LDAP channel binding and LDAP signing provide ways to increase the security for communications between LDAP clients and Active Directory domain controllers. A set of unsafe default configurations for LDAP channel binding and LDAP signing exist on Active Directory Domain Controllers that let LDAP clients communicate with them without enforcing LDAP channel binding and LDAP signing. This can open Active directory domain controllers to elevation of privilege vulnerabilities.
In an upcoming release, Microsoft will provide a Windows update that by default will change the LDAP channel binding and LDAP signing to more secure configurations. When the update is available, customers will be notified via a revision to this advisory.
For security reasons, Microsoft will no longer support LDAP by default.
Due to the usage of .NET Framework EASY for Exchange does support the secured connection using LDAPS from the beginning. To secure your connection you just have to pursue the following instructions.
Adjustments in EASY for Exchange for LDAPS
EASY for Exchange Configuration Center
EASY for Exchange does not require an update for LDAPS. You only need to change the configuration of Active Directory controllers in the EASY for Exchange Configuration Center.
To do so, open the E4E Configuration Center and navigate to your server farm. Here, the configuration for each Active Directory controller must now be adjusted; there is one AD controller for each Exchange Server created. You can find this in the tab “General”:
For an LDAPS connection, enable SSL and use port 636 or to access the global catalog server (GC), port 3269.
Save your changes at the bottom right.
Certificate of the Active Directory Controller
Usually the required certificates are already known on the member servers. If errors occur when connecting via LDAPS, please check the certificates on the participating servers.
The certificate must be issued for the “server authentication” and must contain the server name and the FQDN as “DNS name” entry.
Adjustments in EASY Archive
Please also note that EASY for Exchange uses the LDAP interface in EASY Archive. To activate LDAPS in EASY archive, please check the settings according to the chapter “Directory services” in the EASY archive documentation.