ADV190023 – Enable LDAPS in Windows DC and Citrix ADC

Important Info:
The scheduled update (ADV190023), regarding LDAP Signing and Channel Binding for new and existing domain controllers, scheduled for March 10, 2020, has been postponed to the second half of calendar year 2020. The March 2020 update will only provide additional auditing capabilities to identify and configure LDAP systems before they become inaccessible with the later update.

The later update results in no more connections to the domain controller, via unsigned / Clear Text LDAP on port 389. Then it is only possible to use either LDAPS via port 636 or Signed LDAP (StartTLS) on port 389.

Affected Domain Controller Versions

• Windows Server 2019
• Windows Server 2016
• Windows Server 2012 R2
• Windows Server 2012
• Windows Server 2008 R2 SP 1
• Windows Server 2008 SP 2

Affected LDAP Clients

The topic concerns not only the Microsoft environment, but all systems that serve as LDAP client and send LDAP requests. The following is a small list of systems that occurred to me.

• Citrix Gateway
• Citrix AAA
• Citrix LoadBalancer for LDAP
• Citrix Endpoint Management
• VPN (e.g. Sophos)
• Igel UMS Console
• Ticket Systems (e.g. Remedy or Helpdesk)
• ERP /CRM Systems (e.g. SAP)
• Database Systems (e.g. Oracle)
• Webserver (e.g. TomCat or Apache)
• Security Components (Firewall or Proxy)
• Backup / Storage Repository

Some manufacturers, e.g. Igel, have already reacted and it is now possible to switch the connection to LDAPS via the GUI of the UMS console.

How can I check if unsigned LDAP is used?

The first step, to determine if the environment is affected by the transition, is to scan the event logs on the Active Directory server for event IDs 2886, 2887 and 2888. After installing the March updates, the event IDs 3039, 3040 and 3041 still point to unsecured LDAP traffic. All event IDs can be found under Applications and Services Logs / Directory Service.

This is checked manually on all DCs or by the script entered below, which performs the manual steps for you.

LDAP signing events

Following are the event logs regarding LDAP signing.

	Description	Trigger
2886	The security of these domain controllers can be significantly improved by configuring the server to enforce validation of LDAP signing.	Triggered every 24 hours, on startup or start of service if the Group Policy is set to None. Minimum Logging Level: 0 or higher
2887	The security of these domain controllers can be improved by configuring them to reject simple LDAP bind requests and other bind requests that do not include LDAP signing.	Triggered every 24 hours when Group Policy is set to None and at least one unprotected bind was completed. Minimum Logging Level: 0 or higher
2888	The security of these domain controllers can be improved by configuring them to reject simple LDAP bind requests and other bind requests that do not include LDAP signing.	Triggered every 24 hours when Group Policy is set to Require Signing and at least one unprotected bind was rejected. Minimum Logging Level: 0 or higher
2889	The security of these domain controllers can be improved by configuring them to reject simple LDAP bind requests and other bind requests that do not include LDAP signing.	Triggered when a client does not use signing for binds on sessions on port 389. Minimum Logging Level: 2 or higher

If event 2886 is present on a domain controller, this indicates that signed LDAP is not forced by the DCs and it is possible to perform a simple (Clear Text) LDAP binding over an unencrypted connection. The security option “Domain controller: LDAP server signing requirements” is then configured to “None“.

The next checkpoint is event 2887, this event ID occurs every 24 hours and reports how many unsigned and clear text connections to the DC have occurred.

If the Active Directory servers are configured to reject unsigned or simple LDAP connections over a non-SSL/TLS connection, the Active Directory servers log these attempts and write a summary to the event log every 24 hours under event ID 2888.

Changes with March Update

Important:
The March 10, 2020 updates do not change the default policies for LDAP signing or LDAP channel binding on new or existing Active Directory domain controllers.

