Updates by Microsoft to secure Active Directory/LDAP interfaces have critical impacts

Posted on March 23, 2020 · Posted in Uncategorized

March 2020

Microsoft is planning to release a security update in March 2020 that will require LDAP signing for LDAP and Active Directory connected applications.  This might impact Web+Center and other AD-connected applications on your network!  The article below finds that many network devices and applications could be impacted.

Overview:
In August 2019, Microsoft issued security advisory ADV190023, Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing, announcing that Active Directory domain controllers would begin rejecting unsigned LDAP communication in March 2020.

We invite you to review the full article, and the questions and answers at the end of it, at

Description:

In March 2020, Microsoft is going to release a security update that will cause domain controllers to reject all incoming connections that use unsigned LDAP. With the default OS configuration, Microsoft clients and servers do not require message signing when authenticating and communicating over LDAP. This means that if you do not prepare your network, applications and devices that do not sign their LDAP traffic will fail to communicate with domain controllers, because the domain controllers will stop accepting unsigned messages. The consequence can be a massive domain outage.

For Web+Center users that have enabled Integrated Active Directory logins for customers: the Web+Center software does not currently use LDAP signing.  We are not yet sure of the impact, as the patch has not been released; we are being proactive in notifying our Web+Center user community of this potential update.  In addition to Web+Center customer users being unable to log in with integrated logins, other applications installed on your network could also be impacted.  The article linked above reports that printers and firewalls that use directory services fail to function too.

Solutions and your expert AD experience feedback needed!

It is difficult for us to debug this issue as we do not have a large Windows domain controller environment to test with.  We also suspect that our Web+Center clients have more seasoned Active Directory experts on staff who can better assess the risks and potential impacts.  We are asking our Web+Center community to share what they learn so that we can collectively understand the coming update, and to help test and develop code changes that will enable Web+Center to work with the security update and signed LDAP interfaces.  We anticipate that our configurable Active Server Page VB code that calls the LDAP interface can be easily modified to support the new signing requirements.  When we get feedback from our users, we will share it back with the Web+Center community.

Understanding and debugging this issue

The one Web+Center module that makes the LDAP call is the DoAutoLogin.asp module located in the customercenter directory.  (A very similar module, DoAutoLoginMobile.asp, exists in the CustomerMobileDirectory.)

For those that have time to research this, the code that makes the LDAP call is located in the ShowValue() subroutine of the DoAutoLogin.asp module.

Before changing any code, it is worth finding out whether Web+Center is actually binding unsigned today.  ADV190023 describes how: on each domain controller, set the "16 LDAP Interface Events" diagnostic level (under HKLM\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics) to 2, then watch the Directory Service event log for Event ID 2889, which records the IP address and account of every client that performs an unsigned SASL bind or a simple bind over a connection without TLS.  If the IIS server running Web+Center shows up there, the module will be affected once signing is required.

CODE:
' username, password, debugmode and SQL are set earlier in the module
Set Conn = CreateObject("ADODB.Connection")
' (following line fails in Linux environment)
Conn.Provider = "ADSDSOObject"

If username = "" And password = "" Then
    ' no credentials supplied: bind as the identity of the IIS worker process
    Conn.Open "ADs Provider"
    If debugmode <> "" Then
        Response.Write "Connecting to ADs Provider without username and password<p>"
        Response.Flush
    End If
Else
    ' bind with the credentials the customer typed in
    Conn.Open "ADs Provider", username, password
    If debugmode <> "" Then
        Response.Write "Connecting to ADs Provider with the provided username and password <p>"
        Response.Flush
    End If
End If

' run the LDAP query against the open connection
Set rs = Conn.Execute(SQL)

We have reviewed the options of the Microsoft OLE DB Provider for Microsoft Active Directory Service in the MS article below; it provides ways to call directory services with secure options that could be integrated into our DoAutoLogin.asp module and tested.

https://docs.microsoft.com/en-us/sql/ado/guide/appendixes/microsoft-ole-db-provider-for-microsoft-active-directory-service?view=sql-server-ver15

If there are Web+Center users who have enabled Active Directory integration for customer logins and have researched or enabled this update, we would appreciate some testing: create a similar DoAutoLogin.asp module in the customercenter directory that uses a slightly modified connection setup for the OLE DB connection to Active Directory Service.
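The following is an added example of such a modified connection setup; it is not Web+Center's code and has not been tested by Internet Software Sciences.  It uses the provider-specific "ADSI Flag" connection property documented in the Microsoft OLE DB Provider for ADSI article linked above, with values from the ADS_AUTHENTICATION_ENUM that ADSI uses for binds.  The function name OpenSignedADConnection and the useLdaps parameter are hypothetical; the username, password, debugmode and SQL variables are assumed to be the ones the existing ShowValue() subroutine already defines.

```vbscript
' Added example (not Web+Center's code): replacement for the connection section
' of ShowValue() in DoAutoLogin.asp that explicitly asks the ADSI OLE DB provider
' for a signed and sealed LDAP session instead of relying on provider defaults.

' ADS_AUTHENTICATION_ENUM values accepted by the "ADSI Flag" connection property
Const ADS_SECURE_AUTHENTICATION = &H1   ' SASL (Kerberos/NTLM) bind, not a clear-text simple bind
Const ADS_USE_SSL               = &H2   ' LDAPS on TCP 636; TLS supplies integrity and confidentiality
Const ADS_USE_SIGNING           = &H40  ' sign every LDAP message (needs ADS_SECURE_AUTHENTICATION)
Const ADS_USE_SEALING           = &H80  ' encrypt every LDAP message (needs ADS_SECURE_AUTHENTICATION)

' Returns an open ADODB.Connection to Active Directory. With useLdaps = False the
' session is signed and sealed with Kerberos/NTLM; with useLdaps = True it runs
' over LDAPS instead (hypothetical parameter added for this example).
Function OpenSignedADConnection(username, password, useLdaps, debugmode)
    Dim Conn, flags
    Set Conn = CreateObject("ADODB.Connection")
    Conn.Provider = "ADsDSOObject"

    If useLdaps Then
        ' TLS already protects the session, so signing/sealing are not requested as well
        flags = ADS_SECURE_AUTHENTICATION Or ADS_USE_SSL
    Else
        ' Signing is what the ADV190023 "require signing" setting on the DC checks for;
        ' sealing additionally keeps the query and results off the wire in clear text
        flags = ADS_SECURE_AUTHENTICATION Or ADS_USE_SIGNING Or ADS_USE_SEALING
    End If

    ' Provider-specific property; it has to be set before Open is called
    Conn.Properties("ADSI Flag") = flags

    If username = "" And password = "" Then
        ' Integrated logon: the IIS worker process identity (or the impersonated
        ' Windows user) is used for the bind
        Conn.Open "ADs Provider"
    Else
        ' Explicit credentials still use a SASL bind because of
        ' ADS_SECURE_AUTHENTICATION, so the password is not sent in clear text
        Conn.Open "ADs Provider", username, password
    End If

    If debugmode <> "" Then
        Response.Write "Opened ADs Provider connection with ADSI Flag = &H" & Hex(flags) & "<p>"
        Response.Flush
    End If

    Set OpenSignedADConnection = Conn
End Function

' Use inside ShowValue(), replacing the existing CreateObject/Open block:
'   Set Conn = OpenSignedADConnection(username, password, False, debugmode)
'   Set rs = Conn.Execute(SQL)
```

Pick one of the two modes and keep it fixed in the module: signing/sealing needs the DC's Kerberos or NTLM path to be reachable from the IIS server, while LDAPS needs a server certificate the IIS host trusts on each domain controller.  Whichever mode is chosen, re-check the Directory Service log on the domain controllers afterwards: if Event ID 2889 entries for the IIS server stop appearing, the module is no longer binding unsigned.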

Prevention of disruption of service

It appears there are options to disable this change on your Active Directory Service (see the first article link) if this update takes you and your network by surprise and you have failures connecting with Web+Center or other AD-integrated applications.  Treat that as a temporary measure only: the whole point of requiring signing is to stop unsigned LDAP traffic from being tampered with or relayed, so leaving it disabled keeps the domain controllers exposed to exactly what the update is meant to prevent.

If you have researched this issue, have already installed the update, or are already running signed Active Directory services, we would like to pass your changes, solutions and recommendations on to other users so we can share them with the Web+Center community.

Please contact Internet Software Sciences at support@inet-sciences.com or at 650 949-0942 with any information you may have gathered already.  We are already working with a few educational entities who have identified this as a potential issue to them and looking for others to share their knowledge too.

Other Work arounds
Web+Center supports two customer login methods.  One is the default Web+Center username/password login, where the password is stored in the Web+Center database.  The second is the integrated Windows Directory Services LDAP/AD method, where we authenticate the customer against AD.  The SAMACCOUNTNAME value is stored in the same username field in both cases, but Web+Center never has access to the Active Directory password and never stores it.

Typically Web+Center is configured to run in one mode or the other (Web+Center customer logins or integrated AD).  Web+Center can also run in a dual mode where customers log into Customer+Center with AD or with a username and password stored in the Web+Center database.

To run in this dual mode, two simple changes in the Default.asp module are needed.  Customer accounts created with AD, and their associated cases, will be preserved, and customers can be transitioned to a Web+Center login/password through an email password reset.  To enable the Web+Center customer login method while AD customer logins are also enabled, find the line of code below and un-comment it by removing the leading single quote character, then make the second change.

Change #1:

Change the line from
'ShowCCLogin = "YES"
TO
ShowCCLogin = "YES"         (leading single quote character removed)

Change #2:
Modify this line, which precedes the code that displays the Password Reset/Recovery button:

<% If LDAP_Enabled <> "1" Then %>

TO

<% If LDAP_Enabled = "1" Then %>

Conclusions:
Feel free to contact us if you have questions or issues.  We are trying to be proactive here for the stability of your Web+Center application and of your network overall.