ADV190023 - Enable LDAPS in Windows DC and Citrix ADC

By Manuel Winkel posted 16 days ago

  

Important Info:
The scheduled update (ADV190023), regarding LDAP Signing and Channel Binding for new and existing domain controllers, scheduled for March 10, 2020, has been postponed to the second half of calendar year 2020. The March 2020 update will only provide additional auditing capabilities to identify and configure LDAP systems before they become inaccessible with the later update.


The later update results in no more connections to the domain controller, via unsigned / Clear Text LDAP on port 389.
Then it is only possible to use either LDAPS via port 636 or Signed LDAP (StartTLS) on port 389.


Affected Domain Controller Versions

  • Windows Server 2019
  • Windows Server 2016
  • Windows Server 2012 R2
  • Windows Server 2012
  • Windows Server 2008 R2 SP 1
  • Windows Server 2008 SP 2


Affected LDAP Clients

The topic concerns not only the Microsoft environment, but all systems that serve as LDAP client and send LDAP requests. The following is a small list of systems that occurred to me:

  • Citrix Gateway
  • Citrix AAA
  • Citrix LoadBalancer for LDAP
  • Citrix Endpoint Management
  • VPN (e.g. Sophos)
  • IGEL UMS Console
  • Ticket Systems (e.g. Remedy or Helpdesk)
  • ERP /CRM Systems (e.g. SAP)
  • Database Systems (e.g. Oracle)
  • Webserver (e.g. TomCat or Apache)
  • Security Components (Firewall or Proxy)
  • Backup / Storage Repository

Some manufacturers, e.g. IGEL, have already reacted and it is now possible to switch the connection to LDAPS via the GUI of the UMS console.

Igel UMS Console LDAPS


How can I check if unsigned LDAP is used?

The first step to determine if the environment is affected by the transition, is to scan the event logs on the Active Directory server for event IDs 2886, 2887 and 2888. After installing the March updates, the event IDs 3039, 3040 and 3041 still point to unsecured LDAP traffic. All event IDs can be found under Applications and Services Logs / Directory Service.

This is checked manually on all DCs or by the script entered below, which performs the manual steps for you.


LDAP signing events

Following are the event logs regarding LDAP signing.

  Description Trigger
2886 The security of these domain controllers can be significantly improved by configuring the server to enforce validation of LDAP signing. Triggered every 24 hours, on startup or start of service if the Group Policy is set to None. Minimum Logging Level: 0 or higher
2887 The security of these domain controllers can be improved by configuring them to reject simple LDAP bind requests and other bind requests that do not include LDAP signing. Triggered every 24 hours when Group Policy is set to None and at least one unprotected bind was completed. Minimum Logging Level: 0 or higher
2888 The security of these domain controllers can be improved by configuring them to reject simple LDAP bind requests and other bind requests that do not include LDAP signing. Triggered every 24 hours when Group Policy is set to Require Signing and at least one unprotected bind was rejected. Minimum Logging Level: 0 or higher
2889 The security of these domain controllers can be improved by configuring them to reject simple LDAP bind requests and other bind requests that do not include LDAP signing. Triggered when a client does not use signing for binds on sessions on port 389. Minimum Logging Level: 2 or higher


If event 2886 is present on a domain controller, this indicates that signed LDAP is not forced by the DCs and it is possible to perform a simple (Clear Text) LDAP binding over an unencrypted connection. The security option "Domain controller: LDAP server signing requirements" is then configured to "None".

Event ID 2886


The next checkpoint is event 2887, this event ID occurs every 24 hours and reports how many unsigned and clear text connections to the DC have occurred.

Event ID 2887


If the Active Directory servers are configured to reject unsigned or simple LDAP connections over a non-SSL/TLS connection, the Active Directory servers log these attempts and write a summary to the event log every 24 hours under event ID 2888.


Changes with March Update


Important:

The March 10, 2020 updates do not change the default policies for LDAP signing or LDAP channel binding on new or existing Active Directory domain controllers.

