What impact will Microsoft ADV190023 have on SANtricity OS?
Applies to
- SANtricity
- LDAP
- Microsoft Security Advisory: ADV190023
Answer
Microsoft Security Advisory ADV190023 changes the behavior of two registry keys:
- Recommendation to set LDAP Server Signing Requirements to a registry setting of 2:
| Group Policy Setting | Registry Setting |
| Off | 0 |
| None | 1 (default) |
| Require Signing | 2 |
- Setting LDAP Server Signing Requirements to Require Signing may impact existing LDAP client configurations utilizing active-directory domain controllers.
- Set this to None (registry setting of 1) or Off (registry setting of 0) to prevent an impact to SANtricity OS.
- Note: Events 2886 and 2887 may be observed.
- Set this to Require Signing (registry setting of 2) only if using LDAPS or TLS.
- Note: Events 2888 and 2889 indicate LDAP is rejecting the SANtricity's LDAP client.
- Recommendation to set LDAP Enforce Channel Binding to a registry setting of 1:
| Group Policy Setting | Registry Setting |
| Never | 0 |
| When Supported | 1 |
| Always | 2 |
- Affects LDAP over TLS or LDAPS.
- Should have no impact on SANtricity's LDAP client.
- Note: Setting this option in the registry to Always (registry setting of 2) will prevent SANtricity's LDAP client from authenticating.
Additional Information