Question

Securing LDAP Connections to Domain Controllers for Laserfiche System

asked on February 5, 2020

I am working with a client that is currently working on their systems that won't be able to communicate with their Domain Controllers anymore after Microsoft releases the patch(es) that require secure channel LDAP binding and signing. The information on these patches can be found at the link below.

https://support.microsoft.com/en-us/help/4520412/2020-ldap-channel-binding-and-ldap-signing-requirement-for-windows

The client is seeing messages showing that their Repository server and their 3 web servers aren't using secure LDAP to communicate with the Domain Controllers. The messages within the Windows Directory Services event logs say that "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind without requesting signing (integrity verification), or performed a simple bind over a clear text (non-SSL/TLS-encrypted) LDAP connection."

I can see the option to set up the repository to connect to LDAP within the administration console under LDAP Management, but I don't think this would do anything for this client. The client uses accounts under Windows Accounts which are all licensed from the Directory Server. Both of those services reach out to validate to the Domain Controllers, as well as their Forms servers.

Is there a way to get all of the connections from the various applications that users would authenticate with Windows credentials to use SSL/TLS for the LDAP requests they make to the Domain Controllers?

Thanks,

Cody

0 0
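The event text quoted in the question is the domain controller's bind-audit event (Event ID 2889 in the Directory Service log, an assumption not stated in the post). Before turning on the new LDAP signing and channel binding defaults, it helps to group those events by source host so each application server that still binds insecurely can be reconfigured for LDAPS. The script below is an added example, not code from the original post or from Laserfiche; the event messages, IP addresses and account names are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample messages in the format of the domain controller's Directory
# Service event (assumed to be Event ID 2889; the IPs and account names are invented).
SAMPLE_EVENTS = [
    "The following client performed a SASL (Negotiate/Kerberos/NTLM/Digest) LDAP bind "
    "without requesting signing (integrity verification), or performed a simple bind "
    "over a clear text (non-SSL/TLS-encrypted) LDAP connection.\n\n"
    "Client IP address:\n10.20.0.15:51234\n"
    "Identity the client attempted to authenticate as:\nCORP\\svc_laserfiche\n"
    "Binding Type:\n0",
    "The following client performed a SASL ... LDAP connection.\n\n"
    "Client IP address:\n10.20.0.15:51240\n"
    "Identity the client attempted to authenticate as:\nCORP\\svc_laserfiche\n"
    "Binding Type:\n0",
    "The following client performed a SASL ... LDAP connection.\n\n"
    "Client IP address:\n10.20.0.21:60011\n"
    "Identity the client attempted to authenticate as:\nCORP\\svc_forms\n"
    "Binding Type:\n1",
]

# Binding Type values as logged by the DC: 0 = SASL bind without signing,
# 1 = simple bind over a cleartext (non-TLS) connection.
BIND_TYPE = {"0": "SASL bind without signing", "1": "simple bind over cleartext LDAP"}


def parse_event(message):
    """Extract the client address, identity and binding type from one event message."""
    addr = re.search(r"Client IP address:\s*(\S+)", message)
    ident = re.search(r"authenticate as:\s*(\S+)", message)
    btype = re.search(r"Binding Type:\s*(\d)", message)
    if not (addr and ident and btype):
        return None  # not a bind-audit event; skip it
    host, _, _port = addr.group(1).rpartition(":")  # drop the ephemeral source port
    return {"host": host, "identity": ident.group(1),
            "bind_type": BIND_TYPE.get(btype.group(1), "unknown")}


def summarize(messages):
    """Group insecure binds per source host so each application server can be fixed."""
    by_host = defaultdict(Counter)
    for event in (parse_event(m) for m in messages):
        if event:
            by_host[event["host"]][(event["identity"], event["bind_type"])] += 1
    return by_host


if __name__ == "__main__":
    for host, binds in summarize(SAMPLE_EVENTS).items():
        for (identity, kind), count in binds.items():
            print(f"{host}: {count}x {kind} as {identity}")
```

Feed it the message bodies of the real events (for example from an Event Viewer export) and the hosts it lists are the repository, Forms and Directory Server machines whose LDAP settings still need the SSL option enabled.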

Answer

APPROVED ANSWER
replied on June 5, 2020

KB 1014157 was published: no issues were discovered in our testing and Laserfiche is compatible with the new default security settings.

In addition to the LFDS documentation I linked above, there is a note in the KB about what error will occur in Forms if SSL is incorrectly configured.

1 0

Replies

replied on February 5, 2020

Hi Cody,

We're investigating and we will update when we have an answer.

Thank you for the clear post and error information, and my apologies that we don't have an answer for you at this time.

1 0
replied on February 5, 2020

@████████

For Directory Server, have you enabled the "SSL" option under the identity provider settings?

That should force it to use LDAPS (encrypted LDAP) instead of unencrypted, as long as a certificate has correctly been configured on the domain controller to support LDAPS.

0 0
replied on February 6, 2020

Hi Briana,

I don't believe it's been set quite yet, no. Would this cause all of the other applications to also use that though, such as Forms and Laserfiche server? I'll get that set for the Directory Server regardless since that's a big part of those connections.

Thanks!

Cody

0 0
replied on February 6, 2020

No, it would not affect other applications' communication with the domain controller.

If you have LDAP profiles for the Laserfiche server, there is an SSL option:

If you are using Directory Server for Forms authentication, I don't think Forms needs to have LDAP settings configured.

If you are using repository authentication for Forms and have LDAP Forms Authenticated Participants, you can set LDAP to use SSL from the "System Security" page under Forms Administration:

I'm not sure what other settings you may need to adjust, but I'd start there.

0 0
replied on February 25, 2020

What about if the client is not using an LDAP profile, but is using Windows Accounts? Does that use the LDAP protocol and would it be affected by this?

0 0
replied on February 25, 2020

It would potentially be; we are looking into it.

Note that Microsoft's timeline for the major changes has changed to "mid 2020".

0 0
replied on March 16, 2020

Are there any updates to this? Is Laserfiche still looking into it?

2 0
replied on May 8, 2020

Any updates on this?

0 0
replied on May 13, 2020

We have a KB in progress. I believe there were no blocker issues discovered in any Laserfiche product and the KB detailing the results should be available soon.

As such, if you are experiencing issues with the restrictive settings enabled, it is likely an issue with configuration (e.g., missing a step in SSL configuration) rather than any incompatibility with the LDAP requirements changes.

LFDS documentation has a new section based on that testing for error messages that imply specific configuration issues:

https://www.laserfiche.com/support/webhelp/Laserfiche/10/en-us/administration/Default.htm#../Subsystems/LFDS/Content/LDAPSecurityErrorMessages.htm

0 0