It only adds the following functions:

  • New events are logged in the Event Log in combination with the LDAP Channel Bindings.
  • A new GPO setting "Domain controller: LDAP server channel binding token requirements" to configure LDAP channel binding on supported devices. Possible settings are None, When Supported or Always. Event ID 3089 is only created if this setting is not set to None.


LDAP Channel Binding events

Following are the new events that will be released with the March update.

Event Description Trigger
3039 The following client performed an LDAP bind over SSL/TLS and failed the LDAP channel binding token validation. Triggered when a client attempts to bind without valid CBT. Minimum logging level: 2

Note Event can only be generated when Channel Binding is set to When Supported or Always
3040 During the previous 24 hour period, # of unprotected LDAPs binds were performed. Triggered every 24 hours when CBT Group Policy is set to Never and at least one unprotected bind was completed. Minimum logging level: 0
3041 The security of this directory server can be significantly improved by configuring the server to enforce validation of LDAP channel binding tokens. Triggered every 24 hours, on startup or start of service if the CBT Group Policy is set to Never. Minimum logging level: 0


Activation LDAP Event Diagnostic Logging

With the event IDs mentioned above we only get the information that we still receive Clear Text LDAP requests to the domain controller, but not who is sending them. To change this we can increase the log level on our domain controller to see who requested the Clear Text LDAP connection (Event ID 2889).


Enable LDAP Event Diagnostic Logging

Copy the bottom line into a REG file and execute it on the DC. No restart is required.

# Enable Simple LDAP Bind Logging
Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 2

16 LDAP Interface Events


Disable LDAP Event Diagnostic Logging

Copy the bottom line into a REG file and execute it on the DC to disable it again.

# Disable Simple LDAP Bind Logging.
Reg Add HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics /v "16 LDAP Interface Events" /t REG_DWORD /d 0

Note:
It may be necessary to replace the double quotation marks after copying and pasting.

After activation of the extended log level, an event with the ID 2889 is created for each access via Clear Text LDAP (under Applications and Services Logs / Directory Service). These events contain which IP addresses and which user accounts have established this connection.

Event ID 2889


PowerShell script for testing the DCs

To make it easier to check the environment, I have adapted the following PowerShell scripts by Arne Tiedemann to the Microsoft March Updates.

  • Connect to a domain controller
  • Go to this link and download the two scripts
    (Further instructions are stored in the README.md file)
  • Run the script ActiveDirectory-DCLDAPEvents.ps1 to search your domain controllers for event ID 2887 & 3040

ActiveDirectory-DCLDAPEvents.ps1

  • The script then create a CSV file (InsecureLDAPCount.csv) with the displayed information
InsecureLDAPCount


Only the event entries are counted and you will not get any further information from this file!

To get more information, like user account or IP address of the LDAP client, you have to execute the script ActiveDirectory-LDAPInterfaceEventLogging.ps1

  • Start the script on the domain controller


The script will detect if you have run one of the two available scripts in the last 15 minutes and would not search all DCs for the known events again.

LDAPBinds


It uses the created InsecureLDAPCount.csv file to identify the affected DCs and, based on the list, starts the increased log level for 30 minutes on the DCs. As a result, you will get a detailed list for each affected DC with the following information.

DomainController - LDAP Client IP-Address - Port - User - BindType



If the increased log level should not run for 30 minutes, the time can be adjusted with the following parameters.

.\ActiveDirectory-LDAPInterfaceEventLogging.ps1 -Runtime "Minutes"

Action plan for ADV190023

  1. Install the March Windows Updates
  2. Check environment automatically via script or with the following manual steps
    • Configure LDAP Event Diagnostic Logging to 2 or higher
    • Monitor the event log under Applications and Services Logs / Directory Service on all domain controllers
      • LDAP Signing failure event 2887
      • LDAP Channel Binding failure event 3040

        Note:
        Event 3039 can only be generated if Channel Binding is set to When Supported or Always.