It only adds the following functions:

• New events are logged in the Event Log in combination with the LDAP Channel Bindings.
• A new GPO setting “Domain controller: LDAP server channel binding token requirements” to configure LDAP channel binding on supported devices. Possible settings are None, When Supported or Always. Event ID 3039 is only created if this setting is not set to None.

LDAP Channel Binding events

Following are the new events that will be released with the March update.

Event	Description	Trigger
3039	The following client performed an LDAP bind over SSL/TLS and failed the LDAP channel binding token validation.	Triggered when a client attempts to bind without valid CBT. Minimum logging level: 2 Note Event can only be generated when Channel Binding is set to When Supported or Always
3040	During the previous 24 hour period, # of unprotected LDAPs binds were performed.	Triggered every 24 hours when CBT Group Policy is set to Never and at least one unprotected bind was completed. Minimum logging level: 0
3041	The security of this directory server can be significantly improved by configuring the server to enforce validation of LDAP channel binding tokens.	Triggered every 24 hours, on startup or start of service if the CBT Group Policy is set to Never. Minimum logging level: 0

Activation LDAP Event Diagnostic Logging

With the event IDs mentioned above we only get the information that we still receive Clear Text LDAP requests to the domain controller, but not who is sending them. To change this we can increase the log level on our domain controller to see who requested the Clear Text LDAP connection (Event ID 2889).

Enable LDAP Event Diagnostic Logging

Copy the bottom line into a REG file and execute it on the DC. No restart is required.

Disable LDAP Event Diagnostic Logging

Copy the bottom line into a REG file and execute it on the DC to disable it again.

Note:
It may be necessary to replace the double quotation marks after copying and pasting.

After activation of the extended log level, an event with the ID 2889 is created for each access via Clear Text LDAP (under Applications and Services Logs / Directory Service). These events contain which IP addresses and which user accounts have established this connection.

PowerShell script for testing the DCs

To make it easier to check the environment, I have adapted the following PowerShell scripts by Arne Tiedemann to the Microsoft March Updates.

• Connect to a domain controller
• Go to this link and download the two scripts
  (Further instructions are stored in the README.md file)
• Run the script ActiveDirectory-DCLDAPEvents.ps1 to search your domain controllers for event ID 2887 & 3040

• The script then create a CSV file (InsecureLDAPCount.csv) with the displayed information

Only the event entries are counted and you will not get any further information from this file!

To get more information, like user account or IP address of the LDAP client, you have to execute the script ActiveDirectory-LDAPInterfaceEventLogging.ps1

• Start the script on the domain controller

The script will detect if you have run one of the two available scripts in the last 15 minutes and would not search all DCs for the known events again.

It uses the created InsecureLDAPCount.csv file to identify the affected DCs and, based on the list, starts the increased log level for 30 minutes on the DCs. As a result, you will get a detailed list for each affected DC with the following information.

DomainController – LDAP Client IP-Address – Port – User – BindType

If the increased log level should not run for 30 minutes, the time can be adjusted with the following parameters.

Action plan for ADV190023

1. Install the March Windows Updates
2. Check environment automatically via script or with the following manual steps
   
   • Configure LDAP Event Diagnostic Logging to 2 or higher
   • Monitor the event log under Applications and Services Logs / Directory Service on all domain controllers
     • LDAP Signing failure event 2887
     • LDAP Channel Binding failure event 3040
       
       Note:
       Event 3039 can only be generated if Channel Binding is set to When Supported or Always.
       
3. Identify the devices for each IP address named at Event 2887 (unsigned LDAP) or Event 3039 (no LDAP Channel Binding)
4. Enable LDAPS on domain controller (Signed LDAP is always accepted and should not be set to Required in the phase)
5. Enable LDAPS or Signed LDAP (StartTLS) on the mentioned devices

Activation LDAPS & Signed LDAP (StartTLS) on DC

Short guide to enable LDAPS & Signed LDAP (StartTLS) on your domain controllers.

