The change in the defaults for LDAP channel binding and LDAP signing requirements that Microsoft originally announced for March 2020 has been postponed by Microsoft. AEB is informing customers who operate an AEB Engine, such as for Trade Compliance Management or Carrier Connect, in their own data center with LDAP about this upcoming change. Once it takes effect, plain LDAP (TCP 389) will no longer work. AEB recommends that these customers switch from LDAP to LDAPS. Customers hosted in the AEB data center do not need to take any action.
Microsoft plans to enable LDAP channel binding and LDAP signing requirements by default through a patch on Active Directory servers in the second half of 2020; for clients, this means switching to LDAPS.
After the patch is installed, it will no longer be possible to communicate with Active Directory through a simple bind on port TCP 389; this prevents passwords from being transmitted in clear text. Communication will then take place only encrypted via port TCP 636 (SSL/TLS).
Please also read: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023.
For security reasons, AEB recommends that all customers who operate an AEB Engine in their own data center and use an LDAP connection configured within this AEB product use this time to change LDAP access to LDAPS (TCP 636 SSL).
As an administrator, make the following settings in the AEB Engine:
- Open your AEB Engine. You must have administrator rights.
- In the Office, go to Administration – Connection settings – X.509 Certificates.
- Import your available certificate. You only need to import the certificate into the AEB Engine; you do not need to import it on the server.
- In the Office, go to User administration – Access rights – LDAP settings.
- Click Open to open the stored LDAP host entry.
- In the Host field, enter the host name of your domain controller.
- In the Port field, enter "636".
- Check the Use SSL box.
- Test the LDAP connection by clicking Test connection.
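Before the Microsoft change takes effect, and again after switching the AEB Engine to port 636, an administrator will want to confirm which clients still bind to the domain controller over cleartext LDAP. Active Directory records such binds as Directory Service event 2889 once LDAP interface diagnostic logging is enabled. The following script is an added example, not code from AEB or from the page; it parses event 2889 messages into a per-client summary so the AEB Engine's service account should disappear from the list once LDAPS is in use. The event wording and all IPs and account names are constructed approximations for illustration.

```python
import re
from collections import Counter

# Constructed sample of Directory Service event 2889 messages (approximate wording,
# not captured from any real domain controller). Binding Type 0 = simple bind over
# cleartext LDAP, Binding Type 1 = SASL bind without signing.
SAMPLE_EVENTS = [
    "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
    "without requesting signing (integrity verification), or performed a simple bind over "
    "a clear text (non-SSL/TLS-encrypted) LDAP connection.\n"
    "Client IP address:\n10.0.0.25:49231\n"
    "Identity the client attempted to authenticate as:\nEXAMPLE\\svc-aeb-engine\n"
    "Binding Type:\n0",
    "The following client performed a simple bind over a clear text LDAP connection.\n"
    "Client IP address:\n10.0.0.25:49277\n"
    "Identity the client attempted to authenticate as:\nEXAMPLE\\svc-aeb-engine\n"
    "Binding Type:\n0",
    "The following client performed a SASL LDAP bind without requesting signing.\n"
    "Client IP address:\n10.0.0.40:51002\n"
    "Identity the client attempted to authenticate as:\nEXAMPLE\\jdoe\n"
    "Binding Type:\n1",
    "Unrelated Directory Service message that is not an unsigned-bind report.",
]

BIND_TYPES = {"0": "simple bind (cleartext)", "1": "SASL bind without signing"}

# Extract the three fields the event carries: client IPv4:port, identity, binding type.
EVENT_RE = re.compile(
    r"Client IP address:\s*([\d.]+):(\d+)\s*"
    r"Identity the client attempted to authenticate as:\s*(\S+)\s*"
    r"Binding Type:\s*(\d)",
    re.S,
)


def parse_event(message):
    """Return {'ip', 'identity', 'bind_type'} for an event 2889 message, else None."""
    match = EVENT_RE.search(message)
    if not match:
        return None
    return {
        "ip": match.group(1),
        "identity": match.group(3),
        "bind_type": BIND_TYPES.get(match.group(4), "unknown"),
    }


def summarize(messages):
    """Count unsigned/cleartext binds per (client IP, identity, bind type)."""
    counts = Counter()
    for message in messages:
        record = parse_event(message)
        if record:
            counts[(record["ip"], record["identity"], record["bind_type"])] += 1
    return counts


if __name__ == "__main__":
    for (ip, identity, kind), n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"{ip:15} {identity:25} {kind:28} {n}")
```

Any client that still appears in this summary after the patch is installed will lose its Active Directory connection, so it should be moved to LDAPS first.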