  3. Identify the devices for each IP address named at Event 2887 (unsigned LDAP) or Event 3039 (no LDAP Channel Binding)
  4. Enable LDAPS on domain controller (Signed LDAP is always accepted and should not be set to Required in the phase)
  5. Enable LDAPS or Signed LDAP (StartTLS) on the mentioned devices

Security Policy Setting Require signing


Activation LDAPS & Signed LDAP (StartTLS) on DC

Short guide to enable LDAPS & Signed LDAP (StartTLS) on your domain controllers.


Method 1

The first method is the simplest:
The DC automatically accept LDAPS & Signed LDAP (StartTLS) if a Microsoft Enterprise Root CA is installed on a domain controller. If the Active Directory Certificate Services (AD CS) role is installed and the type of CA setup on the DC is specified as "Enterprise", all DCs in the overall structure are automatically configured to accept both.

Note:
Although it's generally a good thing to have a CA in the organization, placement on the DC is not a good idea overall.


Method 2

In most cases a certificate is used where the root CA is not located on a DC. So the second method is to simply put a certificate (Server Authentication enabled) on each DC.


Important
:
Remember that regardless of which CA is used to obtain this certificate, both the DCs and the systems running the LDAP client application must trust this certificate.


Note
:
For a Windows Server 2008 / R2 / 2012 DC, the certificate must be imported into the AD DS Personal Store (NTDS\Personal).
For older servers (older than 2003 R2) the certificate must be imported into the Computer Personal Store.
For Windows Server 2016 & 2019 both methods work.


Requirements

  • Installed & Activated CA


Publication of a compatible Certificate Template

We need a certificate template that supports Server Authentication and has an Exportable private key.

  • Connect to your server that has the AD CA role installed
  • Open the Certificate Console via Start > Run and the command certsrv.msc

certsrv.msc

  • Expand the display, by double clicking on the name of your CA
  • Now click with the right mouse button on Certificate Templates and then on Manage

Certificate Template Manage

  • In the Certificate Template Console, right-click on Web Server and select Duplicate Template

It is not necessary to use the Web Server template. You can create your own template or use one of the other existing templates that have server authentication as their purpose.

Certificate Template Web Server Duplicate Template

  • In the window that appear, the duplicated template is edited. Change the following under General
    • Change the Template display name
    • Change the Validity period and Renewal period to your security parameters

Duplicate Template General Template display name Validity period Renewal period

  • Under Request Handling click on Allow private key to be exported

Duplicate Template Request Handling Allow private key to be exported

  • Under Subject Name select DNS name and Service principal Name (SPN)

Duplicate Template Subject Name DNS name Service principal name (SPN)


Note
:
If the certificate template is to be used for wildcards, Supply in the request must be selected here

Supply in the request Certificate Template

  • Under Security click Add

Duplicate Template Security

  • In the following window click on Locations…

Select Users, Computers, Service Accounts or Groups

  • Select Computers and confirm with OK

Object Types Computers

  • Enter your DCs and confirm this with Check Names and OK

Select this object type from this location

  • Under Security click on your newly added DCs and extend the Allow permissions with Read, Write & Enroll


  • Under Extensions, check again that Server Authentication is also selected as the Application Policies. Confirm the entries with OK.

Duplicate Template Extensions Application Policies Server Authentication

  • Close the Certificate Template Console
  • Go back to the Certificate Console and right click in the details area of Certificate Templates
  • Click here on New and then on Certificate Template to be Issue

Certificate Console New Certificate Template to Issue

  • In the window Enable Certificate Templates select the newly created template (here Server Authentication) and click on OK

Certificate Console Enable Certificate Templates Server Authentication


Requesting a Server Authentication Certificate

For LDAPS we can use either a SAN certificate or a Wildcard certificate. Both types of certificates must be created with Server Authentication permission. Follow these instruction for either SAN certificate or Wildcard certificate.


