The change in the defaults for LDAP Channel Binding and LDAP Signing Requirements originally announced by Microsoft for March 2020 has been postponed. AEB is advising customers who operate an AEB Engine, such as for Trade Compliance Management or Carrier Connect, in their own data center with an LDAP connection of this upcoming change. Once the new defaults are enforced, plain LDAP (TCP 389) will no longer work. AEB recommends that these customers change from LDAP to LDAPS. As a customer in the AEB data center, you do not need to take any action.
Update autumn 2021
Microsoft does not currently plan to enable LDAP channel binding and LDAP signing requirements (LDAPS) by default through a patch on Active Directory servers, nor does it plan to do so in the foreseeable future.
However, Microsoft still recommends that administrators configure LDAP signing and LDAP channel binding as described in its advisory. Please also read: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023.
For security reasons, AEB recommends that all customers who operate an AEB Engine in their own data center and who use a configured LDAP connection within this AEB product take the opportunity now and change LDAP access to LDAPS (TCP 636 SSL).
As an administrator, make the following settings in the AEB Engine:
- Open your AEB Engine. You must have administrator rights.
- In the Office, go to Administration – Connection settings – X.509 Certificates.
- Import your available certificate. You only need to import the certificate into the AEB Engine. You do not need to import the certificate on the server.
- In the Office, go to User administration – Access rights – LDAP settings.
- Click Open to open the stored LDAP host entry.
- In the Host field, enter the host name of your domain controller.
- In the Port field, enter "636".
- Check the Use SSL box.
- Test the LDAP connection by clicking Test connection.
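Before importing the certificate and running the Test connection step above, it helps to confirm from a Windows host that the domain controller actually answers on TCP 636 and to see which certificate it presents. The following PowerShell script is an added example, not part of AEB's notice or product; the domain controller name is an assumed placeholder that you replace with your own.

```powershell
# Added example (not AEB's or Microsoft's code): connects to a domain controller
# over LDAPS, reports the TLS protocol and server certificate, and checks the
# details the AEB Engine will rely on (host name in the SAN, expiry, trust chain).
param(
    [string]$DomainController = "dc01.example.local",   # placeholder, replace with your DC
    [int]$Port = 636                                    # LDAPS port from the notice
)

$client = [System.Net.Sockets.TcpClient]::new()
try {
    $client.Connect($DomainController, $Port)

    # Accept any certificate for the handshake so that we can inspect it;
    # the explicit checks in the result object say whether it is acceptable.
    $ssl = [System.Net.Security.SslStream]::new(
        $client.GetStream(), $false,
        { param($sender, $cert, $chain, $errors) $true })
    $ssl.AuthenticateAsClient($DomainController)

    $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)

    [PSCustomObject]@{
        Host         = $DomainController
        Port         = $Port
        TlsProtocol  = $ssl.SslProtocol
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        Expired      = ($cert.NotAfter -lt (Get-Date))
        # The DC host name entered in the AEB Engine must appear in the SAN,
        # otherwise the LDAPS client rejects the certificate.
        SanHasHost   = ($cert.DnsNameList.Unicode -contains $DomainController)
        # True only if this machine trusts the issuing CA; the AEB Engine needs
        # the same certificate (or its CA) imported under X.509 Certificates.
        ChainTrusted = $cert.Verify()
    }
}
catch {
    Write-Error "LDAPS connection to ${DomainController}:${Port} failed: $($_.Exception.Message)"
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $client.Dispose()
}
```

If SanHasHost is false, use the host name that does appear in the certificate in the Host field, or issue a certificate that covers the name you intend to use.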