Beware of GP Setting for LDAP Channel Binding Auditing


Charles F Sullivan

Jun 20, 2024, 1:12:40 PM
to ntsys...@googlegroups.com
Following guidance in this article I wanted to enable auditing of LDAP Channel Binding in order to find potential problematic devices, as we have plenty of third party services which use AD:

The article says “Note Events 3039, 3074, and 3075 can only be generated when Channel Binding is set to When Supported or Always.”

The setting had been Not Defined, which is the default. The Explain tab for the setting says "Default: This policy is not defined, which has the same effect as When Supported."

It also says "When supported: Clients that advertise support for Channel Binding Tokens must provide the correct token when authenticating over TLS/SSL connections; clients that do not advertise such support and/or do not use TLS/SSL connections are not impacted. This is an intermediate option that allows for application compatibility."

A couple of days ago I switched the setting from Not Defined to When Supported in order to start auditing the related events. This broke Duo authentication, which in turn caused VPN login to fail.

Microsoft's words around this seem pretty unambiguous, but clearly "When Supported" is not the same as "Not Defined".

Of course this was seen by management as me having made a security change without proper change control. I wouldn't argue that point, but be aware of this.

--

Charlie Sullivan

Principal Windows Systems Administrator
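An added example, not from the thread or from Microsoft, for the audit pass described above: it records what each domain controller actually has set for channel binding and tallies the 3039/3074/3075 events the article refers to, so you can see which clients would be affected before (or after) touching the Group Policy setting. It assumes the ActiveDirectory module, remoting rights to the DCs, the NTDS `LdapEnforceChannelBinding` registry value (0 = Never, 1 = When Supported, 2 = Always; absent = Not Defined), and that the event message text contains the client IP (the regex is a best-effort assumption).

```powershell
# Audit LDAP channel binding state and related Directory Service events on all DCs.
# Assumptions (not from the thread): ActiveDirectory module is installed, the caller
# can Invoke-Command on each DC and read its Directory Service log.
param(
    [string[]]$DomainControllers = @((Get-ADDomainController -Filter *).HostName),
    [int]$Days = 7
)

$eventIds = 3039, 3074, 3075          # IDs named in the Microsoft article quoted above
$since    = (Get-Date).AddDays(-$Days)
$ntdsKey  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'

foreach ($dc in $DomainControllers) {
    # What the DC is really enforcing. "Not Defined" in GP leaves the value absent;
    # the thread shows this is not equivalent to an explicit 1 (When Supported).
    $reg = Invoke-Command -ComputerName $dc -ScriptBlock {
        param($key)
        Get-ItemProperty -Path $key -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue
    } -ArgumentList $ntdsKey
    $effective = if ($reg) { $reg.LdapEnforceChannelBinding } else { 'Not Defined (value absent)' }
    Write-Host "$dc : LdapEnforceChannelBinding = $effective"

    # Pull the channel-binding audit events. Get-WinEvent throws when nothing matches,
    # so suppress that and treat it as zero events.
    $events = Get-WinEvent -ComputerName $dc -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName   = 'Directory Service'
        Id        = $eventIds
        StartTime = $since
    }
    if (-not $events) {
        Write-Host "  no 3039/3074/3075 events in the last $Days days (expected if Never/Not Defined)"
        continue
    }

    # Summarise by event ID and client address so the "potential problematic devices"
    # (e.g. an MFA proxy or VPN gateway binding over LDAPS) stand out.
    $events | ForEach-Object {
        # Assumption: the message body carries the client IP; fall back to 'unknown'.
        $ip = if ($_.Message -match '(\d{1,3}(?:\.\d{1,3}){3})') { $Matches[1] } else { 'unknown' }
        [pscustomobject]@{ DC = $dc; EventId = $_.Id; ClientIP = $ip }
    } | Group-Object EventId, ClientIP | Sort-Object Count -Descending |
        Select-Object Count, @{n='EventId';e={$_.Group[0].EventId}},
                             @{n='ClientIP';e={$_.Group[0].ClientIP}} |
        Format-Table -AutoSize
}
```

Run it with the setting still at Not Defined to confirm the baseline (no events), then again after a controlled change; any client that shows up is a candidate to test before the change goes to a DC that the VPN path depends on.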

Michael B. Smith

Jun 20, 2024, 1:31:21 PM
to ntsys...@googlegroups.com

Huh. Good to know. Thanks for the info.


Kurt Buff

Jun 20, 2024, 4:46:12 PM
to ntsys...@googlegroups.com
Since we use Duo for our VPN gateway, which authenticates against AD, this is very good to know.

I think I'll start a Change Management ticket before trying this.

Kurt