Request SAN Certificate

  • Connect to the first DC
  • Open a console there via Start > Run with the command mmc

mmc

  • In the MMC console click on File and on Add/Remove Snap-in...

mmc Add/Remove Snap-in
  • In the following window select Certificates on the left side and click on Add
Add or Remove Snap-ins Certificates

  • In the Certificate Snap-in window, select Computer account and click Next
Certificates snap-in Computer account
  • Under Select Computer, select Local Computer and click Finish
  • Extend the console to the folder Certificates (Local Computer) > Personal > Certificates
  • Right-click on the folder and click on All Tasks and Request New Certificate

Certificates (Local Computer) Personal Certificates All Task Request New Certificate

  • Click the first two windows with Next through
  • In the window Request Certificates select your newly created certificate template (here Server Authentication)
  • Click on Enroll

Certificate Enrollment Request Certificates

  • If the creation was successful, this is displayed under Status. Confirm this with Finish

Certificate Enrollment Certificate Installation Results

  • Double-click the new certificate in the results area to open the Certificate Properties dialog box

Certificate Server Authentication

  • Click on the Details tab and select the Enhanced Key Usage option. Check that Server Authentication (1.3.6.1.5.5.7.3.1) has been added

Certificate Enhanced Key Usage



Perform these steps for each domain controller.

Request Wildcard Certificate

If a load balancer (e.g. Citrix ADC) is used in front of the domain controllers, not every DC has to receive its own certificate. Only the load balancer needs a certificate (e.g. Wildcard certificate), which is then imported and accepted on all DCs.

ldaps Load Balancer AD DC

  • Connect to the first DC
  • Open a console there via Start > Run with the command mmc

mmc

  • In the MMC console click on File and on Add/Remove Snap-in...

mmc Add/Remove Snap-in
  • In the following window select Certificates on the left side and click on Add
Add or Remove Snap-ins Certificates

  • In the Certificate Snap-in window, select Computer account and click Next

Certificates snap-in Computer account

  • Under Select Computer, select Local Computer and click Finish
  • Extend the console to the folder Certificates (Local Computer) > Personal > Certificates
  • Right-click on the folder and click on All Tasks and Request New Certificate

Certificates (Local Computer) Personal Certificates All Task Request New Certificate

  • Click the first two windows with Next through
  • In the window Request Certificates select your newly created certificate template (here Server Authentication)
  • Click on the warning notice More information is required to enroll for this certificate...

    Note:
    If you do not see this warning, the certificate template is not defined with Supply in the request under Subject Name in the template
Certificate Enrollment Request Certificates More information is required to enroll for this certificate. Click here to configure settings.

  • In the Certificate Properties window under the Subject tab enter the following
    • Type (Common name)
    • Value (Your domain for the Wildcard, e.g. *.deyda.local)
  • Click on Add

Certificate Properties Subject CN

  • In the tab General enter the display name of the certificate under Friendly name (e.g. *.deyda.local)

Certificate Properties General

  • Check in the tab Extensions that both Digital signature & Key encipherment is selected

Certificate Properties Extensions

  • Check in the Private Key tab that Make private key exportable is selected and confirm this with OK

Certificate Properties Prvate Key
  • When all requirements are filled out click on Enroll
Certificate Enrollment Request Certificate

  • If the creation was successful, this is displayed under Status. Confirm this with Finish

Certificate Enrollment Certificate Installation Results

  • Double-click the new certificate in the results area to open the Certificate Properties dialog box


  • Click on the Details tab and select the Enhanced Key Usage option. Check that Server Authentication (1.3.6.1.5.5.7.3.1) has been added


This only need to be done once for all DCs.

Export the LDAPS certificate

The following steps show how to export an LDAPS-enabled certificate from the local certificate store of a domain controller. The following steps apply to Wildcard and SAN certificates.

