Site icon BLOGS

ADV190023 – Enable LDAPS in Windows DC and Citrix ADC

by Manuel Winkel, CTA

Important Info:
The scheduled update (ADV190023), regarding LDAP Signing and Channel Binding for new and existing domain controllers, scheduled for March 10, 2020, has been postponed to the second half of calendar year 2020. The March 2020 update will only provide additional auditing capabilities to identify and configure LDAP systems before they become inaccessible with the later update.


The later update results in no more connections to the domain controller, via unsigned / Clear Text LDAP on port 389.
Then it is only possible to use either LDAPS via port 636 or Signed LDAP (StartTLS) on port 389.


Affected Domain Controller Versions


Affected LDAP Clients

The topic concerns not only the Microsoft environment, but all systems that serve as LDAP client and send LDAP requests. The following is a small list of systems that occurred to me:

Some manufacturers, e.g. IGEL, have already reacted and it is now possible to switch the connection to LDAPS via the GUI of the UMS console.


How can I check if unsigned LDAP is used?

The first step to determine if the environment is affected by the transition, is to scan the event logs on the Active Directory server for event IDs 2886, 2887 and 2888. After installing the March updates, the event IDs 3039, 3040 and 3041 still point to unsecured LDAP traffic. All event IDs can be found under Applications and Services Logs / Directory Service.

This is checked manually on all DCs or by the script entered below, which performs the manual steps for you.


LDAP signing events

Following are the event logs regarding LDAP signing.

  Description Trigger
2886 The security of these domain controllers can be significantly improved by configuring the server to enforce validation of LDAP signing. Triggered every 24 hours, on startup or start of service if the Group Policy is set to None. Minimum Logging Level: 0 or higher
2887 The security of these domain controllers can be improved by configuring them to reject simple LDAP bind requests and other bind requests that do not include LDAP signing. Triggered every 24 hours when Group Policy is set to None and at least one unprotected bind was completed. Minimum Logging Level: 0 or higher
2888 The security of these domain controllers can be improved by configuring them to reject simple LDAP bind requests and other bind requests that do not include LDAP signing. Triggered every 24 hours when Group Policy is set to Require Signing and at least one unprotected bind was rejected. Minimum Logging Level: 0 or higher
2889 The security of these domain controllers can be improved by configuring them to reject simple LDAP bind requests and other bind requests that do not include LDAP signing. Triggered when a client does not use signing for binds on sessions on port 389. Minimum Logging Level: 2 or higher


If event 2886 is present on a domain controller, this indicates that signed LDAP is not forced by the DCs and it is possible to perform a simple (Clear Text) LDAP binding over an unencrypted connection. The security option “Domain controller: LDAP server signing requirements” is then configured to “None“.


The next checkpoint is event 2887, this event ID occurs every 24 hours and reports how many unsigned and clear text connections to the DC have occurred.


If the Active Directory servers are configured to reject unsigned or simple LDAP connections over a non-SSL/TLS connection, the Active Directory servers log these attempts and write a summary to the event log every 24 hours under event ID 2888.


Changes with March Update

Important:
The March 10, 2020 updates do not change the default policies for LDAP signing or LDAP channel binding on new or existing Active Directory domain controllers.

It only adds the following functions:


LDAP Channel Binding events

Following are the new events that will be released with the March update.

Event Description Trigger
3039 The following client performed an LDAP bind over SSL/TLS and failed the LDAP channel binding token validation. Triggered when a client attempts to bind without valid CBT. Minimum logging level: 2

Note Event can only be generated when Channel Binding is set to When Supported or Always
3040 During the previous 24 hour period, # of unprotected LDAPs binds were performed. Triggered every 24 hours when CBT Group Policy is set to Never and at least one unprotected bind was completed. Minimum logging level: 0
3041 The security of this directory server can be significantly improved by configuring the server to enforce validation of LDAP channel binding tokens. Triggered every 24 hours, on startup or start of service if the CBT Group Policy is set to Never. Minimum logging level: 0


Activation LDAP Event Diagnostic Logging

With the event IDs mentioned above we only get the information that we still receive Clear Text LDAP requests to the domain controller, but not who is sending them. To change this we can increase the log level on our domain controller to see who requested the Clear Text LDAP connection (Event ID 2889).


Enable LDAP Event Diagnostic Logging

Copy the bottom line into a REG file and execute it on the DC. No restart is required.

