How can SolidFire/HCI be impacted by Microsoft Security Advisory ADV190023?
Applies to
- SolidFire/HCI storage clusters
- Authentication with LDAP on the cluster GUI
- Microsoft Domain Controllers
Answer
Customers will no longer be able to log in with their domain user account if LDAPS is not in use on the cluster GUI. Ensure LDAPS is enabled on each cluster that connects to the related Microsoft Domain Controllers for authentication.
To verify:
- Open the cluster GUI in the browser: https://<MVIP>:443
- Go to Cluster > LDAP
- Go to LDAP servers
- Ensure the Use LDAPS Protocol box is checked
- Press Save Changes if required (the Search Bind Password will need to be entered under General Settings)
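The GUI check above can also be scripted against the cluster's API. The following is an added example and not NetApp's code: it audits the serverURIs list as returned by the Element API GetLdapConfiguration method (the response embedded below is a constructed sample, not captured from a cluster), flags every server that is not configured with an ldaps:// URI, and provides a separate live helper, ldaps_handshake_ok, that confirms a Domain Controller actually completes a TLS handshake on the LDAPS port.

```python
import json
import socket
import ssl
from urllib.parse import urlsplit

# Constructed sample in the shape of an Element API GetLdapConfiguration
# response (assumption: field names as documented for that method).
SAMPLE_RESPONSE = json.dumps({
    "result": {
        "ldapConfiguration": {
            "enabled": True,
            "authType": "SearchAndBind",
            "serverURIs": [
                "ldap://dc1.example.local",       # plain LDAP: logins break once the DC enforces signing
                "ldaps://dc2.example.local:636",  # LDAPS: unaffected by ADV190023 hardening
            ],
        }
    }
})


def audit_ldap_server_uris(raw_json: str) -> list:
    """Return one finding per configured LDAP server; 'ok' is False for non-LDAPS URIs."""
    cfg = json.loads(raw_json)["result"]["ldapConfiguration"]
    findings = []
    for uri in cfg.get("serverURIs", []):
        parts = urlsplit(uri)
        scheme = parts.scheme.lower()
        is_ldaps = scheme == "ldaps"
        findings.append({
            "uri": uri,
            "host": parts.hostname or parts.path,  # bare hostnames have no netloc
            "port": parts.port or (636 if is_ldaps else 389),
            "ok": is_ldaps,
            "reason": "uses LDAPS" if is_ldaps
                      else "plain LDAP bind is rejected by DCs that require LDAP signing",
        })
    return findings


def cluster_uses_ldaps_only(raw_json: str) -> bool:
    """True only when LDAP auth is enabled and every configured server is LDAPS."""
    cfg = json.loads(raw_json)["result"]["ldapConfiguration"]
    findings = audit_ldap_server_uris(raw_json)
    return bool(cfg.get("enabled")) and bool(findings) and all(f["ok"] for f in findings)


def ldaps_handshake_ok(host: str, port: int = 636, timeout: float = 5.0) -> bool:
    """Live check (needs network access): does the DC complete a TLS handshake on the LDAPS port?"""
    ctx = ssl.create_default_context()  # verifies the DC certificate against the local trust store
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return tls.version() is not None
    except (OSError, ssl.SSLError):
        return False
```

Run audit_ldap_server_uris on the JSON returned by GetLdapConfiguration for each cluster; any finding with "ok": False is a cluster where domain logins will stop working once the Domain Controllers enforce the advisory's settings.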
Additional Information
Microsoft has published ADV190023, which addresses a security vulnerability in LDAP. As a workaround, Microsoft recommends enabling LDAP channel binding and LDAP signing on the domain controllers.
- Microsoft Security Advisory: https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023
- Microsoft workaround on the domain controllers: https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows