Topics

Impacts by enabling LDAP Signing and LDAP Channel Binding (ADV190023) on Active Directory Domain Controllers

February 19, 2020

Dear Customers,

We deeply appreciate your constant patronage to our products.

As you may know, Microsoft has recently announced that to increase the security of LDAP communication in Active Directory environment, LDAP Signing and LDAP Channel Binding will be enabled by default with future Windows security update in the second half of calendar year 2020.

On February 4, 2020, Microsoft announced that the original plan to enable above settings in March 2020 has been postponed to the second half of calendar year 2020 and that a new group policy will be added, with which the above settings can be disabled in advance in March 2020.

Information available from Microsoft

ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing

https://portal.msrc.microsoft.com/en-us/security-guidance/advisory/ADV190023

Konica Minolta has been investigating any impacts on our products affected by this update. So far, we have already known that the LDAP supporting functions will not work on some products when the above settings are enabled. Please review the following impacts and apply the workaround. Our investigation will be continued. Once any update is available, we will inform you in a timely manner.

Impact on LDAP supporting function of target products

Problem 1: External server authentication by entering the user name and password from the control panel and printer driver fails with the following settings.
- Server type: Active Directory
- Server type: LDAP (except SSL/TLS is enabled and the authentication method is set to Simple.)

Problem 2: Authentication fails unless SSL/TLS is enabled and the authentication method is set to GSS-SPNEGO with the following functions.
- LDAP-IC card authentication
- Simple print authentication
- LDAP address search

Workaround

Problem 1: If the server type of external server authentication is Active Directory, there is no workaround on the MFP side. Please be sure to disable LDAP Signing and LDAP Channel Binding in advance on the domain controller side with the new group policy which will be provided by Microsoft in March until the countermeasure firmware is available. Please wait for the information from Microsoft for the detailed procedure of the setting. (The setting procedures have not been announced as of February 10, 2020.)
If the external server type is LDAP and the server supports LDAPS, please enable SSL/TLS and set the authentication method to “Simple” on MFP.

Problem 2: If the server supports LDAPS, please enable SSL/TLS on MFP and set the authentication method to “GSS-SPNEGO”.

Thank you for your support and cooperation.

Best Regards,
Support Operation Division
Konica Minolta, Inc.

^*Please check for updated information.

Back to Newsroom Top