# Enable Simple LDAP Bind Logging
Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2


Disable LDAP Event Diagnostic Logging

Copy the bottom line into a REG file and execute it on the DC to disable it again.

# Disable Simple LDAP Bind Logging.
Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 0

Note:
It may be necessary to replace the double quotation marks after copying and pasting.

After activation of the extended log level, an event with the ID 2889 is created for each access via Clear Text LDAP (under Applications and Services Logs / Directory Service). These events contain which IP addresses and which user accounts have established this connection.

PowerShell script for testing the DCs

To make it easier to check the environment, I have adapted the following PowerShell scripts by Arne Tiedemann to the Microsoft March Updates.

Only the event entries are counted and you will not get any further information from this file!

To get more information, like user account or IP address of the LDAP client, you have to execute the script ActiveDirectory-LDAPInterfaceEventLogging.ps1

The script will detect if you have run one of the two available scripts in the last 15 minutes and would not search all DCs for the known events again.


It uses the created InsecureLDAPCount.csv file to identify the affected DCs and, based on the list, starts the increased log level for 30 minutes on the DCs. As a result, you will get a detailed list for each affected DC with the following information.

DomainController – LDAP Client IP-Address – Port – User – BindType

If the increased log level should not run for 30 minutes, the time can be adjusted with the following parameters.

.\ActiveDirectory-LDAPInterfaceEventLogging.ps1 -Runtime "Minutes"

Action plan for ADV190023

  1. Install the March Windows Updates
  2. Check environment automatically via script or with the following manual steps
    • Configure LDAP Event Diagnostic Logging to 2 or higher
    • Monitor the event log under Applications and Services Logs / Directory Service on all domain controllers
      • LDAP Signing failure event 2887
      • LDAP Channel Binding failure event 3040

        Note:
        Event 3039 can only be generated if Channel Binding is set to When Supported or Always.
  3. Identify the devices for each IP address named at Event 2887 (unsigned LDAP) or Event 3039 (no LDAP Channel Binding)
  4. Enable LDAPS on domain controller (Signed LDAP is always accepted and should not be set to Required in the phase)
  5. Enable LDAPS or Signed LDAP (StartTLS) on the mentioned devices

Activation LDAPS & Signed LDAP (StartTLS) on DC

Short guide to enable LDAPS & Signed LDAP (StartTLS) on your domain controllers.

Method 1

The first method is the simplest:
The DC automatically accept LDAPS & Signed LDAP (StartTLS) if a Microsoft Enterprise Root CA is installed on a domain controller. If the Active Directory Certificate Services (AD CS) role is installed and the type of CA setup on the DC is specified as “Enterprise”, all DCs in the overall structure are automatically configured to accept both.

Note:
Although it’s generally a good thing to have a CA in the organization, placement on the DC is not a good idea overall.

Method 2

In most cases a certificate is used where the root CA is not located on a DC. So the second method is to simply put a certificate (Server Authentication enabled) on each DC.

Important
:
Remember that regardless of which CA is used to obtain this certificate, both the DCs and the systems running the LDAP client application must trust this certificate.


Note
:
For a Windows Server 2008 / R2 / 2012 DC, the certificate must be imported into the AD DS Personal Store (NTDS\Personal).
For older servers (older than 2003 R2) the certificate must be imported into the Computer Personal Store.
For Windows Server 2016 & 2019 both methods work.


Requirements


Publication of a compatible Certificate Template

We need a certificate template that supports Server Authentication and has an Exportable private key.

It is not necessary to use the Web Server template. You can create your own template or use one of the other existing templates that have server authentication as their purpose.

Note:
If the certificate template is to be used for wildcards, Supply in the request must be selected here

Requesting a Server Authentication Certificate

For LDAPS we can use either a SAN certificate or a Wildcard certificate. Both types of certificates must be created with Server Authentication permission. Follow these instruction for either SAN certificate or Wildcard certificate.


Request SAN Certificate

Perform these steps for each domain controller.

Request Wildcard Certificate

If a load balancer (e.g. Citrix ADC) is used in front of the domain controllers, not every DC has to receive its own certificate. Only the load balancer needs a certificate (e.g. Wildcard certificate), which is then imported and accepted on all DCs.


This only need to be done once for all DCs.

Export the LDAPS certificate

The following steps show how to export an LDAPS-enabled certificate from the local certificate store of a domain controller. The following steps apply to Wildcard and SAN certificates.