Method 1

The first method is the simplest:
The DC automatically accept LDAPS & Signed LDAP (StartTLS) if a Microsoft Enterprise Root CA is installed on a domain controller. If the Active Directory Certificate Services (AD CS) role is installed and the type of CA setup on the DC is specified as “Enterprise”, all DCs in the overall structure are automatically configured to accept both.

Note:
Although it’s generally a good thing to have a CA in the organization, placement on the DC is not a good idea overall.

Method 2

In most cases a certificate is used where the root CA is not located on a DC. So the second method is to simply put a certificate (Server Authentication enabled) on each DC.

Important:
Remember that regardless of which CA is used to obtain this certificate, both the DCs and the systems running the LDAP client application must trust this certificate.

Note:
For a Windows Server 2008 / R2 / 2012 DC, the certificate must be imported into the AD DS Personal Store (NTDS\Personal).
For older servers (older than 2003 R2) the certificate must be imported into the Computer Personal Store.
For Windows Server 2016 & 2019 both methods work.

Requirements

• Installed & Activated CA

Publication of a compatible Certificate Template

We need a certificate template that supports Server Authentication and has an Exportable private key.

• Connect to your server that has the AD CA role installed
• Open the Certificate Console via Start > Run and the command certsrv.msc

• Expand the display, by double clicking on the name of your CA
• Now click with the right mouse button on Certificate Templates and then on Manage

• In the Certificate Template Console, right-click on Web Server and select Duplicate Template

It is not necessary to use the Web Server template. You can create your own template or use one of the other existing templates that have server authentication as their purpose.

• In the window that appear, the duplicated template is edited. Change the following under General
  • Change the Template display name
  • Change the Validity period and Renewal period to your security parameters

• Under Request Handling click on Allow private key to be exported

• Under Subject Name select DNS name and Service principal Name (SPN)

Note:
If the certificate template is to be used for wildcards, Supply in the request must be selected here

• Under Security click Add

• In the following window click on Locations…

• Select Computers and confirm with OK

• Enter your DCs and confirm this with Check Names and OK

• Under Security click on your newly added DCs and extend the Allow permissions with Read, Write & Enroll

• Under Extensions, check again that Server Authentication is also selected as the Application Policies. Confirm the entries with OK.

• Close the Certificate Template Console
• Go back to the Certificate Console and right click in the details area of Certificate Templates
• Click here on New and then on Certificate Template to be Issue

• In the window Enable Certificate Templates select the newly created template (here Server Authentication) and click on OK

Requesting a Server Authentication Certificate

For LDAPS we can use either a SAN certificate or a Wildcard certificate. Both types of certificates must be created with Server Authentication permission. Follow these instruction for either SAN certificate or Wildcard certificate.

Request SAN Certificate

• Connect to the first DC
• Open a console there via Start > Run with the command mmc

• In the MMC console click on File and on Add/Remove Snap-in…

• In the following window select Certificates on the left side and click on Add

• In the Certificate Snap-in window, select Computer account and click Next

• Under Select Computer, select Local Computer and click Finish
• Extend the console to the folder Certificates (Local Computer) > Personal > Certificates
• Right-click on the folder and click on All Tasks and Request New Certificate

• Click the first two windows with Next through
• In the window Request Certificates select your newly created certificate template (here Server Authentication)
• Click on Enroll

• If the creation was successful, this is displayed under Status. Confirm this with Finish

• Double-click the new certificate in the results area to open the Certificate Properties dialog box

• Click on the Details tab and select the Enhanced Key Usage option. Check that Server Authentication (1.3.6.1.5.5.7.3.1) has been added

Perform these steps for each domain controller.

Request Wildcard Certificate

If a load balancer (e.g. Citrix ADC) is used in front of the domain controllers, not every DC has to receive its own certificate. Only the load balancer needs a certificate (e.g. Wildcard certificate), which is then imported and accepted on all DCs.

