02-05-2020 06:40 AM
Hi,
As we know, Microsoft is going to disable the use of unsigned LDAP on port 389 in March 2020.
Fortunately I don't have an LDAP profile on my PA firewall, but I have Kerberos. Will there be any impact? And do I have to change it?
Thank you
Konrad
02-12-2020 07:12 AM
Hey Konrad,
For this one, you'll want to go to your Windows Servers, go to Start > type Event Viewer, and find the Event ID 2886 + 2889 events. To see the 2889 events, you'll need to turn on a certain logging level for Event ID 2889, and then find the Event ID 2889 events in Event Viewer.
Any Event ID 2889 events in Event Viewer on Windows Server you see indicate that some device in your organization/network is performing LDAP bindings to the LDAP Server via a SASL bind without requesting signing or is performing simple binding over clear text.
Here's how to turn on logging for and find the 2889 events:
Example of that Event ID 2889 at 2:40 in the video below:
https://www.youtube.com/watch?v=rijhmYIzwwg
So, if you see a 2889 Event ID which shows your Firewall is trying to connect to the Windows Server using an unsigned/simple bind, then you will want to implement LDAPS on your Firewall and Windows Server:
https://knowledgebase.paloaltonetworks.com/KCSArticleDetail?id=kA10g000000ClFVCA0
Event ID 2886 will also help you identify how many things total in your environment are binding to your LDAP using unsecured/simple/unsigned bindings.
In case you need them for further investigation/guidance, here is the general info put out by Microsoft for the upcoming March 2020 change from LDAP to LDAPS or secure LDAP:
https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
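As an added example (not from the reply above or from Palo Alto Networks), the PowerShell below turns on the diagnostic level that produces Event ID 2889 on a domain controller and then summarises the 2886/2889 events by client address and identity, so a firewall doing unsigned or simple binds shows up as one line. It assumes it runs as an administrator on the DC and that the 2889 event data fields are ordered client address, identity (the field order is assumed from the event's XML).

```powershell
# Added example, not part of the original thread.
# Assumes: run elevated on a domain controller. The "16 LDAP Interface Events"
# diagnostic value and the "Directory Service" log follow Microsoft's guidance;
# the 2889 event data field order (address, identity) is assumed.

# 1. Raise LDAP Interface Events to level 2 so that 2889 events are written.
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
Set-ItemProperty -Path $diag -Name '16 LDAP Interface Events' -Value 2 -Type DWord

# 2. Pull the daily summary (2886) and the per-bind events (2889) from the
#    last 7 days. 2886 tells you signing is not yet enforced on this DC.
$since  = (Get-Date).AddDays(-7)
$filter = @{ LogName = 'Directory Service'; Id = 2886, 2889; StartTime = $since }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

if ($events | Where-Object Id -eq 2886) {
    Write-Host 'Event 2886 present: LDAP signing is not enforced on this DC.'
}

# 3. Turn each 2889 event into (client IP, identity). The client address is
#    "IP:port"; trimming at the last colon also handles IPv6 literals.
$binds = $events | Where-Object Id -eq 2889 | ForEach-Object {
    $addr = [string]$_.Properties[0].Value
    [pscustomobject]@{
        TimeCreated = $_.TimeCreated
        ClientIP    = $addr.Substring(0, $addr.LastIndexOf(':'))
        Identity    = [string]$_.Properties[1].Value
    }
}

# 4. Count unsigned/simple binds per client and identity, most frequent first.
#    A firewall's management IP appearing here means its LDAP profile needs LDAPS.
$binds | Group-Object ClientIP, Identity | Sort-Object Count -Descending |
    Select-Object Count, @{ n = 'Client (IP, Identity)'; e = { $_.Name } } |
    Format-Table -AutoSize
```

The summary is empty until clients actually bind after the diagnostic level is raised, so leave the setting on for at least a day before reading it.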
02-06-2020 01:52 PM
If you were to choose to enable LDAP, you'd need to enable SSL (TLS) and use port 636.
Since you're using Kerberos, nothing changes.