Microsoft update to enforce LDAP Signing and LDAP Channel Binding

Description

As of January 2020 Microsoft has released an update that will enforce both LDAP Signing and LDAP Channel Binding on all supported Windows versions. Below are some considerations for the CMS systems that Episerver currently supports.

Steps

Episerver:

The only built-in component in the Episerver CMS that communicates with Active Directory using LDAP is ActiveDirectoryRoleProvider, so only sites that use that provider might be affected.
The ActiveDirectoryRoleProvider is built upon the types in System.DirectoryServices (part of .NET Framework). The Episerver implementation exposes configuration for the underlying system types, for example 'connectionProtection', which is an enum like the one documented at https://docs.microsoft.com/en-us/dotnet/api/system.directoryservices.authenticationtypes?view=netframework-4.6.1
As long as the types used from System.DirectoryServices in .NET Framework support the new requirements, so should Episerver.
An example of how to configure the provider can be found in the blog post below:
https://josefottosson.se/how-to-configure-episerver-to-use-active-directory/
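
To see which System.DirectoryServices bind modes a domain controller still accepts from the CMS server, a small console check can try each AuthenticationTypes combination in turn. This is an added example, not Episerver code; the class name, the LDAP path and the account in the usage comment are placeholders.

```csharp
using System;
using System.DirectoryServices;
using System.Runtime.InteropServices;
using System.Text;

static class LdapBindCheck
{
    // usage: LdapBindCheck.exe LDAP://dc01.example.local/DC=example,DC=local EXAMPLE\svc-cms
    // (placeholder values; use your own domain controller and the provider's service account)
    static void Main(string[] args)
    {
        if (args.Length != 2) { Console.Error.WriteLine("usage: LdapBindCheck <LDAP path> <user>"); return; }
        string pw = ReadPassword();

        // None = simple bind; on a non-TLS connection a DC that requires signing rejects it.
        TryBind(args[0], args[1], pw, "None (simple bind)", AuthenticationTypes.None);
        TryBind(args[0], args[1], pw, "Secure", AuthenticationTypes.Secure);
        // Signing and Sealing are only valid together with Secure.
        TryBind(args[0], args[1], pw, "Secure | Signing | Sealing",
            AuthenticationTypes.Secure | AuthenticationTypes.Signing | AuthenticationTypes.Sealing);
        // Needs a server certificate on the domain controller.
        TryBind(args[0], args[1], pw, "SecureSocketsLayer", AuthenticationTypes.SecureSocketsLayer);
    }

    static void TryBind(string path, string user, string password, string label, AuthenticationTypes auth)
    {
        try
        {
            using (var entry = new DirectoryEntry(path, user, password, auth))
            {
                GC.KeepAlive(entry.NativeObject); // binding is lazy; reading NativeObject forces it
                Console.WriteLine("{0,-28} OK", label);
            }
        }
        catch (COMException ex) // DirectoryServicesCOMException derives from COMException
        {
            Console.WriteLine("{0,-28} FAILED 0x{1:X8} {2}", label, ex.ErrorCode, ex.Message.Trim());
        }
    }

    // Read the password without echoing it or exposing it on the command line.
    static string ReadPassword()
    {
        Console.Write("Password: ");
        var sb = new StringBuilder();
        for (ConsoleKeyInfo k = Console.ReadKey(true); k.Key != ConsoleKey.Enter; k = Console.ReadKey(true))
        {
            if (k.Key == ConsoleKey.Backspace) { if (sb.Length > 0) sb.Length--; }
            else if (k.KeyChar != '\0') sb.Append(k.KeyChar);
        }
        Console.WriteLine();
        return sb.ToString();
    }
}
```

If the row matching the provider's current setting fails while a signed or TLS-protected row succeeds, the provider configuration is what needs to change.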

Ektron:

Ektron's LDAP feature only verifies login information, leveraging System.DirectoryServices inside .NET Framework. Because of this, no updates to Ektron CMS are needed for this change.