  • Connect to the first DC
  • Open a console there via Start > Run with the command mmc

mmc

  • In the MMC console click on File and on Add/Remove Snap-in...

mmc Add/Remove Snap-in
  • In the following window select Certificates on the left side and click on Add
Add or Remove Snap-ins Certificates

  • In the Certificate Snap-in window, select Computer account and click Next

Certificates snap-in Computer account

  • Under Select Computer, select Local Computer and click Finish
  • Extend the console to the folder Certificates (Local Computer) > Personal > Certificates
  • Click with the right mouse button on the previously created certificate (here DC01.deyda.net, you can recognize it by the column Certificate Template) and click on All Tasks and Export

Certificates All Tasks Export

  • Click Next on the Welcome Screen of the Certificate Export Wizard
  • In the Export Private Key window, select Yes, export private key and confirm with Next
    • If it is not possible to export the private key, then the wrong certificate template was selected or it was created incorrectly

Certificate Export Wizard Export Private Key

  • In the Export File Format window, Export all extended properties should be selected. Confirm this with Continue.
  • The other selection options are optional.

Certificate Export Wizard Export File Format

  • On the Security window, enter a Password to use for importing the certificate. Then click Next

Certificate Export Wizard Security Password

  • Select a path in the File to Export window via Browse and define a file name. Then click on Next

Certificate Export Wizard File to Export pfx

  • Confirm the settings by clicking on Finish

Certificate Export Wizard Completing

  • This is followed by a pop-up message indicating that The export was successful. Click OK.

Certificate Export Wizard The export was successful
Export File pfx


Import for use with AD DS

The certificate must now be imported into the certificate store of the Active Directory Domain Services (NTDS\Personal). This step must be performed for each domain controller that is to provide LDAPS. These certificates must be manually renewed when they expire. The following steps apply to Wildcard and SAN certificates.

Note:
The following steps must be performed on Windows Server 2008 / R2 / 2012 DCs.
For Windows Server 2016 & 2019 the following steps are optional.

  • Connect to the first DC
  • Open a console there via Start > Run with the command mmc
mmc

  • In the MMC console click on File and on Add/Remove Snap-in...

mmc Add/Remove Snap-in
  • In the following window select Certificates on the left side and click on Add
Add or Remove Snap-ins Certificates

  • In the Certificates snap-in window, select Service account and click Next

Certificates snap-in Service account

  • Under Select Computer, select Local Computer and click Next
  • Select Active Directory Domain Services and confirm with Finish

Service Account Active Directory Domain Services

  • Expand the console to the folder Certificates - Service (Active Directory Domain Services) > NTDS\Personal
  • Right click on the NTDS\Personal folder and click on All Tasks and Import

NTDS\Personal All Tasks Import

  • At the Certificate Import Wizard window click Next
  • Click the Browse button in the File to Import window and then browse to the previously exported certificate file
    • Ensure that Personal Information Exchange (pfx, .p12) is selected as the file type

Personal Information Exchange (pfx,.p12)
  • Confirm the selection with Next
File to Import Certificate Import Wizard

  • In the following Private key protection window, enter the Password for the certificate and click Next

Private key protection Certificate Import Wizard Password

  • On the Certificate Store page, make sure the Place all certificates in the following store option is selected and the certificate store is NTDS\Personal.
  • Confirm this with Next
Certificate Import Wizard Certificate Store Place all certificates in the following store NTDS\Personal

  • Confirm the settings with a click on Finish

Certificate Import Wizard Completing the Certificate Import Wizard

  • A message should then appear that The import was successful. Click on OK

Certificate Import Wizard The import was successful

  • Check the successful import. Expands the navigation area under NTDS\Personal > Certificates. Here you should see the imported certificate
Certificates - Service (Active Directory Domain Services) NTDS\Personal Certificates


Checking the connections

After installing a certificate, perform the following steps to verify that LDAPS and Signed LDAP (StartTLS) are working.

  • Connect to the first DC
  • Open a console there via Start > Run with the command mmc
  • Start the Active Directory Administration Tool (Ldp.exe)
ldp.exe Active Directory Administration Tool

  • Click on Connection and then on Connect

Connection Connect
  • Enter the name of the LDAPS server (e.g. Domain Controller or LDAP Load Balancer) you want to test
  • Change the port to 636 and check the box SSL to test LDAPS
  • Start the test with OK
Port 636 SSL Connect
  • Successful connection via LDAPS
Host supports SSL
  • Change the port to 389 and uncheck the SSL box to test signed LDAP (StartTLS)
  • Start the test with OK
Port 389 Connect
  • The LDAP connection is established
Connect ldap
  • Now click on Options > TLS > StartTLS to start Signed LDAP (StartTLS)
TLS StartTLS
  • Signed LDAP (StartTLS) could establish connection
ldap_start_tls

Check without certificate

For test cases you can delete the imported certificate from the DC again or connect against a DC without certificate. There you can try to establish the same connections.

