https://live.paloaltonetworks.com/t5/general-topics/unsigned-ldap/m-p/309910#M80272 <P>if you were to choose to enable ldap you'd need to enable ssl (tls) and use port 636</P><P>since you're using kerberos, nothing changes</P> Thu, 06 Feb 2020 21:52:45 GMT reaper 2020-02-06T21:52:45Z https://live.paloaltonetworks.com/t5/general-topics/unsigned-ldap/m-p/309572#M80214 <P>Hi,</P><P>As we know&nbsp;Microsoft is going to disable use of unsigned LDAP port 389 in March 2020.</P><P>Fortunately I don't have LDAP profile on my PA firewall but I have Kerberos. Will there be any impact ?&nbsp;and do I have to change it ?</P><P>&nbsp;</P><P>Thank you</P><P>Konrad</P> Wed, 05 Feb 2020 14:40:34 GMT https://live.paloaltonetworks.com/t5/general-topics/unsigned-ldap/m-p/309572#M80214 KonradPolakowski_OCD 2020-02-05T14:40:34Z https://live.paloaltonetworks.com/t5/general-topics/unsigned-ldap/m-p/309910#M80272 <P>if you were to choose to enable ldap you'd need to enable ssl (tls) and use port 636</P><P>since you're using kerberos, nothing changes</P> Thu, 06 Feb 2020 21:52:45 GMT https://live.paloaltonetworks.com/t5/general-topics/unsigned-ldap/m-p/309910#M80272 reaper 2020-02-06T21:52:45Z https://live.paloaltonetworks.com/t5/general-topics/unsigned-ldap/m-p/310812#M80485 <P>Hey Konrad,</P><P>&nbsp;</P><P><SPAN>For this one, you'll want to go to your Windows Servers, go to Start &gt; type Event Viewer, and find the Event ID 2886 + 2889 events. To see the 2889 events, you'll need to turn on a certain logging level for Event ID 2889, and then find the Event ID 2889 events in Event Viewer.</SPAN><BR /><BR /><SPAN>Any Event ID 2889 events in Event Viewer on Windows Server you see indicate that some device in your organization/network is performing LDAP bindings to the LDAP Server via a SASL bind without requesting signing or is performing simple binding over clear text.</SPAN></P><P>&nbsp;</P><P><SPAN>Here's how to turn on logging for and find the 2889 events:</SPAN></P><P><SPAN><A href="https://docs.microsoft.com/en-us/archive/blogs/russellt/identifying-clear-text-ldap-binds-to-your-dcs" target="_blank" rel="noopener">https://docs.microsoft.com/en-us/archive/blogs/russellt/identifying-clear-text-ldap-binds-to-your-dcs</A></SPAN></P><P><SPAN>Example of that Event ID 2889 at 2:40 in below video:<BR /><A href="https://www.youtube.com/watch?v=rijhmYIzwwg" target="_blank" rel="noopener">https://www.youtube.com/watch?v=rijhmYIzwwg</A></SPAN></P><P>&nbsp;</P><P><SPAN>So, if you see a 2889 Event ID which shows your Firewall is trying to connect to the Windows Server using an unsigned/simple bind, then you will want to implement LDAPS on your Firewall and Windows Server:</SPAN></P><P><SPAN><A href="https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFVCA0" target="_blank">https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFVCA0</A></SPAN></P><P>&nbsp;</P><P><SPAN>Event ID 2886 will also help you identify how many things total in your environment are binding to your LDAP using unsecured/simple/unsigned bindings.</SPAN></P><P>&nbsp;</P><P>In case you need them for further investigation/guidance, here is the general info put out by Microsoft for the upcoming March 2020 change from LDAP to LDAPS or secure LDAP:</P><P><A href="https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows" target="_blank">https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows</A></P><P><A href="https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023" target="_blank">https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023</A></P> Wed, 12 Feb 2020 15:12:20 GMT https://live.paloaltonetworks.com/t5/general-topics/unsigned-ldap/m-p/310812#M80485 chadley 2020-02-12T15:12:20Z