssapi bind (Kerberos).

It is strongly recommended that all TrueNAS and FreeNAS systems that use LDAP and/or Active Directory are updated to 11.3-RELEASE or 11.2-U8. This will prevent the new Windows security defaults from disrupting your Active Directory connectivity.

iXsystems values privacy for all visitors. Learn more about how we use cookies and how you can control them by reading our Privacy Policy.