NTDS\Personal Certificates
  • LDAPS connection (Port 636 SSL) not successful
Cannot open connection ldap_sslinit
  • LDAP connection (Port 389) still works
LDAP Connection ldap_open
  • But the switch to Signed LDAP (StartTLS) no longer works
Ldap_start_tls unavailable

Configure Citrix ADC

As mentioned above, the Citrix ADC with its DC connections may be affected by the upcoming change. Therefore here is a short instruction to change the required settings in the Citrix ADC.


Requirements

  • The domain controller has bound a certificate (Server Authentication) for LDAPS or Signed LDAP (StartTLS) (e.g. Wildcard Certificate)
  • If LDAPS is to be used, the affected firewalls must still be adapted (Port change from 389 to 636)


Authentication LDAPS Server

  • Connect to the Management IP of the affected system

Netscaler IP Management IP
  • Go in the navigantion panel to System > Authentication > Basic Policies > LDAP
System Authentication Basic Policies LDAP
  • Switch to the Servers tab
LDAP Servers
  • Open your existing LDAP server (here 10.0.0.4_LDAP)
LDAP Authentication Server
  • Change the Security Type to SSL, which directly change the Port to 636
LDAPS SSL Security Type Port 636
  • Now you can test this change directly with Test LDAP Reachability. This can be found under Connection Settings
Test LDAP Reachability
Server is reachable

Another advantage of switching to LDAPS is that the user can change his password independently.

  • Activate the item Allow Password Change under Other Settings
Allow Password Change

CLI Command

set authentication ldapAction <Authentication Server Name> -serverIP <Authentication Server IP> -serverPort 636 -secType SSL

Example:
set authentication ldapAction 10.0.0.4_LDAP -serverIP 10.0.0.4 -serverPort 636 -secType SSL


Authentication Signed LDAP (StartTLS) Server

  • Connect to the Management IP of the affected system
Netscaler IP Management IP
  • Go to System > Authentication > Basic Policies > LDAP in the Navigation Menu
System Authentication Basic Policies LDAP
  • Switch to the Servers tab
LDAP Servers
  • Open your existing LDAP server (here 10.0.0.4_LDAP)
LDAP Authentication Server

If the firewalls are not to be adjusted, Signed LDAP (StartTLS) can also be used in the Citrix ADC.

  • Change the Security Type to TLS, the Port remains at 389

  • Now you can test this change directly with Test LDAP Reachability. This can be found under Connection Settings
Test LDAP Reachability

CLI Command

set authentication ldapAction <Authentication Server Name> -serverIP <Authentication Server IP> -serverPort 389 -secType TLS

Example:
set authentication ldapAction 10.0.0.4_LDAP -serverIP 10.0.0.4 -serverPort 389 -secType TLS


Load Balanced LDAPS Server

TCP or SSL_TCP can be selected as Load Balancing Protocol for LDAPS. SSL_TCP is recommended for higher compatibility (e.g. with Linux appliances) (SSL termination is done on the Citrix ADC).

