unsigned LDAP

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

unsigned LDAP

Hi,

As we know Microsoft is going to disable use of unsigned LDAP port 389 in March 2020.

Fortunately I don't have LDAP profile on my PA firewall but I have Kerberos. Will there be any impact ? and do I have to change it ?

 

Thank you

Konrad

1 accepted solution

Accepted Solutions

L0 Member

Hey Konrad,

 

For this one, you'll want to go to your Windows Servers, go to Start > type Event Viewer, and find the Event ID 2886 + 2889 events. To see the 2889 events, you'll need to turn on a certain logging level for Event ID 2889, and then find the Event ID 2889 events in Event Viewer.

Any Event ID 2889 events in Event Viewer on Windows Server you see indicate that some device in your organization/network is performing LDAP bindings to the LDAP Server via a SASL bind without requesting signing or is performing simple binding over clear text.

 

Here's how to turn on logging for and find the 2889 events:

https://docs.microsoft.com/en-us/archive/blogs/russellt/identifying-clear-text-ldap-binds-to-your-dc...

Example of that Event ID 2889 at 2:40 in below video:
https://www.youtube.com/watch?v=rijhmYIzwwg

 

So, if you see a 2889 Event ID which shows your Firewall is trying to connect to the Windows Server using an unsigned/simple bind, then you will want to implement LDAPS on your Firewall and Windows Server:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFVCA0

 

Event ID 2886 will also help you identify how many things total in your environment are binding to your LDAP using unsecured/simple/unsigned bindings.

 

In case you need them for further investigation/guidance, here is the general info put out by Microsoft for the upcoming March 2020 change from LDAP to LDAPS or secure LDAP:

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirem...

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

View solution in original post

2 REPLIES 2

Cyber Elite
Cyber Elite

if you were to choose to enable ldap you'd need to enable ssl (tls) and use port 636

since you're using kerberos, nothing changes

Tom Piens
PANgurus - Strata specialist; config reviews, policy optimization

L0 Member

Hey Konrad,

 

For this one, you'll want to go to your Windows Servers, go to Start > type Event Viewer, and find the Event ID 2886 + 2889 events. To see the 2889 events, you'll need to turn on a certain logging level for Event ID 2889, and then find the Event ID 2889 events in Event Viewer.

Any Event ID 2889 events in Event Viewer on Windows Server you see indicate that some device in your organization/network is performing LDAP bindings to the LDAP Server via a SASL bind without requesting signing or is performing simple binding over clear text.

 

Here's how to turn on logging for and find the 2889 events:

https://docs.microsoft.com/en-us/archive/blogs/russellt/identifying-clear-text-ldap-binds-to-your-dc...

Example of that Event ID 2889 at 2:40 in below video:
https://www.youtube.com/watch?v=rijhmYIzwwg

 

So, if you see a 2889 Event ID which shows your Firewall is trying to connect to the Windows Server using an unsigned/simple bind, then you will want to implement LDAPS on your Firewall and Windows Server:

https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFVCA0

 

Event ID 2886 will also help you identify how many things total in your environment are binding to your LDAP using unsecured/simple/unsigned bindings.

 

In case you need them for further investigation/guidance, here is the general info put out by Microsoft for the upcoming March 2020 change from LDAP to LDAPS or secure LDAP:

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirem...

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

  • 1 accepted solution
  • 4073 Views
  • 2 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!