• Connect to the first DC
• Open a console there via Start > Run with the command mmc

• In the MMC console click on File and on Add/Remove Snap-in…

• In the following window select Certificates on the left side and click on Add

• In the Certificate Snap-in window, select Computer account and click Next

• Under Select Computer, select Local Computer and click Finish
• Extend the console to the folder Certificates (Local Computer) > Personal > Certificates
• Right-click on the folder and click on All Tasks and Request New Certificate

• Click the first two windows with Next through
• In the window Request Certificates select your newly created certificate template (here Server Authentication)
• Click on the warning notice More information is required to enroll for this certificate…
  
  Note:
  If you do not see this warning, the certificate template is not defined with Supply in the request under Subject Name in the template

• In the Certificate Properties window under the Subject tab enter the following
  • Type (Common name)
  • Value (Your domain for the Wildcard, e.g. *.deyda.local)
• Click on Add

• In the tab General enter the display name of the certificate under Friendly name (e.g. *.deyda.local)

• Check in the tab Extensions that both Digital signature & Key encipherment is selected

• Check in the Private Key tab that Make private key exportable is selected and confirm this with OK

• When all requirements are filled out click on Enroll

• If the creation was successful, this is displayed under Status. Confirm this with Finish

• Double-click the new certificate in the results area to open the Certificate Properties dialog box

• Click on the Details tab and select the Enhanced Key Usage option. Check that Server Authentication (1.3.6.1.5.5.7.3.1) has been added

This only need to be done once for all DCs.

Export the LDAPS certificate

The following steps show how to export an LDAPS-enabled certificate from the local certificate store of a domain controller. The following steps apply to Wildcard and SAN certificates.

• Connect to the first DC
• Open a console there via Start > Run with the command mmc

• In the MMC console click on File and on Add/Remove Snap-in…

• In the following window select Certificates on the left side and click on Add

• In the Certificate Snap-in window, select Computer account and click Next

• Under Select Computer, select Local Computer and click Finish
• Extend the console to the folder Certificates (Local Computer) > Personal > Certificates
• Click with the right mouse button on the previously created certificate (here DC01.deyda.net, you can recognize it by the column Certificate Template) and click on All Tasks and Export

• Click Next on the Welcome Screen of the Certificate Export Wizard
• In the Export Private Key window, select Yes, export private key and confirm with Next
  • If it is not possible to export the private key, then the wrong certificate template was selected or it was created incorrectly

• In the Export File Format window, Export all extended properties should be selected. Confirm this with Continue.
• The other selection options are optional.

• On the Security window, enter a Password to use for importing the certificate. Then click Next

• Select a path in the File to Export window via Browse and define a file name. Then click on Next

• Confirm the settings by clicking on Finish

• This is followed by a pop-up message indicating that The export was successful. Click OK.

Import for use with AD DS

The certificate must now be imported into the certificate store of the Active Directory Domain Services (NTDS\Personal). This step must be performed for each domain controller that is to provide LDAPS. These certificates must be manually renewed when they expire. The following steps apply to Wildcard and SAN certificates.

Note:
The following steps must be performed on Windows Server 2008 / R2 / 2012 DCs.
For Windows Server 2016 & 2019 the following steps are optional.

• Connect to the first DC
• Open a console there via Start > Run with the command mmc

• In the MMC console click on File and on Add/Remove Snap-in…

• In the following window select Certificates on the left side and click on Add

• In the Certificates snap-in window, select Service account and click Next

• Under Select Computer, select Local Computer and click Next
• Select Active Directory Domain Services and confirm with Finish

• Expand the console to the folder Certificates – Service (Active Directory Domain Services) > NTDS\Personal
• Right click on the NTDS\Personal folder and click on All Tasks and Import

• At the Certificate Import Wizard window click Next
• Click the Browse button in the File to Import window and then browse to the previously exported certificate file
  • Ensure that Personal Information Exchange (pfx, .p12) is selected as the file type