For existing LDAP load balancing, the following must be recreated for LDAPS:

  • Load Balancing Monitor
  • Load Balancing Service Groups
  • Load Balancing vServer
  • Connect to the Management IP of the affected system
Netscaler IP Management IP

Configuration LDAPS Monitor

  • Go to Traffic Management > Load Balancing > Monitors in the Navigation Menu
Traffic Management Monitors Load Balancing
  • Now click on Add, if you do not have an existing LDAPS monitor
Traffic Management Load Balancing Monitors LDAPS

  • Configure the new Monitor
    • Name (Name of the Monitor, e.g. LDAPS)
    • Type (Type of the Monitor, LDAP)
    • Password (The password of the Service Account stored under Bind DN)
    • Base DN (Domain names in LDAP format, e.g. dc=deyda, dc=local)
    • Bind DN (Service Account for communication with the AD, e.g. service_ldap@deyda.local)
    • Filter (Restriction of search results, cn=builtin)
    • Secure (Activate the Secure checkbox)
  • Confirm the entry with Create
Create Monitor Base Dn Bind DN Filter Type Secure
CLI Command
add lb monitor <Monitor Name> -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password <Password für Bind DN Benutzer> -secure YES -baseDN "<Base DN Pfad>" -bindDN "<Service Account für Connect>" -filter cn=builtin

Example:
add lb monitor LDAPS -scriptName nsldap.pl -dispatcherIP 127.0.0.1 -dispatcherPort 3013 -password Password1 -secure YES -baseDN "dc=deyda,dc=local" -bindDN "service_ldap@deyda.local" -filter cn=builtin


Configuration of the LDAPS Service Group

  • Go to Traffic Management > Load Balancing > Service Groups in the Navigation Menu
Traffice Management Load Balancing Service Groups
  • Now click on Add to create a new Service Group for LDAPS
Traffic Management Service Groups Load Balancing
  • Configure the new Service Group for LDAPS
    • Name (Name of the Service Group, e.g. LDAPS-svc_group)
    • Protocol (Protocol, SSL_TCP)
  • Confirm the entry with OK
Load Balancing Service Group Basic Settings
  • Click on No Service Group Member in the following window to include the existing DCs for LDAPS
Load Balancing Service Group Basic Settings No Service Group Member
  • Change the server methode to Server Based and click on Click to select if existing servers are to be included. If new servers are to be included, click Add
Create Service Group Member Server Based Click to select
  • Select the DCs that are configured for LDAPS and add them via Select
Servers Select
  • Configure the required port (636) and confirm the entry with Create
Create Service Group Member Port 636
  • In the following Load Balancing Service Group window, select Monitors on the right side
Load Balancing Service Group Advanced Settings Monitors
  • Now click on No Service Group to Monitor Binding to bind the previously created LDAPS Monitor
Monitors No Service Group to Monitor Binding
  • Now select the Monitor (here LDAPS) and confirm this with Select
Monitors LDAPS Select Load Balancing Monitor Binding
  • Confirm the integration of the Monitor by clicking on Bind
Load Balancing Monitor Binding Bind
  • Confirm the entries with Done. The Effective State must be displayed as Up
Service Groups LDAPS
CLI Command
add serviceGroup <Service Group Name> SSL_TCP
bind serviceGroup <Service Group Name> <Server Name> 636
bind serviceGroup <Service Group Name> <Server Name> 636
bind serviceGroup <Service Group Name> -monitorName <Monitor Name>

Example:
add serviceGroup LDAPS-svc_group SSL_TCP
bind serviceGroup LDAPS-svc_group 10.0.0.4 636
bind serviceGroup LDAPS-svc_group 10.0.0.5 636
bind serviceGroup LDAPS-svc_group -monitorName LDAPS


Configuration of the LDAPS virtual Server

  • Go to Traffic Management > Load Balancing > Virtual Servers in the Navigation Menu
Traffic Management Virtual Servers
  • Now click on Add to create a new Virtual Server for LDAPS
Traffic Management Load Balancing Virtual Servers
  • Configure the new Virtual Server for LDAPS
    • Name (Name of the Virtual Servers, e.g. LDAPS-LB)
    • Protocol (Protocol, SSL_TCP)
    • IP Address Type (IP Address)
    • IP Address (IP Address of the Virtual Server, e.g. 10.0.0.200)
    • Port (LDAPS Port, 636)
  • Confirm the entries with OK
Load Balancing Virtual Server Basic Settings IP Address Type Protocol Port
  • Click No Load Balancing Virtual Server ServiceGroup Binding in the following window to bind the newly created Service Group
Load Balancing Virtual Server Basic Settings Continue
  • Click on Click to select to get to the selection list of Service Groups
ServiceGroup Binding
  • Select the previously configured Service Group (LDAPS-svc_group) and add it via Select
  • Click Continue after binding
ServiceGroup Binding Service Groups
  • Click under Certificate on No Server Certificate
Certificate No Server Certificate
  • Now select a suitable certificate for this load balancer. Select a Wildcard certificate of the local domain (Wildcard-deyda-local) and confirm with Select
Traffic Management SSL SSL Certificate Server Certificates
  • Now click on Continue and then on Done

