- ONTAP 9
- Clustered Data ONTAP 8
WARNING: Regarding LdapEnforceChannelBinding, do not set the enforce DWORD value 2 until support for 1136213 has been implemented.
What impact will ADV190023 have on ONTAP?
These are the 2 expected changes:
- Change 1: Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL/TLS more secure
- Change 2: ‘Domain controller: LDAP server signing requirements’ set to ‘Require Signing’
Change 1: Use the LdapEnforceChannelBinding registry entry to make LDAP authentication over SSL/TLS more secure
- This option affects LDAP over TLS or LDAPS connections. The proposed Windows update for this setting should have no impact on ONTAP authentication.
- For more information, see LDAP over TLS concepts and Does ONTAP support port 636 for LDAPS (LDAP over SSL).
- Currently ONTAP does not support LDAP Channel Binding; this feature is being tracked here:
What will change?
- LDAP Channel Binding (LdapEnforceChannelBinding) = 1 (after update), located at:
  - AD: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NTDS\Parameters
  - AD LDS: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<LDS instance name>\Parameters
- DWORD value 0: disabled. No channel binding validation is performed. This is the behavior of all servers that have not been updated.
- DWORD value 1: enabled, when supported. All clients running a version of Windows that has been updated to support channel binding tokens (CBT) must provide channel binding information to the server. Clients running a version of Windows that has not been updated to support CBT do not have to do so. This is an intermediate option that allows for application compatibility.
- DWORD value 2: enabled, always. All clients must provide channel binding information. The server rejects authentication requests from clients that do not do so.
If the default setting of value 1 (enabled) is used, ONTAP will continue to communicate with Domain Controllers without impact.
After the March 10, 2020 Microsoft update, the "Domain controller: LDAP server channel binding token requirements" group policy should be present.
Note: Manually setting DWORD value 2 (enabled, always) will prevent ONTAP from communicating with Domain Controllers over LDAP when LDAPS or TLS is enabled.
For ONTAP compatibility, do not set the enforce DWORD value 2 until support for 1136213 has been implemented.
- For more information on where to set this value in the Windows registry, go here.
- If enforcement is set, issues like the one described in the KB below can occur:
Change 2: ‘Domain controller: LDAP server signing requirements’ set to ‘Require Signing’
- This option will impact any existing or new CIFS server deployment or LDAP client configuration that uses Active Directory domain controllers.
What will change?
- LDAP Server Integrity (signing) = enabled by default (after update)
- For more information, and an example of enabling it via GPO, read this Microsoft article: How to enable LDAP signing in Windows Server 2008
LDAP server signing requirements
This security setting determines whether the LDAP server requires signing to be negotiated with LDAP clients, as follows:
None: Data signing is not required in order to bind with the server. If the client requests data signing, the server supports it.
Require signature: Unless TLS\SSL is being used, the LDAP data signing option must be negotiated.
LDAP Signing Group Policy - Change requires No Downtime
After installing ADV190023 both settings (even None and Not Defined) will enforce Require Signature.
Only setting the registry value to 0 (OFF) will disable enforcement of Require Signature.
Note (Microsoft does not recommend this): a registry value of "0" means "OFF"; with that value the update will not change the setting and will not enforce Require Signing.
DC: HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Parameters --> LDAPServerIntegrity = 0
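The following PowerShell is added here as an example; it is not part of the NetApp KB or any Microsoft tooling. It reads the two domain-controller registry values discussed above (LdapEnforceChannelBinding for change 1, LDAPServerIntegrity for change 2) and reports what each means for ONTAP, so the DC side can be checked before and after the update. The function name and output field names are the example's own, and it assumes it runs on the DC (or inside Invoke-Command) with read access to HKLM.

```powershell
# Added example (not from the NetApp KB): audit the two DC registry values that
# ADV190023 changes and report what each means for ONTAP LDAP clients.
# Assumes: runs on the domain controller with read access to HKLM.
$NtdsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

function Get-LdapHardeningState {
    param([string]$Path = $NtdsParams)

    # Throws if the NTDS Parameters key is missing (i.e. not a DC).
    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    $cb    = $props.LdapEnforceChannelBinding   # $null when the value is absent
    $sig   = $props.LDAPServerIntegrity          # $null when the value is absent

    # Meanings follow the KB: 0 = disabled, 1 = enabled when supported, 2 = enabled always.
    $cbMeaning = if ($null -eq $cb) { 'value not present: the KB expects 1 after the update' }
                 elseif ($cb -eq 0) { 'disabled: no channel binding validation (pre-update behaviour)' }
                 elseif ($cb -eq 1) { 'enabled when supported: ONTAP keeps working (expected post-update default)' }
                 elseif ($cb -eq 2) { 'enabled always: ONTAP LDAPS/StartTLS binds fail until 1136213 is implemented' }
                 else               { "unexpected value $cb" }

    # Per the KB, only 0 (OFF) disables enforcement once ADV190023 is installed;
    # None / Not Defined are enforced as Require Signature after the update.
    $sigMeaning = if ($sig -eq 0) {
        'OFF: the update will not enforce Require Signing (not recommended by Microsoft)'
    } else {
        'Require Signature will be enforced: set ONTAP -session-security to sign or seal'
    }

    [pscustomobject]@{
        Computer                  = $env:COMPUTERNAME
        LdapEnforceChannelBinding = $cb
        ChannelBindingMeaning     = $cbMeaning
        BreaksOntapLdapOverTls    = ($cb -eq 2)
        LDAPServerIntegrity       = $sig
        SigningMeaning            = $sigMeaning
    }
}

Get-LdapHardeningState | Format-List
```

Run it on every domain controller the SVMs discover; any DC reporting BreaksOntapLdapOverTls as True is the one that will reject ONTAP's LDAPS or StartTLS binds.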
How to set ONTAP to use LDAP Signing or Sealing for change 2
- See the following KB for setting up LDAP Signing or Sealing: How to set ONTAP to use LDAP Signing or Sealing for CIFS/NFS
Frequently Asked Questions
Q: I had an issue with the steps documented in this article. What do I do?
- Much of the information in this article about where to make these changes is not NetApp-specific. It was taken from the Microsoft links below at the time of publishing, and what is printed in this KB may have changed since. Review these links for the accuracy of the steps outlined from a non-NetApp perspective:
Q: LDAP Channel Binding value is supposed to be set to the default value of 1 after patch, do we have to make any changes in ONTAP?
- As long as the value is kept at 1 and not set to 2, then LDAP channel tokens will not be required and ONTAP will continue to communicate with LDAP.
- Once 1136213 is implemented, then ONTAP can officially support LDAP channel binding tokens.
Q: LDAP Server Integrity (signing) will be set to enabled after patch, do we have to make any changes in ONTAP?
- Yes. Set the CIFS server and/or LDAP client to use LDAP sign or seal. The information above has sample workflows on how to set these options and how to verify them. They can be done non-disruptively and should be set prior to applying the Microsoft changes. If you are currently using LDAP StartTLS or LDAPS, no changes need to be made to your vserver configuration.
Q: I am already using LDAP StartTLS in my vservers, do we have to make any changes in ONTAP in regard to LDAP Server Integrity (signing)?
- No. That requirement applies only to non-TLS/SSL connections.
Q: I am already using LDAPS in my vservers, do we have to make any changes in ONTAP in regard to LDAP Server Integrity (signing)?
- No. That requirement applies only to non-TLS/SSL connections. LDAPS (LDAP over SSL) support was first introduced in the ONTAP 9.5 releases.
Q: I am on an unsupported version of ONTAP. What options do I have?
- Review this documentation: Data ONTAP 8 does not support LDAP signing, and work with Microsoft to remove the security settings in order to enable legacy clients.
- It is also important to consider upgrading to a supported ONTAP version.
Q: I am on 7-Mode ONTAP, do I need to make any changes?
- This article applies only to ONTAP (Clustered Data ONTAP). However, regarding the 2 changes ADV190023 will make, in terms of 7-Mode:
- Change 1: For LDAP Channel Binding support, there are no plans to implement this feature for 7-Mode. (If the default setting of value 1 (enabled) is used, 7-Mode ONTAP will also continue to communicate with Domain Controllers without impact.)
- Change 2: LDAP signing is automatically enabled and no changes are required on 7-Mode for LDAP Server Integrity (signing) settings.
Q: After the Microsoft update, we want to revert LDAP Server Integrity (signing) to disabled. How do we do that?
- The information above documents a method via registry to disable LDAPServerIntegrity. This information was taken directly from this Microsoft article: LDAP Channel Binding and LDAP Signing Requirements- March 2020 update final release
Q: What ONTAP commands will be impacted?
- Commands like the following use LDAP and will see impact as a result of this update: (not an exhaustive list)
::> vserver cifs create|delete|modify
::> vserver services name-service ldap create
::> vserver services access-check authentication show-creds
::> vserver active-directory create|delete|modify
::> vserver cifs group-policy update
::> secd authentication get-dc-info
::> vserver cifs domain discovered-servers reset-servers
::> secd connections test
Q: Microsoft states to set clients to LDAP signing required... what is the equivalent value in ONTAP? Do any Windows clients need to be changed to still work with ONTAP?
- The settings and commands from the KB above are how you set these values in ONTAP.
Q: Can I make the LDAP sign or seal changes now and not impact CIFS operations?
- Set ONTAP LDAP client session security to either "sign" or "seal" using the following commands:
::> vserver services name-service ldap client modify -session-security
::> vserver cifs security modify -session-security-for-ad-ldap
- Setting this option is expected to be a non-disruptive operation.
- Existing cifs\nfs connections will not be impacted by this change. Connected sessions are cached and do not require LDAP once established.
- On the next LDAP bind, ONTAP will use either signing or sealing. Setting this option is expected to be non-disruptive to LDAP operations.
- These can be set well in advance of the LDAP changes for require signing.
- However, as with any potential global security change in your LDAP environment, proper testing and validation is recommended as customer environments may vary.
Q: Where can I get more information on this, or another source I can read to help me understand the implications better?
- Our NetApp TME team has published a blog post on this, you can read that here: Microsoft, ONTAP, and the LDAP Channel Binding Apocalypse
- Subscribe to that post to get updates on the topic.
Q: What is the minimum change I need to do in ONTAP to prepare for ADV190023 and still be compliant?
- If the expected defaults are deployed after the patch, set ONTAP LDAP client session security to "sign" using one of the following commands, depending on whether you are setting this for a CIFS server or an LDAP client:
::> vserver services name-service ldap client modify -session-security sign
::> vserver cifs security modify -session-security-for-ad-ldap sign
- The minimum requirement is signing. Sealing, LDAPS and StartTLS all exceed the minimum requirement and may require additional configuration steps (e.g. self-signed CA certificates).
Q: The -session-security output for my vserver is showing ‘ – ‘ or it is blank, what does that mean?
- A dash or blank defaults to the value none. In some instances, vservers that have existed since before ONTAP 9, when those options did not exist yet, may show these values after an upgrade. Follow the recommendations in this KB to be compliant with the patch.
Q: When LDAP sealing is used, LDAP auditing is reporting Event ID 2889 for my SVMs.
- This is a false positive. ONTAP is conforming to LDAP signing and sealing.
- session-security-for-ad-ldap seal results in ONTAP being flagged with eventID 2889 LDAP audit
- 1300585 Event ID 2889 generated on Windows Domain Controller when LDAP sealing is used
- Microsoft's explanation of this logging anomaly
Q: What is NetApp’s recommendation for LDAP signing and sealing going forward?
- Recommendation is to utilize LDAP signing.
Q: I read all the links in this KB and I am still confused about the differences between LDAPS, signing and sealing, and StartTLS.
Read over some of the links below to help explain the differences:
LDAP signing and sealing (over port 389) ONTAP 9.0+
Signing confirms the integrity of the LDAP payload data using secret key technology. Sealing encrypts the LDAP payload data to avoid transmitting sensitive information in clear text. An LDAP Security Level option indicates whether the LDAP traffic needs to be signed, signed and sealed, or neither. The default is none. (more info: LDAP signing and sealing concepts and NFS Guide)
Requires self-signed root CA certificates
- Please contact NetApp Technical Support for how to confirm this.
Q: Is there a chart that helps explains all the options and expected behavior prior to support of LDAP Channel Binding?
- Yes, please refer to chart below on expected behavior for LDAP operations:
| LDAP settings (corresponding cifs security option) | With channel binding enforced | Without channel binding enforced |
|---|---|---|
| default settings, new SVM | succeeds | succeeds |
| Signing + StartTLS | fails | succeeds |
| Signing + LDAPS | fails | succeeds |
| Sealing + StartTLS | fails | succeeds |
| Sealing + LDAPS | fails | succeeds |
Q: I am reading this document because of an Active IQ System Risk Detection.
- For customers who have enabled AutoSupport™ on their storage systems, the Active IQ Portal provides detailed System Risk reports at the customer, site and system levels. The reports show systems that have specific risks, as well as severity levels and mitigation action plans. You may be reading this article as a result of one of those alerts. If an unsecured LDAP configuration is detected on CIFS servers or LDAP client configurations on your system, read this article in its entirety for best-practice recommendations on how to mitigate issues resulting from applying ADV190023.