• Confirm the selection with Next

• In the following Private key protection window, enter the Password for the certificate and click Next

• On the Certificate Store page, make sure the Place all certificates in the following store option is selected and the certificate store is NTDS\Personal.
• Confirm this with Next

• Confirm the settings with a click on Finish

• A message should then appear that The import was successful. Click on OK

• Check the successful import. Expands the navigation area under NTDS\Personal > Certificates. Here you should see the imported certificate

Checking the connections

After installing a certificate, perform the following steps to verify that LDAPS and Signed LDAP (StartTLS) are working.

• Connect to the first DC
• Open a console there via Start > Run with the command mmc
• Start the Active Directory Administration Tool (Ldp.exe)
  • For non-domain controllers, the Remote server administration tools must be installed

• Click on Connection and then on Connect

• Enter the name of the LDAPS server (e.g. Domain Controller or LDAP Load Balancer) you want to test
• Change the port to 636 and check the box SSL to test LDAPS
• Start the test with OK

• Successful connection via LDAPS

• Change the port to 389 and uncheck the SSL box to test signed LDAP (StartTLS)
• Start the test with OK

• The LDAP connection is established

• Now click on Options > TLS > StartTLS to start Signed LDAP (StartTLS)

• Signed LDAP (StartTLS) could establish connection

Check without certificate

For test cases you can delete the imported certificate from the DC again or connect against a DC without certificate. There you can try to establish the same connections.

• LDAPS connection (Port 636 SSL) not successful

• LDAP connection (Port 389) still works

• But the switch to Signed LDAP (StartTLS) no longer works

Configure Citrix ADC

As mentioned above, the Citrix ADC with its DC connections may be affected by the upcoming change. Therefore here is a short instruction to change the required settings in the Citrix ADC.

Requirements

• The domain controller has bound a certificate (Server Authentication) for LDAPS or Signed LDAP (StartTLS) (e.g. Wildcard Certificate)
• If LDAPS is to be used, the affected firewalls must still be adapted (Port change from 389 to 636)

Authentication LDAPS Server

• Connect to the Management IP of the affected system

• Go in the navigantion panel to System > Authentication > Basic Policies > LDAP

• Switch to the Servers tab

• Open your existing LDAP server (here 10.0.0.4_LDAP)

• Change the Security Type to SSL, which directly change the Port to 636

• Now you can test this change directly with Test LDAP Reachability. This can be found under Connection Settings

Another advantage of switching to LDAPS is that the user can change his password independently.

• Activate the item Allow Password Change under Other Settings

CLI Command

Example:

Authentication Signed LDAP (StartTLS) Server

• Connect to the Management IP of the affected system

• Go to System > Authentication > Basic Policies > LDAP in the Navigation Menu

• Switch to the Servers tab

• Open your existing LDAP server (here 10.0.0.4_LDAP)

If the firewalls are not to be adjusted, Signed LDAP (StartTLS) can also be used in the Citrix ADC.

• Change the Security Type to TLS, the Port remains at 389

• Now you can test this change directly with Test LDAP Reachability. This can be found under Connection Settings

CLI Command

Example:

Load Balanced LDAPS Server

TCP or SSL_TCP can be selected as Load Balancing Protocol for LDAPS. SSL_TCP is recommended for higher compatibility (e.g. with Linux appliances) (SSL termination is done on the Citrix ADC).