CLI Command
add lb vserver <Load Balancing Name> SSL_TCP <Load Balancing IP Adresse> 636 -persistenceType NONE -cltTimeout 9000 bind lb vserver <Load Balancing Name> <Service Group Name>

Example:
add lb vserver LDAPS-LB SSL_TCP 10.0.0.200 636 -persistenceType NONE -cltTimeout 9000 bind lb vserver LDAPS-LB LDAPS-svc_group


Configuration of the LDAPS Authentication Server

  • Go to System > Authentication > Basic Policies > LDAP in the Navigation Menu
System Authentication Basic Policies LDAP
  • Switch to the Servers tab
LDAP Servers
  • Open the existing LDAP server (here 10.0.0.4_LDAP) or create a new one
LDAP Authentication Server
  • Change the following settings of the existing Authentication Server
    • IP Address (IP Address of the LB Virtual Server, 10.0.0.200)
    • Security Type (Type of the connection, SSL)
    • Port (Port of the connection, 636)

      The port is automatically changed when SSL is selected under Security Type.
Authentication LDAP Server Configure
  • Now you can test this change directly with Test LDAP Reachability. This can be found under Connection Settings
Test LDAP Reachability
Server is reachable port 636/tcp

Another advantage of switching to LDAPS is that the user can change his password independently.

  • Activate the item Allow Password Change under Other Settings
Allow Password Change
CLI Command
set authentication ldapAction <Authentication Server Name> -serverIP <Load Balancing IP Adresse> -serverPort 636 -secType SSL

Example:
set authentication ldapAction 10.0.0.4_LDAP -serverIP 10.0.0.200 -serverPort 636 -secType SSL


Load Balanced Signed LDAP (StartTLS)

If the firewalls should not be changed, Signed LDAP (StartTLS) should be used in the Citrix ADC. Nothing need to be adjusted in the load balancing chain for this, because port 389 is still used.

  • Connect to the Management IP of the affected system
Netscaler IP Management IP
  • Go to System > Authentication > Basic Policies > LDAP in the Nagivation Menu
System Authentication Basic Policies LDAP
  • Switch to the Servers tab
LDAP Servers
  • Open the existing LDAP server (here 10.0.0.4_LDAP) or create a new one
LDAP Authentication Server
  • Change the Security Type to TLS, the port remain at 389
Autentication Server TLS
  • Now you can test this change directly with Test LDAP Reachability. This can be found under Connection Settings
Test LDAP Reachability
Server is reachable port 389/tcp

CLI Command

set authentication ldapAction <Authentication Server Name> -serverIP <Load Balancing IP Adresse> -serverPort 389 -secType TLS

Example:
set authentication ldapAction 10.0.0.4_LDAP -serverIP 10.0.0.200 -serverPort 389 -secType TLS

You can visit me on my website: https://www.deyda.net or follow me on twitter: Manuel Winkel.



#CitrixADC
#NetScaler_Gateway
#Citrix_Gateway

Comments

13 days ago

There is no update in the 2nd half of 2020 to make this a requirement.  MS has backed off the requirement and it is simply now "recommended".  You may want to update the beginning of your article to not cause a panic.



Important: The March 10, 2020 updates, and updates in the foreseeable future, will not change LDAP signing or LDAP channel binding default policies or their registry equivalent on new or existing Active Directory domain controllers.

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirements-for-windows