2020 LDAP channel binding and LDAP signing & LANSweeper

tylerlindberg2 · ‎02-28-2020

We currently use LANSweeper that’s integrated with Active Directory, I wanted to check with you guys regarding the recent changes and push to LDAPS as regards to (https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows).

Will the above change effect LANSweeper? Even if it does not, how can we migrate to Secure LDAP (LDAPS), if it's not being used.

grimstar · ‎03-18-2020

This shouldn't be considered a customer wish list item, it should just be done.

The current guidance from Microsoft is open ended. They originally planned on enforcing this protocol change in March, but after feedback from the community, simply made it available with the comment that more information would be provided later in the year. It still stands to reason that Microsoft will enforce this change at a later date. If you don't have the change in place at that time, you'll find that your company is having a very bad day because someone wanted to wishlist this item instead of adding it to a more concrete list of necessary implementations.

Bruce_B · ‎03-18-2020

RKCar wrote:
This shouldn't be considered a customer wish list item, it should just be done.

The current guidance from Microsoft is open ended. They originally planned on enforcing this protocol change in March, but after feedback from the community, simply made it available with the comment that more information would be provided later in the year. It still stands to reason that Microsoft will enforce this change at a later date. If you don't have the change in place at that time, you'll find that your company is having a very bad day because someone wanted to wishlist this item instead of adding it to a more concrete list of necessary implementations.

The change that was originally to be pushed this March and was pushed to a later date did not yet involve enforcing LDAPS. The security patch involved setting CBT to an intermediate level and disabling simple binding. Neither of these directly affect the current functionality of Lansweeper.

That said, we are investigating implementing LDAPS support. It's of course in our own best interest as well as our customer's to ensure Lansweeper supports AD scanning going forward, even when LDAP is phased out.

ErikT · ‎03-18-2020

LDAPS is currently not yet supported so we will add it to our customer wishlist as a feature request. Features on the customer wishlist are prioritized based on a combination of customer demand and difficulty to implement. As such we can unfortunately not guarantee this will be implemented nor provide you with an expected release date.

Considering you are requesting this in the context of the March security updates as announced by Microsoft, we've performed tests on these changes. We can report that Lansweeper AD scanning, authentication through the web console and web console AD lookups all remain functional after applying the changes and are unaffected.

A bit more detail on the Microsoft security changes:

A registry change is made to enable the usage of Channel Binding Tokens (CBT), this will be set to the intermediate level (1), which enables their usage but does still allow clients that cannot provide CBT to set up connections.
https://support.microsoft.com/en-us/help/4034879/how-to-add-the-ldapenforcechannelbinding-registry-entry
2 policy changes are made, which disable simple binding.
https://support.microsoft.com/en-us/help/935834/how-to-enable-ldap-signing-in-windows-server-2008
These changes will not enforce LDAPS, Lansweeper for now only supports LDAP (389)

Goldstar · ‎03-10-2020

Hi, I have the same question.

2020 LDAP channel binding and LDAP signing & LANSweeper

General Discussions

New to Lansweeper?

Try Lansweeper For Free