Avoid Authentigeddon: Microsoft is going to break your LDAP bindings

Jan 29, 2020 by Tim Lewis

For years, LDAP (Lightweight Directory Access Protocol) has been a standard to integrate systems and services with Active Directory. Firewalls, application delivery controllers, and the like use LDAP to give something of a single-sign-on experience where users authenticate with their domain credentials. 

Unfortunately, the default LDAP bind (a simple bind) transmits credentials in clear text, which has been a security concern for quite a while: clear-text transmission opens you up to a man-in-the-middle attack. It has been a well-known vulnerability for some time, and Microsoft issued an advisory about this issue in August 2019. 

As mentioned in that advisory, Microsoft is going to release a patch in March 2020 that will set the LDAP service to reject unsigned requests. If you already have an insecure LDAP configured, there is a very high likelihood this will break the LDAP connection(s). Any devices that are using LDAP for authentication will no longer be able to authenticate users. 

Microsoft recommends that you change your existing LDAP bindings to LDAPS. The real question is, how do I find all my LDAP bindings? 

There are a couple of different ways. My first thought would be to run a Wireshark session on your domain controllers with the capture filter "tcp port ldap". 

This way you can run Wireshark for several hours/days without much of a footprint on your system.  

You could also search the domain controller event logs for event IDs 2886 and 2887. 

Or, Microsoft has a PowerShell script to find insecure bindings as well. 

Microsoft's guidance covers these options for finding your LDAP bindings in more detail. 
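To act on the event-log option above, here is an added PowerShell example of my own (it is not Microsoft's script) that pulls the 2886/2887 summary events from a domain controller's Directory Service log, raises the "16 LDAP Interface Events" diagnostic level so the per-client 2889 events are written, and then tallies which clients and accounts are still binding without signing or TLS. It assumes you run it elevated on the DC itself, and that the 2889 event's property layout (client address, identity, binding type) is as commented in the code.

```powershell
# Added example: inventory insecure LDAP binds on a domain controller.
# Run elevated on the DC itself; writes to the NTDS diagnostics registry key.
param([int]$Days = 7)

$since = (Get-Date).AddDays(-$Days)

# 2886: LDAP signing is not being required (logged at boot and every 24h).
# 2887: daily count of simple binds without TLS and SASL binds without signing.
$summary = Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service'; Id = 2886, 2887; StartTime = $since
} -ErrorAction SilentlyContinue

foreach ($e in $summary) {
    '{0}  Event {1}: {2}' -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0]
}

# 2889 (one event per insecure client bind) is only written when the
# "16 LDAP Interface Events" diagnostic level is 2 or higher.
$diagKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'
$valName = '16 LDAP Interface Events'
$level   = (Get-ItemProperty -Path $diagKey -Name $valName).$valName
if ($level -lt 2) {
    Write-Warning "LDAP Interface Events level is $level; raising to 2 so 2889 events are logged."
    Set-ItemProperty -Path $diagKey -Name $valName -Value 2 -Type DWord
}

$detail = Get-WinEvent -FilterHashtable @{
    LogName = 'Directory Service'; Id = 2889; StartTime = $since
} -ErrorAction SilentlyContinue

# Assumed 2889 property layout: [0] client IP:port, [1] identity the client
# bound as, [2] binding type (0 = SASL bind without signing, 1 = simple bind
# over clear text). Verify against one raw event before trusting the labels.
$detail | ForEach-Object {
    [pscustomobject]@{
        Client   = ($_.Properties[0].Value -split ':')[0]
        Identity = $_.Properties[1].Value
        BindType = if ($_.Properties[2].Value -eq 0) { 'SASL unsigned' } else { 'Simple (clear text)' }
    }
} | Group-Object Client, Identity, BindType |
    Select-Object Count,
        @{n = 'Client';   e = { $_.Group[0].Client } },
        @{n = 'Identity'; e = { $_.Group[0].Identity } },
        @{n = 'BindType'; e = { $_.Group[0].BindType } } |
    Sort-Object Count -Descending | Format-Table -AutoSize
```

Re-run after a day or two so the newly enabled 2889 events have had time to accumulate; the grouped output is your list of devices to move to LDAPS before the March patch.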

If you have questions about how to locate your LDAP bindings and change them to LDAPS, we can help you. Send us an email at info@mirazon.com or give us a call at 502-240-0404! 