Import for use with AD DS

The certificate must now be imported into the certificate store of the Active Directory Domain Services (NTDS\Personal). This step must be performed for each domain controller that is to provide LDAPS. These certificates must be manually renewed when they expire. The following steps apply to Wildcard and SAN certificates.

Note:
The following steps must be performed on Windows Server 2008 / R2 / 2012 DCs.
For Windows Server 2016 & 2019 the following steps are optional.



Checking the connections

After installing a certificate, perform the following steps to verify that LDAPS and Signed LDAP (StartTLS) are working.






Check without certificate

For test cases you can delete the imported certificate from the DC again or connect against a DC without certificate. There you can try to establish the same connections.





Configure Citrix ADC

As mentioned above, the Citrix ADC with its DC connections may be affected by the upcoming change. Therefore here is a short instruction to change the required settings in the Citrix ADC.

Requirements

Authentication LDAPS Server









Another advantage of switching to LDAPS is that the user can change his password independently.


CLI Command

set authentication ldapAction <Authentication Server Name> -serverIP <Authentication Server IP> -serverPort 636 -secType SSL

Example:
set authentication ldapAction 10.0.0.4_LDAP -serverIP 10.0.0.4 -serverPort 636 -secType SSL


Authentication Signed LDAP (StartTLS) Server





If the firewalls are not to be adjusted, Signed LDAP (StartTLS) can also be used in the Citrix ADC.




CLI Command

set authentication ldapAction <Authentication Server Name> -serverIP <Authentication Server IP> -serverPort 389 -secType TLS

Example:
set authentication ldapAction 10.0.0.4_LDAP -serverIP 10.0.0.4 -serverPort 389 -secType TLS


Load Balanced LDAPS Server

TCP or SSL_TCP can be selected as Load Balancing Protocol for LDAPS. SSL_TCP is recommended for higher compatibility (e.g. with Linux appliances) (SSL termination is done on the Citrix ADC).

For existing LDAP load balancing, the following must be recreated for LDAPS:


Configuration LDAPS Monitor


CLI Command

add lb monitor <Monitor Name> -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password <Password für Bind DN Benutzer> -secure YES -baseDN "<Base DN Pfad>" -bindDN "<Service Account für Connect>" -filter cn=builtin

Example:
add lb monitor LDAPS -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password Password1 -secure YES -baseDN "dc=deyda,dc=local" -bindDN "service_ldap@deyda.local" -filter cn=builtin


Configuration of the LDAPS Service Group













CLI Command

add serviceGroup <Service Group Name> SSL_TCP
bind serviceGroup <Service Group Name> <Server Name> 636
bind serviceGroup <Service Group Name> <Server Name> 636
bind serviceGroup <Service Group Name> -monitorName <Monitor Name>

Example:
add serviceGroup LDAPS-svc_group SSL_TCP
bind serviceGroup LDAPS-svc_group 10.0.0.4 636
bind serviceGroup LDAPS-svc_group 10.0.0.5 636
bind serviceGroup LDAPS-svc_group -monitorName LDAPS


Configuration of the LDAPS virtual Server










CLI Command

add lb vserver <Load Balancing Name> SSL_TCP <Load Balancing IP Adresse> 636 -persistenceType NONE -cltTimeout 9000 bind lb vserver <Load Balancing Name> <Service Group Name>

Example:
add lb vserver LDAPS-LB SSL_TCP 10.0.0.200 636 -persistenceType NONE -cltTimeout 9000 bind lb vserver LDAPS-LB LDAPS-svc_group


Configuration of the LDAPS Authentication Server







Another advantage of switching to LDAPS is that the user can change his password independently.


CLI Command

set authentication ldapAction <Authentication Server Name> -serverIP <Load Balancing IP Adresse> -serverPort 636 -secType SSL

Example:
set authentication ldapAction 10.0.0.4_LDAP -serverIP 10.0.0.200 -serverPort 636 -secType SSL


Load Balanced Signed LDAP (StartTLS)

If the firewalls should not be changed, Signed LDAP (StartTLS) should be used in the Citrix ADC. Nothing need to be adjusted in the load balancing chain for this, because port 389 is still used.








CLI Command

set authentication ldapAction <Authentication Server Name> -serverIP <Load Balancing IP Adresse> -serverPort 389 -secType TLS

Example:
set authentication ldapAction 10.0.0.4_LDAP -serverIP 10.0.0.200 -serverPort 389 -secType TLS

You can visit me on my website: https://www.deyda.net or follow me on twitter: Manuel Winkel.

Exit mobile version