[MacTUG] An interesting read....

Stephen Markan smarkan at connect.uwaterloo.ca
Fri Feb 7 16:07:56 EST 2020


Below is a snippet from a conversation on the Windows-HIED mailing list:

According to Microsoft Security Advisory ADV190023 <https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023> the March 2020 security update will enable LDAP channel binding and LDAP signing on Active Directory servers by default.  It is unclear from the documentation if this can be undone or postponed.  Following guidance in Identifying Clear Text LDAP binds to your DC's <https://docs.microsoft.com/en-us/archive/blogs/russellt/identifying-clear-text-ldap-binds-to-your-dcs> we have found that all of our domain-joined Macs are encrypting but not signing their connections to AD LDAP.  Testing so far has found that the only way to resolve this is to enforce SSL using the dsconfigad -packetencrypt ssl command along with importing the trusted root CA for our domain controllers.

Has anyone else looked at this and found alternative solutions?  According to the Apple support article Configure domain access in Directory Utility on Mac <https://support.apple.com/guide/directory-utility/configure-domain-access-diru11f4f748/mac> it should not be necessary to enforce SSL, but we have not found any alternative settings that work.

FYI we also have found and are investigating remediation for issues with various NetApp NAS devices and Linux machines which are behaving similarly.

Interested in how other organizations are approaching this or if this is even on your radar (it wasn't on ours until last week).

Regards,
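The "Identifying Clear Text LDAP binds" guidance referenced above has admins raise the "16 LDAP Interface Events" diagnostic level on a domain controller and then read Directory Service event 2889, which records each client that bound without requesting signing (binding type 0, an unsigned SASL bind) or with a simple bind over cleartext LDAP (binding type 1). The script below is an added example, not part of the original message or of Microsoft's tooling: it parses a text export of such events and groups the results per client host so an admin can see which Macs, NAS devices or Linux boxes will be refused once signing is required. The sample export embedded in it is constructed; the host names, IPs and accounts are made up, and the record layout is assumed to match the 2889 event text as exported from Event Viewer.

```python
import re
from collections import defaultdict

# Constructed sample in the shape of three Directory Service event 2889 records
# exported as text from a domain controller. All values are made up.
SAMPLE_2889_EXPORT = """\
Event ID: 2889
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
192.0.2.10:49212
Identity the client attempted to authenticate as:
EXAMPLE\\MAC-LAB-01$
Binding Type:
0

Event ID: 2889
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
192.0.2.10:49377
Identity the client attempted to authenticate as:
EXAMPLE\\MAC-LAB-01$
Binding Type:
0

Event ID: 2889
The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a cleartext (non-SSL/TLS-encrypted) LDAP connection.

Client IP address:
[2001:db8::25]:51002
Identity the client attempted to authenticate as:
EXAMPLE\\svc-nas-ldap
Binding Type:
1
"""

# Meaning of the "Binding Type" field in event 2889.
BINDING_TYPE = {
    "0": "unsigned SASL bind",
    "1": "simple bind over cleartext LDAP",
}

# One match per event: client address (with port), identity, binding type.
RECORD_RE = re.compile(
    r"Client IP address:\s*\n(?P<addr>\S+)\s*\n"
    r"Identity the client attempted to authenticate as:\s*\n(?P<identity>[^\n]+)\n"
    r"Binding Type:\s*\n(?P<btype>[01])"
)


def split_client(addr):
    """Separate host from port; handles '1.2.3.4:port' and '[v6addr]:port'."""
    if addr.startswith("["):
        host, _, port = addr[1:].partition("]:")
    else:
        host, _, port = addr.rpartition(":")
    return host, int(port)


def parse_2889(text):
    """Return one dict per 2889 record found in the exported text."""
    records = []
    for m in RECORD_RE.finditer(text):
        host, port = split_client(m.group("addr"))
        records.append({
            "client": host,
            "port": port,
            "identity": m.group("identity").strip(),
            "binding": BINDING_TYPE[m.group("btype")],
        })
    return records


def summarize(records):
    """Group records by client host: which accounts bound how, and how often."""
    by_host = defaultdict(lambda: {"identities": set(), "bindings": set(), "count": 0})
    for r in records:
        entry = by_host[r["client"]]
        entry["identities"].add(r["identity"])
        entry["bindings"].add(r["binding"])
        entry["count"] += 1
    return dict(by_host)


if __name__ == "__main__":
    # Every host listed here will be refused by a DC that requires LDAP signing.
    for host, info in sorted(summarize(parse_2889(SAMPLE_2889_EXPORT)).items()):
        print(f"{host}: {info['count']} bind(s) as {sorted(info['identities'])} "
              f"using {sorted(info['bindings'])}")
```

Run it against a real export by replacing the constructed string with the contents of the exported file; both binding types it reports are ones the DC will reject after signing is enforced, so the per-host list is effectively the remediation worklist the message above describes (SSL for the Macs via dsconfigad, and whatever the NAS and Linux clients support).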


