Microsoft has announced that it will implement a change that enables LDAP channel binding and LDAP signing by default. Technical details and background information are described in the Microsoft articles linked below.
- Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
- 2020 LDAP channel binding and LDAP signing requirement for Windows
- LDAP Channel Binding and LDAP Signing Requirements – March update default behavior
This change is being implemented by Microsoft in the second half of calendar year 2020, and will improve the security of authentication requests to a Windows LDAP server (in most cases Domain Controllers), as well as reduce the likelihood of successful man-in-the-middle attacks.
What is the impact of this change?
If a secure, encrypted TLS connection to Active Directory is not used, you will be impacted. The change to require LDAP signing will cause any LDAP bind operation that is unsigned, or that is performed over a clear-text (non-SSL/TLS) connection, to fail.
What can you do?
Administrators can prevent the feature update from making these changes either by enabling LDAP signing and channel binding now, or by configuring non-default values before installing the updates that enable LDAP signing and channel binding by default. In all cases, however, the LDAP connection settings on devices or in software applications may need to be reconfigured.
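Before enforcing the new defaults, the practical question is which clients still perform the binds that will break. As an added example (not part of Microsoft's guidance or this article), the Python script below builds that inventory by parsing the Directory Service Event ID 2889 messages a domain controller writes for unsigned SASL binds and clear-text simple binds; the event ID, its field labels and the Binding Type values are taken from Microsoft's documentation of that event rather than from this page, and the sample messages are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: the field section of three Event ID 2889 messages,
# as exported from the Directory Service log. Real messages start with a
# longer explanatory sentence; only the labelled fields are parsed here.
SAMPLE_EVENTS = [
    "Client IP address:\n10.0.0.5:49233\n"
    "Identity the client attempted to authenticate as:\nCONTOSO\\svc-app\n"
    "Binding Type:\n1",
    "Client IP address:\n10.0.0.5:49240\n"
    "Identity the client attempted to authenticate as:\nCONTOSO\\svc-app\n"
    "Binding Type:\n1",
    "Client IP address:\n10.0.2.17:61002\n"
    "Identity the client attempted to authenticate as:\nCONTOSO\\printer01$\n"
    "Binding Type:\n0",
]

# Binding Type values as Microsoft documents them for Event 2889.
# Both kinds of bind fail once LDAP signing is required.
BINDING_TYPE = {"0": "SASL bind without signing",
                "1": "simple bind over clear text"}

FIELDS = (("Client IP address:", "client"),
          ("Identity the client attempted to authenticate as:", "identity"),
          ("Binding Type:", "binding_type"))


def parse_event(message: str) -> dict:
    """Extract client IP, identity and binding type from one 2889 message."""
    lines = [ln.strip() for ln in message.splitlines() if ln.strip()]
    fields = {}
    for label, key in FIELDS:
        fields[key] = lines[lines.index(label) + 1]  # value follows its label
    # Drop the ephemeral source port (IPv4 "ip:port" form) to group by host.
    ip = re.sub(r":\d+$", "", fields["client"])
    return {"ip": ip, "identity": fields["identity"],
            "kind": BINDING_TYPE[fields["binding_type"]]}


def inventory(messages) -> dict:
    """Count insecure binds per (client IP, identity) and per bind kind."""
    counts = defaultdict(lambda: defaultdict(int))
    for msg in messages:
        ev = parse_event(msg)
        counts[(ev["ip"], ev["identity"])][ev["kind"]] += 1
    return {key: dict(kinds) for key, kinds in counts.items()}


def report(messages) -> list:
    """One line per client/identity/bind kind, sorted for review."""
    return [f"{ip:<15} {ident:<22} {n:>3}x {kind}"
            for (ip, ident), kinds in sorted(inventory(messages).items())
            for kind, n in sorted(kinds.items())]


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_EVENTS)))
```

Event 2889 is only written when the domain controller's LDAP Interface Events diagnostic logging level has been raised; the periodic 2887 summary event reports only a count, without identifying the clients.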