[ZendTo] News — Microsoft enforcing LDAPS for AD servers

Martin Hepworth maxsec at gmail.com
Fri Feb 14 08:06:59 GMT 2020


FYI, looks like MS have pushed this back to the second half of the year:
https://isc.sans.edu/forums/diary/Authmageddon+deferred+but+not+averted+Microsoft+LDAP+Changes+now+slated+for+Q3Q4+2020/25800/


Martin

On Thu, 13 Feb 2020 at 22:38, Scott Silva via ZendTo <zendto at zend.to> wrote:

> Ran openssl s_client -connect your-AD-server-here.example.com:636 (fixing
> the actual name).
> On my spamfilter Linux box that DOES work, I see a bunch of root
> certificates loaded on the system...
> I wonder if that is one of the issues; it doesn't seem to work on the
> CentOS ZendTo box.
> The working system is Debian, I believe...
>
>
>
> From: ZendTo <zendto-bounces at zend.to> On Behalf Of Jules Field via ZendTo
> Sent: Wednesday, February 12, 2020 7:24 AM
> To: ZendTo Users <zendto at zend.to>
> Cc: Jules Field <Jules at Zend.To>
> Subject: Re: [ZendTo] News — Microsoft enforcing LDAPS for AD servers
>
> Karl,
>
> Given that it was a could-not-connect-at-all issue, then it's most likely
> either
> a) incoming firewall on the AD server not listening on the correct LDAPS
> ports (636/tcp IIRC),
> or
> b) the SSL/TLS handshake between the ZendTo server and the AD Server is
> failing. This is most often caused by people using locally-signed certs on
> their AD servers, at which point the ZendTo server will need to be given a
> copy of the Root CA cert for your locally-signed certs. Just like you would
> need to give it to a web browser in order to avoid the errors when you
> browse to a website which is signed with a locally-signed cert.
>
> A good command to test the SSL/TLS handshake from your ZendTo server is
> this:
>
>     openssl s_client -connect your-AD-server-here.example.com:636
>
> That should print out all sorts of nice looking things and not any error
> messages. When it's stopped outputting, just Ctrl-C it.
>
> Cheers,
> Jules.
> On 10/02/2020 17:47, Karl Bundy via ZendTo wrote:
> I also am running RedHat7/CentOS7 and having the same issue.  Nothing
> seems to output any helpful logs to help troubleshoot the source of the
> issue (cert issue, missing packages, etc.)  Any suggestions would be
> appreciated!
>
> Thanks,
>
> Karl Bundy
>
> -----Original Message-----
> From: ZendTo <zendto-bounces at zend.to> On Behalf Of Scott Silva via
> ZendTo
> Sent: Monday, February 10, 2020 10:38 AM
> To: 'ZendTo Users' <zendto at zend.to>
> Cc: Scott Silva <ssilva at sgvwater.com>
> Subject: Re: [ZendTo] News — Microsoft enforcing LDAPS for AD servers
>
> Running on Redhat 7
>
> Made changes to /etc/openldap/ldap.conf
> Made changes to preferences.php
> Get login error
>         LDAP Error
>         Check User: Unable to connect to any of the authentication
> servers; could not authenticate user. Please notify the system
> administrator.
>         Authentication Error
>         The username or password was incorrect.
> Found I did not have gnutls installed, and thought it might be required.
> Not sure how else to test...
> Maybe a list of packages that might be required?
>
>
>
> From: ZendTo <zendto-bounces at zend.to> On Behalf Of Jules via ZendTo
> Sent: Saturday, February 8, 2020 9:29 AM
> To: ZendTo Users <zendto at zend.to>
> Cc: Jules <Jules at Zend.To>
> Subject: [ZendTo] News — Microsoft enforcing LDAPS for AD servers
>
> Microsoft are about to enforce the use of LDAPS (removing unencrypted
> LDAP) when checking user credentials against an AD server.
>
> This needs a couple of minor changes to your ZendTo server.
>
> I have written up some simple instructions here
>     https://zend.to/activedirectory.php
> which certainly appear to work for me.
>
> I strongly advise you make the changes and test the resulting service
> before Microsoft release the patch that enforces the need for this. It
> should cause no harm except to improve the security of communications
> between ZendTo and your AD server.
>
> Any comments / problems / questions, please do let me know straightaway!
>
> Cheers,
>
> Jules
>
> --
> Julian Field MEng CEng CITP MBCS MIEEE MACM
>
> The current UK shipping forecast:
> Irish Sea: Southwest 4 or 5, becoming cyclonic 6 to gale 8, then north 4
> to 6.
> Slight or moderate, occasionally rough in south. Rain. Good, occasionally
> poor.
>
> http://www.Zend.To
> Twitter: @JulesFM
> _______________________________________________
> ZendTo mailing list
> ZendTo at zend.to
> http://jul.es/mailman/listinfo/zendto
>
>
> Jules
>
> --
> Julian Field MEng CEng CITP MBCS MIEEE MACM
>
> 'A good programmer is someone who always looks both ways
>  before crossing a one-way street.' - Doug Linder
>
> http://www.Zend.To
> Twitter: @JulesFM
>
-- 
Martin Hepworth, CISSP
Oxford, UK
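Jules's handshake test quoted above, turned into a small script that sorts the result of `openssl s_client` into the two failure modes he lists (nothing reachable on 636/tcp versus a TLS/certificate-trust failure). This is an added example, not code from the thread or from ZendTo; it assumes the usual OpenSSL s_client output wording, and the AD host name and Root CA file path are placeholders you supply.

```shell
# Added example, not code from the thread or from ZendTo: classify the
# output of "openssl s_client -connect <ad-server>:636 [-CAfile <root-ca.pem>]"
# into the two failure modes described above, (a) nothing reachable on
# 636/tcp and (b) a failed TLS handshake, plus a verified-OK result.

# classify_s_client reads s_client output (stdout+stderr) on stdin and prints
# one of: CONNECT_FAIL, TRUST_FAIL, HANDSHAKE_FAIL, OK, UNKNOWN.
classify_s_client() {
    out=$(cat)
    case "$out" in
        # (a) firewall, wrong port, or AD not listening on 636/tcp
        *"Connection refused"*|*"connect:errno="*|*"No route to host"*|*"Connection timed out"*)
            echo CONNECT_FAIL ;;
        # handshake completed and the chain verified against the local trust store
        *"Verify return code: 0 (ok)"*)
            echo OK ;;
        # (b) chain not trusted: install the Root CA cert of the locally-signed
        # AD cert on the ZendTo box (or pass it with -CAfile); do not ignore it
        *"unable to get local issuer certificate"*|*"self signed certificate"*|*"self-signed certificate"*|*"Verify return code:"*)
            echo TRUST_FAIL ;;
        # (b) TLS negotiation itself failed (protocol/cipher mismatch, TLS alert)
        *"handshake failure"*|*"wrong version number"*|*"alert"*)
            echo HANDSHAKE_FAIL ;;
        *)  echo UNKNOWN ;;
    esac
}

# check_ldaps HOST [CAFILE]: run the test without having to Ctrl-C it
# (stdin from /dev/null makes s_client exit once the handshake is done).
check_ldaps() {
    if [ -n "$2" ]; then
        openssl s_client -connect "$1:636" -CAfile "$2" </dev/null 2>&1 | classify_s_client
    else
        openssl s_client -connect "$1:636" </dev/null 2>&1 | classify_s_client
    fi
}

# Constructed (abridged) s_client output for the untrusted-cert case, so the
# classifier can be exercised offline: self_test returns 0 when it is TRUST_FAIL.
SAMPLE_SELF_SIGNED='CONNECTED(00000003)
depth=0 CN = dc1.example.com
verify error:num=18:self signed certificate
---
Verify return code: 18 (self signed certificate)'
self_test() {
    [ "$(printf '%s\n' "$SAMPLE_SELF_SIGNED" | classify_s_client)" = TRUST_FAIL ]
}
```

Run `check_ldaps your-AD-server-here.example.com /path/to/root-ca.pem` on the ZendTo box; a TRUST_FAIL with no CA file given that turns into OK once the Root CA is passed confirms it is the locally-signed-cert case rather than the firewall.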