2020 LDAP channel binding and LDAP signing requirement for Windows

Find more details in my blog for Altaro.

In summer 2019 Microsoft announced an update scheduled for January 2020 that would change the default behavior of domain controllers with regards to the security of LDAP communications. After this change, domain controllers will reject insecure LDAP communications regarding LDAP signing and LDAP Channel binding. To quote Microsoft:

…reject Simple Authentication and Security Layer (SASL) LDAP binds that do not request signing (integrity verification) or to reject LDAP simple binds that are performed on a clear text (non-SSL/TLS-encrypted) connection.

The change has been delayed to March 2020 to wait after the 2019 holidays. Many administrators restrict configuration changes during the holiday season and they needed to give them more time to prepare and test…

EDIT 14/02/2020:

Microsoft pushed the date to later in 2020 in an updated advisory ADV190023 stating that:

…The Updates in March 2020 add new audit events, additional logging, and a remapping of Group Policy values that will enable hardening LDAP Channel Binding and LDAP Signing. The March 2020 updates do not make changes to LDAP signing or channel binding policies or their registry equivalent on new or existing domain controllers.

The change that will enable LDAP signing and channel binding on domain controllers configured with default values is now scheduled for ‘the second half of calendar year 2020’.

vCenter

If your identity sources are configured as “Active Directory (Windows integrated)” or “LDAPS” you don’t need to change anything.

If you have an identity source configured with “simple” LDAP you will face failed logins after the update. You need to enable LDAPS. To enable LDAPS you will need the certificates of the domain controllers, the procedure is described here.

Horizon

The VDI solution is compatible with the update so nothing to do here. However you need to ensure that Horizon connects to vCenter using a secure identity source, otherwise the vCenter object will be in red in the Horizon manager health pane.

App Volumes

EDIT 03/02/2020:

As I observed in my lab, App Volumes is not compatible with Channel binding as of version 2.18. See KB77093. VMware is working on a fix, in the meantime it is recommended by VMware to set the registry key LdapEnforceChannelBinding to 0.

Like with vCenter, you need to enable LDAPS or TLS encryption in the AD domain pane. Otherwise you will also fail to connect to it using domain credentials. Find the procedure to enable LDAPS here. Note that it is recommended to enable certificate verification but it will still work without it.

Other software

This does not only affect VMware but any solution that talks with a Windows domain controller. Microsoft explains here who to identify who in your network is making insecure communications.