Revised: Impacts by enabling LDAP Signing and LDAP Channel Binding (ADV190023) on Active Directory Domain Controllers

April 10, 2020

Dear Customers,

We deeply appreciate your continued patronage of our products.

Microsoft had previously announced that, to increase the security of LDAP communication in Active Directory environments, LDAP Signing and LDAP Channel Binding would be enabled by default by a future Windows security update in the second half of calendar year 2020.

However, on March 10, 2020, Microsoft formally announced that it will not release a Windows security update that forcibly enables LDAP signing or LDAP channel binding in the foreseeable future.

Information available from Microsoft

ADV190023 | Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing

  • There will be no impact on our products, as the scheduled security enhancement will not be released by Microsoft.
  • If you choose to enable the above settings yourself on an Active Directory domain controller to enhance security, this will affect the LDAP-based functions of some of our products. Therefore, please review the following impacts and workarounds beforehand. Please also note that, depending on your network environment, authentication speed may be affected, so we recommend that you perform a test in advance.

Impact on LDAP supporting function of MFP when enabling LDAP Signing and LDAP Channel Binding

Problem 1: External server authentication in which the user name and password are entered from the control panel or the printer driver fails with the following settings.

  • Server type: Active Directory
  • Server type: LDAP (except when SSL/TLS is enabled and the authentication method is set to Simple)

Problem 2: For the following functions, authentication fails unless SSL/TLS is enabled and the authentication method is set to GSS-SPNEGO.

  • SLDAP-IC card authentication
  • Simple print authentication
  • LDAP address search

Workaround

Problem 1: If the server type for external server authentication is Active Directory, there is no workaround on the MFP side. Please refrain from enabling LDAP signing until the upcoming countermeasure firmware is available.
If the external server type is LDAP and the server supports LDAPS, please enable SSL/TLS and set the authentication method to “Simple” on the MFP.

Problem 2: If the server supports LDAPS, please enable SSL/TLS on the MFP and set the authentication method to “GSS-SPNEGO”.
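Before enabling the settings described above, an administrator will want to know the current enforcement state of each domain controller and which devices (such as MFPs) still bind without signing or over cleartext. The following PowerShell script is an added example, not code from this advisory or from Microsoft; it assumes the NTDS registry values and Directory Service event IDs are those documented in Microsoft's ADV190023 guidance, and it is run on a domain controller.

```powershell
# Added example (not from the Konica Minolta advisory): audit a domain controller's
# LDAP signing / channel binding posture and list clients that recently bound
# without signing or with a cleartext simple bind, i.e. the binds that would fail
# once enforcement is turned on (Problem 1 and Problem 2 in the advisory).
# Assumption: registry paths, value names and event IDs as documented in ADV190023.
$ntds = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$diag = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Diagnostics'

# LDAPServerIntegrity: 1 = None (default), 2 = Require signing.
$integrity = (Get-ItemProperty $ntds -Name LDAPServerIntegrity -ErrorAction SilentlyContinue).LDAPServerIntegrity
# LdapEnforceChannelBinding: 0 = Never, 1 = When supported, 2 = Always.
$cbt = (Get-ItemProperty $ntds -Name LdapEnforceChannelBinding -ErrorAction SilentlyContinue).LdapEnforceChannelBinding

"LDAPServerIntegrity       : $(if ($null -eq $integrity) { 'not set (None)' } else { $integrity })"
"LdapEnforceChannelBinding : $(if ($null -eq $cbt) { 'not set' } else { $cbt })"
if ($integrity -eq 2) {
    Write-Warning 'Signing is required on this DC: unsigned and cleartext simple binds from MFPs will fail.'
}

# Per-client event 2889 is only written when '16 LDAP Interface Events' is set to 2.
$level = (Get-ItemProperty $diag -Name '16 LDAP Interface Events' -ErrorAction SilentlyContinue).'16 LDAP Interface Events'
if (-not $level -or $level -lt 2) {
    Write-Warning "LDAP Interface Events diagnostics level is '$level'; set it to 2 to record event 2889 per client."
}

# Collect the last 7 days of event 2889 and pull out client address, identity and bind type.
$filter = @{ LogName = 'Directory Service'; Id = 2889; StartTime = (Get-Date).AddDays(-7) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

$events | ForEach-Object {
    $m = $_.Message
    $client   = if ($m -match 'Client IP address:\s*([^\r\n]+)') { $Matches[1].Trim() } else { '?' }
    $identity = if ($m -match 'authenticate as:\s*([^\r\n]+)')   { $Matches[1].Trim() } else { '?' }
    # Binding Type 0 = SASL bind without signing, 1 = simple bind over cleartext.
    $bindType = if ($m -match 'Binding Type:\s*(\d)') { $Matches[1] } else { '?' }
    [pscustomobject]@{
        Time     = $_.TimeCreated
        Client   = $client
        Identity = $identity
        BindType = $bindType
    }
} | Sort-Object Client, Identity -Unique | Format-Table -AutoSize
```

Entries with BindType 1 correspond to cleartext simple binds, which is the case the advisory's Problem 1 workaround addresses by moving the MFP to LDAPS.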

Thank you for your support and cooperation.

Best Regards,
Support Operation Division
Konica Minolta, Inc.