NetApp Knowledge Base

Microsoft Security Advisory: ADV190023 impact on NetApp appliance running CIFS\NFS utilizing Microsoft Active Directory LDAP servers


Applies to

  • ONTAP 9
  • Data ONTAP 8
  • CIFS
  • NFS
WARNING: Regarding LdapEnforceChannelBinding, do not set the enforce DWORD value to 2 until support for 1136213 has been implemented in ONTAP.

Answer

What impact will ADV190023 have on ONTAP?

These are the 2 expected changes: 

  • Change 1: Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL/TLS more secure 
  • Change 2:  ‘Domain controller: LDAP server signing requirements’ set to ‘Require Signing’ 
Change 1: Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL/TLS more secure

What will change?  

  • LDAP Channel Binding (LdapEnforceChannelBinding) = 1 (after update)

AD - HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters

AD LDS - HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<LDS instance name>\Parameters

The DWORD value has the following meanings:

  • DWORD value: 0 indicates disabled. No channel binding validation is performed. This is the behavior of all servers that have not been updated.  

  • DWORD value: 1 indicates enabled, when supported. All clients that are running on a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server. 
    Clients that are running a version of Windows that has not been updated to support CBT do not have to do so. 
    This is an intermediate option that allows for application compatibility.  

  • DWORD value: 2 indicates enabled, always. All clients must provide channel binding information. The server rejects authentication requests from clients that do not do so.  

  If the default setting of value 1 (enabled, when supported) is used, ONTAP will continue to communicate with Domain Controllers without impact.

[After the March 10, 2020 Microsoft update, the 'Domain controller: LDAP server channel binding token requirements' group policy should be present.]

Note: Manually setting DWORD value 2 (enabled, always) will prevent ONTAP from communicating with Domain Controllers over LDAP when LDAPS or StartTLS is enabled, because ONTAP does not yet send channel binding tokens (see 1136213).

For ONTAP compatibility, do not set LdapEnforceChannelBinding to DWORD value 2 until support for 1136213 has been implemented.

Change 2: ‘Domain controller: LDAP server signing requirements’ set to ‘Require Signing’  
  • This option will impact any existing or new CIFS server deployment or LDAP client configuration that uses Active Directory domain controllers.

  What will change?  

LDAP server signing requirements  

 This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows:  

  •  None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.  

  • Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.  

The LDAP signing group policy change requires no downtime.

After installing ADV190023, both policy settings (including None and Not Defined) will enforce Require Signature.

Only setting the LDAPServerIntegrity registry value to 0 (OFF) disables enforcement of Require Signature.

  Note (Microsoft does not recommend this):

A registry value of "0" means "OFF": with it set, the update does not change the setting and does not enforce Require Signing.

DC: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters  --> LDAPServerIntegrity = 0 (DWORD)
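The following PowerShell script is an added example; it is not part of the NetApp KB and is neither NetApp's nor Microsoft's code. Run on a domain controller, it reads the two registry values described under Change 1 and Change 2, interprets them as this KB does, and then lists the clients the DC's LDAP interface has logged as binding without signing (event 2889, the event the FAQ below also asks about) or failing channel binding token validation (event 3039, written once the March 2020 update is installed). Assumptions, also noted in the comments: LDAP interface diagnostic logging has been enabled so the per-client events are written, and in both events the first message property is the client address as IP:port and the second is the identity bound as.

```powershell
# Added example, not from the NetApp KB and not Microsoft's code. Run in an
# elevated PowerShell session on a domain controller. Assumption: LDAP interface
# diagnostic logging is enabled so that per-client events 2889/3039 are written
# (otherwise only the 24-hour summaries 2887/3040 appear). To enable it:
#   Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics' -Name '16 LDAP Interface Events' -Value 2

$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-NtdsDword {
    # Returns the DWORD, or $null when the value is absent ("not configured")
    param([string]$Name)
    $item = Get-ItemProperty -Path $ntds -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$Name
}

# Change 1: LdapEnforceChannelBinding (0 = off, 1 = when supported, 2 = always)
$cbt = Get-NtdsDword 'LdapEnforceChannelBinding'
if ($cbt -eq 2) {
    Write-Warning 'LdapEnforceChannelBinding = 2 (always): ONTAP LDAPS/StartTLS binds will fail until support for 1136213 is implemented'
} elseif ($cbt -eq 1) {
    Write-Output 'LdapEnforceChannelBinding = 1 (enabled, when supported): ONTAP is not affected'
} else {
    $shown = if ($null -eq $cbt) { 'not set' } else { $cbt }
    Write-Output "LdapEnforceChannelBinding = ${shown}: no channel binding validation"
}

# Change 2: LDAPServerIntegrity; per ADV190023 only 0 (OFF) disables Require signing
$integrity = Get-NtdsDword 'LDAPServerIntegrity'
if ($integrity -eq 0) {
    Write-Output 'LDAPServerIntegrity = 0 (OFF): signing not enforced (Microsoft does not recommend this)'
} else {
    $shown = if ($null -eq $integrity) { 'not set' } else { $integrity }
    Write-Output "LDAPServerIntegrity = ${shown}: with ADV190023 installed, non-TLS binds must be signed; set ONTAP session security to sign or seal"
}

function Get-LdapBindOffenders {
    # Event 2889: bind without signing (hit by change 2)
    # Event 3039: LDAPS/StartTLS bind that failed channel binding validation (hit by change 1 at value 2)
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Directory Service'; Id = 2889, 3039; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Assumption: Properties[0] is the client address as "IP:port", Properties[1] the bound identity
            $addr   = [string]$_.Properties[0].Value
            $cut    = $addr.LastIndexOf(':')
            $client = if ($cut -gt 0) { $addr.Substring(0, $cut) } else { $addr }
            [pscustomobject]@{
                Event    = $_.Id
                Client   = $client
                Identity = [string]$_.Properties[1].Value
            }
        } |
        Group-Object Event, Client, Identity |
        ForEach-Object {
            [pscustomobject]@{
                Count    = $_.Count
                Event    = $_.Group[0].Event
                Client   = $_.Group[0].Client
                Identity = $_.Group[0].Identity
            }
        } |
        Sort-Object Count -Descending
}

# ONTAP SVM data LIF addresses listed under 2889 still need -session-security sign/seal;
# those listed under 3039 are the SVMs that break if the DC is set to value 2.
Get-LdapBindOffenders | Format-Table -AutoSize
```

Run it on each domain controller the SVMs bind to (binds are not logged centrally), and compare the client addresses against the SVM data LIFs to find the vservers that still need the ONTAP-side changes described below.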

How to set ONTAP to use LDAP Signing or Sealing for change 2
Frequently Asked Questions
Q: I had an issue with the steps documented in this article? What do I do?  
Q: LDAP Channel Binding value is supposed to be set to the default value of 1 after patch, do we have to make any changes in ONTAP?
  • As long as the value is kept at 1 and not set to 2, then LDAP channel tokens will not be required and ONTAP will continue to communicate with LDAP. 
  • Once 1136213 is implemented, then ONTAP can officially support LDAP channel binding tokens.   
Q: LDAP Server Integrity (signing) will be set to enabled after patch, do we have to make any changes in ONTAP?  
  • Yes. Set the CIFS server and/or LDAP client to use LDAP signing or sealing. The section above has sample workflows on how to set these options and how to verify them. They can be done non-disruptively and should be set before the Microsoft update is applied. If you are already using LDAP StartTLS or LDAPS, no changes are needed to your vserver configuration, because the signing requirement applies only to connections not protected by TLS\SSL.
Q: I am already using LDAP StartTLS in my vservers, do we have to make any changes in ONTAP in regard to LDAP Server Integrity (signing)?
  • No. That requirement is only for non TLS\SSL connections.
Q: I am already using LDAPS in my vservers, do we have to make any changes in ONTAP in regard to LDAP Server Integrity (signing)?
  • No. As with StartTLS, the signing requirement applies only to non TLS\SSL connections, so an LDAPS configuration already satisfies it.
Q: I am on an unsupported version of ONTAP. What options do I have?
  • Review this documentation: Data ONTAP 8 does not support LDAP signing, so work with Microsoft on relaxing the security settings (for example LDAPServerIntegrity = 0, which Microsoft does not recommend) to allow legacy clients.
    • Also consider upgrading to a supported ONTAP version.
Q: I am on 7mode ONTAP, do I need to make any changes?  
  • This article is specifically only for ONTAP (Clustered Data ONTAP). However, regarding the 2 changes ADV190023 will make, in terms of 7mode:  
    • Change 1: For LDAP Channel Binding support, there are no plans to implement this feature for 7mode. (If the default setting of value 1 is used (enabled), 7mode ONTAP will also continue to communicate with Domain Controllers without impact.) 
    • Change 2: LDAP signing is automatically enabled and no changes are required on 7mode for LDAP Server Integrity (signing) settings.
Q: After the Microsoft update, we want to revert LDAP Server Integrity (signing) back to disabled. How do we do that?
  • Set the LDAPServerIntegrity DWORD value to 0 under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters on the domain controllers, as described under Change 2 above. Microsoft does not recommend this.
Q: What ONTAP commands will be impacted?
  • Commands like the following use LDAP and will see impact as a result of this update (not an exhaustive list):

::> vserver cifs create|delete|modify
::> vserver services name-service ldap create
::> vserver services access-check authentication show-creds  
::> vserver active-directory create|delete|modify
::> vserver cifs group-policy update
::> secd authentication get-dc-info

 

Q: Microsoft states to set clients to require LDAP signing. What is the equivalent setting in ONTAP? Do any Windows clients need to be changed to keep working with ONTAP?
  • The settings and commands in this KB are how you set these values in ONTAP, which is the LDAP client in this case.
Q: Can I make the LDAP sign or seal changes now and not impact CIFS operations?
  • Set the ONTAP LDAP client session security to either "sign" or "seal" using the following commands:
  1. ::> vserver services name-service ldap client modify -session-security
  2. ::> vserver cifs security modify -session-security-for-ad-ldap
    • Setting this option is expected to be a non-disruptive operation.
  • Existing CIFS\NFS connections will not be impacted by this change. Connected sessions are cached and do not require LDAP once established.
  • On the next LDAP bind, ONTAP will use signing or sealing. Setting the option is expected to be non-disruptive to LDAP operations.
  • These can be set well in advance of the Microsoft change that requires signing.
    • However, as with any global security change in your LDAP environment, proper testing and validation is recommended, as customer environments vary.
Q: Where can I get more information on this, or another source I can read to help me understand the implications better?
Q: What is the minimum change I need to do in ONTAP to prepare for ADV190023 and still be compliant?
  • If the expected defaults are deployed after the patch, set the ONTAP LDAP client session security to "sign" using the following commands:

::> vserver services name-service ldap client modify -session-security sign 
::> vserver cifs security modify -session-security-for-ad-ldap sign 

  • Depending on whether you are setting this for a CIFS server or an LDAP client:
    • The minimum requirement is signing. Sealing, LDAPS and StartTLS all exceed the minimum requirement and may require additional configuration steps (e.g. installing self-signed CA certificates).
Q: -session-security output for my vserver is showing ‘ – ‘ or it is blank. What does that mean?
  • A dash or blank defaults to the value none. Vservers that have existed since before ONTAP 9, when these options did not exist yet, may show these values after an upgrade. Follow the recommendations in this KB to be compliant with the patch.
Q: When LDAP sealing is used, LDAP auditing is reporting event ID 2889 for my SVMs.
Q: What is NetApp’s recommendation for LDAP signing and sealing going forward?
  • Recommendation is to utilize LDAP signing. 
Q: I read all the links in this KB and I am still confused about the differences between LDAPS, signing and sealing, and StartTLS.

Read over the links below to help explain the differences:

  • LDAP signing and sealing (over port 389), ONTAP 9.0+

    • Signing confirms the integrity of the LDAP payload data using secret key technology. Sealing encrypts the LDAP payload data to avoid transmitting sensitive information in clear text. An LDAP Security Level option indicates whether the LDAP traffic needs to be signed, signed and sealed, or neither. The default is none. (More info: LDAP signing and sealing concepts and the NFS Guide.)

  • LDAPS and StartTLS

    • Both run LDAP over TLS and require root CA certificates (for example self-signed CA certificates) to be installed, as noted in the minimum-change answer above.

Q: How can I confirm that LDAP Signing or Sealing is being used?
  • Please contact NetApp Technical Support for how to confirm this.
Q: Is there a chart that helps explains all the options and expected behavior prior to support of LDAP Channel Binding?
  • Yes, please refer to chart below on expected behavior for LDAP operations:
  Label      Corresponding cifs security option
  ---------  ----------------------------------
  Signing    -session-security-for-ad-ldap sign
  Sealing    -session-security-for-ad-ldap seal
  StartTLS   -use-start-tls-for-ad-ldap true
  LDAPS      -use-ldaps-for-ad-ldap true

  SVM LDAP settings            With channel binding enforced    Without channel binding enforced
                               (LdapEnforceChannelBinding = 2)  (value 0 or 1)
  ---------------------------  -------------------------------  --------------------------------
  Default settings, new SVM    succeeds                         succeeds
  Signing only                 succeeds                         succeeds
  Sealing only                 succeeds                         succeeds
  StartTLS only                fails                            succeeds
  LDAPS only                   fails                            succeeds
  Signing + StartTLS           fails                            succeeds
  Signing + LDAPS              fails                            succeeds
  Sealing + StartTLS           fails                            succeeds
  Sealing + LDAPS              fails                            succeeds

Channel binding applies only to binds over SSL/TLS, which is why the signing-only and sealing-only rows succeed either way.

 

Q: I am reading this document because of an Active IQ System Risk Detection.
  • For customers who have enabled AutoSupport™ on their storage systems the Active IQ Portal provides detailed System Risk reports at the customer and site and system levels. The reports show systems that have specific risks as well as severity levels and mitigation action plans. You may be reading this article as a result of one of those alerts. If unsecured LDAP configuration is detected on CIFS servers or LDAP client configurations on your system, read this article in its entirety for best practice recommendations on how to mitigate issues as a result of applying ADV190023.
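As an added example that is neither NetApp's nor Active IQ's code, the following PowerShell 7 script performs the same check the risk report describes, against the cluster's REST API: it lists every SVM whose CIFS server or LDAP client still binds unsecured (session security none and no StartTLS/LDAPS), which will fail once Require signing is enforced, and separately notes TLS-based SVMs, which satisfy the signing requirement but fail if LdapEnforceChannelBinding is set to 2 (the behaviour in the chart above). The cluster name is a placeholder, and the REST endpoints and field names (protocols/cifs/services, name-services/ldap, security.session_security, ldaps_enabled, and so on) are assumptions taken from the ONTAP REST API; check them against https://<cluster>/docs/api for your release.

```powershell
# Added example, not NetApp's code. Checks every SVM for the two ADV190023
# changes using the ONTAP REST API. Assumptions: PowerShell 7 (for
# -SkipCertificateCheck and -Authentication), ONTAP 9.6+ REST, and the
# endpoint/field names used below; verify them against https://<cluster>/docs/api.
param(
    [string]$Cluster = 'cluster1.example.com',                          # assumed cluster-mgmt hostname
    [pscredential]$Credential = (Get-Credential -Message 'ONTAP admin')
)

function Invoke-OntapGet {
    param([string]$Path)
    $r = Invoke-RestMethod -Uri "https://$Cluster/api/$Path" -Method Get `
        -Authentication Basic -Credential $Credential -SkipCertificateCheck
    return @($r.records)
}

function Get-LdapMode {
    # Maps an SVM's LDAP settings to the KB's decision:
    #   'tls'       StartTLS or LDAPS: Require signing satisfied, but breaks with LdapEnforceChannelBinding = 2
    #   'signed'    sign or seal over port 389: satisfies Require signing, unaffected by channel binding
    #   'unsecured' none: will fail when the DC enforces Require signing
    param([string]$SessionSecurity, [bool]$StartTls, [bool]$Ldaps)
    if ($StartTls -or $Ldaps) { return 'tls' }
    if ($SessionSecurity -in @('sign', 'seal')) { return 'signed' }
    return 'unsecured'
}

# CIFS server side: vserver cifs security (session-security-for-ad-ldap, use-start-tls-for-ad-ldap, use-ldaps-for-ad-ldap)
$rows = @(foreach ($c in Invoke-OntapGet 'protocols/cifs/services?fields=svm.name,security.session_security,security.use_start_tls,security.use_ldaps') {
    [pscustomobject]@{
        SVM   = $c.svm.name
        Scope = 'cifs security'
        Mode  = Get-LdapMode ([string]$c.security.session_security) ([bool]$c.security.use_start_tls) ([bool]$c.security.use_ldaps)
        Fix   = "vserver cifs security modify -vserver $($c.svm.name) -session-security-for-ad-ldap sign"
    }
})

# Name-service LDAP client side: vserver services name-service ldap client (session-security, use-start-tls, LDAPS)
$rows += @(foreach ($l in Invoke-OntapGet 'name-services/ldap?fields=svm.name,session_security,use_start_tls,ldaps_enabled') {
    [pscustomobject]@{
        SVM   = $l.svm.name
        Scope = 'ldap client'
        Mode  = Get-LdapMode ([string]$l.session_security) ([bool]$l.use_start_tls) ([bool]$l.ldaps_enabled)
        Fix   = "vserver services name-service ldap client modify -vserver $($l.svm.name) -client-config <name> -session-security sign"
    }
})

foreach ($row in $rows) {
    switch ($row.Mode) {
        'unsecured' { Write-Warning "$($row.SVM) [$($row.Scope)]: unsecured LDAP, will fail under Require signing. Fix: $($row.Fix)" }
        'tls'       { Write-Output  "$($row.SVM) [$($row.Scope)]: TLS in use, signing requirement satisfied; fails if LdapEnforceChannelBinding = 2 until 1136213 is implemented" }
        'signed'    { Write-Output  "$($row.SVM) [$($row.Scope)]: signing/sealing configured, compliant" }
    }
}
```

The suggested fix lines are the minimum change from this KB (signing); the `-client-config <name>` placeholder must be filled in with the SVM's LDAP client configuration name, which the name-services/ldap endpoint does not return.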