For existing LDAP load balancing, the following must be recreated for LDAPS:

• Load Balancing Monitor
• Load Balancing Service Groups
• Load Balancing vServer

• Connect to the Management IP of the affected system

Configuration LDAPS Monitor

• Go to Traffic Management > Load Balancing > Monitors in the Navigation Menu

• Now click on Add, if you do not have an existing LDAPS monitor

• Configure the new Monitor
  • Name (Name of the Monitor, e.g. LDAPS)
  • Type (Type of the Monitor, LDAP)
  • Password (The password of the Service Account stored under Bind DN)
  • Base DN (Domain names in LDAP format, e.g. dc=deyda, dc=local)
  • Bind DN (Service Account for communication with the AD, e.g. service_ldap@deyda.local)
  • Filter (Restriction of search results, cn=builtin)
  • Secure (Activate the Secure checkbox)
• Confirm the entry with Create

CLI Command

Example:

Configuration of the LDAPS Service Group

• Go to Traffic Management > Load Balancing > Service Groups in the Navigation Menu

• Now click on Add to create a new Service Group for LDAPS

• Configure the new Service Group for LDAPS
  • Name (Name of the Service Group, e.g. LDAPS-svc_group)
  • Protocol (Protocol, SSL_TCP)
• Confirm the entry with OK

• Click on No Service Group Member in the following window to include the existing DCs for LDAPS

• Change the server methode to Server Based and click on Click to select if existing servers are to be included. If new servers are to be included, click Add

• Select the DCs that are configured for LDAPS and add them via Select

• Configure the required port (636) and confirm the entry with Create

• In the following Load Balancing Service Group window, select Monitors on the right side

• Now click on No Service Group to Monitor Binding to bind the previously created LDAPS Monitor

• Now select the Monitor (here LDAPS) and confirm this with Select

• Confirm the integration of the Monitor by clicking on Bind

• Confirm the entries with Done. The Effective State must be displayed as Up

CLI Command

Example:

Configuration of the LDAPS virtual Server

• Go to Traffic Management > Load Balancing > Virtual Servers in the Navigation Menu

• Now click on Add to create a new Virtual Server for LDAPS

• Configure the new Virtual Server for LDAPS
  • Name (Name of the Virtual Servers, e.g. LDAPS-LB)
  • Protocol (Protocol, SSL_TCP)
  • IP Address Type (IP Address)
  • IP Address (IP Address of the Virtual Server, e.g. 10.0.0.200)
  • Port (LDAPS Port, 636)
• Confirm the entries with OK

• Click No Load Balancing Virtual Server ServiceGroup Binding in the following window to bind the newly created Service Group

• Click on Click to select to get to the selection list of Service Groups

• Select the previously configured Service Group (LDAPS-svc_group) and add it via Select
• Click Continue after binding

• Click under Certificate on No Server Certificate

• Now select a suitable certificate for this load balancer. Select a Wildcard certificate of the local domain (Wildcard-deyda-local) and confirm with Select

• Now click on Continue and then on Done

CLI Command

Example:

Configuration of the LDAPS Authentication Server

• Go to System > Authentication > Basic Policies > LDAP in the Navigation Menu

• Switch to the Servers tab

• Open the existing LDAP server (here 10.0.0.4_LDAP) or create a new one

• Change the following settings of the existing Authentication Server
  • IP Address (IP Address of the LB Virtual Server, 10.0.0.200)
  • Security Type (Type of the connection, SSL)
  • Port (Port of the connection, 636)
    
    The port is automatically changed when SSL is selected under Security Type.

• Now you can test this change directly with Test LDAP Reachability. This can be found under Connection Settings

Another advantage of switching to LDAPS is that the user can change his password independently.

• Activate the item Allow Password Change under Other Settings

CLI Command

Example:

Load Balanced Signed LDAP (StartTLS)

If the firewalls should not be changed, Signed LDAP (StartTLS) should be used in the Citrix ADC. Nothing need to be adjusted in the load balancing chain for this, because port 389 is still used.

• Connect to the Management IP of the affected system

• Go to System > Authentication > Basic Policies > LDAP in the Nagivation Menu

• Switch to the Servers tab

• Open the existing LDAP server (here 10.0.0.4_LDAP) or create a new one

• Change the Security Type to TLS, the port remain at 389

• Now you can test this change directly with Test LDAP Reachability. This can be found under Connection Settings

CLI Command

Example: